From 2d594bf4eac56a98901b134ffc71c6307a43cfb5 Mon Sep 17 00:00:00 2001
From: abdullahaslam306
Date: Tue, 20 Jun 2023 14:08:50 +0500
Subject: [PATCH 001/498] diagnostic logs enabled in recovery vault
---
 exports.js | 1 +
 helpers/azure/api.js | 5 +
 .../recoveryVaultDiagnosticLogsEnabled.js | 68 +++++++++
 ...recoveryVaultDiagnosticLogsEnabled.spec.js | 131 ++++++++++++++++++
 4 files changed, 205 insertions(+)
 create mode 100644 plugins/azure/recoveryService/recoveryVaultDiagnosticLogsEnabled.js
 create mode 100644 plugins/azure/recoveryService/recoveryVaultDiagnosticLogsEnabled.spec.js
diff --git a/exports.js b/exports.js
index ddd25cde89..8a867817dc 100644
--- a/exports.js
+++ b/exports.js
@@ -964,6 +964,7 @@ module.exports = {
 'wafPolicyHasTags' : require(__dirname + '/plugins/azure/waf/wafPolicyHasTags.js'),
 'recoveryVaultByokEncrypted' : require(__dirname + '/plugins/azure/recoveryService/recoveryVaultByokEncrypted.js'),
+ 'recoveryVaultDiagnosticLogsEnabled': require(__dirname + '/plugins/azure/recoveryService/recoveryVaultDiagnosticLogsEnabled.js'),
 'domainPublicAccessEnabled' : require(__dirname + '/plugins/azure/eventGrid/domainPublicAccess.js')
 },
diff --git a/helpers/azure/api.js b/helpers/azure/api.js
index 08af8ac8e0..784d02d854 100644
--- a/helpers/azure/api.js
+++ b/helpers/azure/api.js
@@ -870,6 +870,11 @@ var tertiarycalls = {
 reliesOnPath: 'networkSecurityGroups.listAll',
 properties: ['id'],
 url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2017-05-01-preview'
+ },
+ listByRecoveryServiceVault: {
+ reliesOnPath: 'recoveryServiceVaults.listBySubscriptionId',
+ properties: ['id'],
+ url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview'
 }
 },
 backupShortTermRetentionPolicies: {
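Review bot: In the helpers/azure/api.js hunk, the new `listByRecoveryServiceVault` entry pins `api-version=2021-05-01-preview` while the sibling entry directly above it queries the same `microsoft.insights/diagnosticSettings` path with `2017-05-01-preview`, and nothing in the hunk records why the two differ. A one-line comment on the new `url` line, e.g. `// 2021-05-01-preview: per-category log entries (incl. categoryGroup) that recoveryVaultDiagnosticLogsEnabled and its spec fixture rely on`, would stop a later reader from "harmonising" the versions and silently changing the response shape the plugin parses; the spec in this commit models that newer shape. The enclosing call group (presumably `diagnosticSettings`, judging by the plugin's `apis` entry) starts outside the hunk, so I could not confirm whether its other entries already use the newer version.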
diff --git a/plugins/azure/recoveryService/recoveryVaultDiagnosticLogsEnabled.js b/plugins/azure/recoveryService/recoveryVaultDiagnosticLogsEnabled.js
new file mode 100644
index 0000000000..b9659d7f34
--- /dev/null
+++ b/plugins/azure/recoveryService/recoveryVaultDiagnosticLogsEnabled.js
@@ -0,0 +1,68 @@
+const async = require('async');
+const helpers = require('../../../helpers/azure');
+
+module.exports = {
+ title: 'Recovery Services Vault Diagnostic Logs Enabled',
+ category: 'Recovery Service Vault',
+ domain: 'Backup',
+ description: 'Ensure that Microsoft Azure Recovery Services Vaults have Diagnostic logs enabled.',
+ more_info: 'Diagnostic logs provide valuable insights into the operation and health of the Recovery Services Vault. By enabling diagnostic logs, you can monitor and troubleshoot issues more effectively.',
+ recommended_action: 'Modify the Recovery Service vault and enable diagnostic logs.',
+ link: 'https://learn.microsoft.com/en-us/azure/backup/backup-azure-diagnostic-events?tabs=recovery-services-vaults',
+ apis: ['diagnosticSettings:listByRecoveryServiceVault', 'recoveryServiceVaults:listBySubscriptionId'],
+
+ run: function(cache, settings, callback) {
+ const results = [];
+ const source = {};
+ const locations = helpers.locations(settings.govcloud);
+
+ async.each(locations.recoveryServiceVaults, (location, rcb) => {
+ const serviceVaults = helpers.addSource(cache, source,
+ ['recoveryServiceVaults', 'listBySubscriptionId', location]);
+
+ if (!serviceVaults) return rcb();
+
+ if (serviceVaults.err || !serviceVaults.data) {
+ helpers.addResult(results, 3,
+ 'Unable to list Recovery Service Vaults: ' + helpers.addError(serviceVaults), location);
+ return rcb();
+ }
+
+ if (!serviceVaults.data.length) {
+ helpers.addResult(results, 0, 'No Recovery Service Vaults found', location);
+ return rcb();
+ }
+
+ for (let vault of serviceVaults.data) {
+ if (!vault.id) continue;
+
+ const diagnosticSettings = helpers.addSource(cache, source,
+ ['diagnosticSettings', 'listByRecoveryServiceVault', location, vault.id]);
+
+ if (!diagnosticSettings.data || diagnosticSettings.err) {
+ helpers.addResult(results, 3,
+ 'Unable to query for Diagnostic settings: ' + helpers.addError(diagnosticSettings), location, vault.id);
+ continue;
+ }
+ var found = false;
+ for (let ds of diagnosticSettings.data) {
+ if (ds.logs && ds.logs.length) {
+ found = true;
+ break;
+ }
+ }
+
+ if (found) {
+ helpers.addResult(results, 0, 'Recovery Service Vault has diagnostic logs enabled', location, vault.id);
+ } else {
+ helpers.addResult(results, 2, 'Recovery Service Vault does not have diagnostic logs enabled', location, vault.id);
+ }
+ }
+
+ rcb();
+ }, function(){
+ // Global checking goes here
+ callback(null, results, source);
+ });
+ }
+};
diff --git a/plugins/azure/recoveryService/recoveryVaultDiagnosticLogsEnabled.spec.js b/plugins/azure/recoveryService/recoveryVaultDiagnosticLogsEnabled.spec.js
new file mode 100644
index 0000000000..0e682e2104
--- /dev/null
+++ b/plugins/azure/recoveryService/recoveryVaultDiagnosticLogsEnabled.spec.js
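Review bot: The `var found` loop treats any non-empty `ds.logs` array as "logs enabled", but each log entry carries its own `enabled` flag (the spec fixture in this commit shows `enabled: true` per category), so a diagnostic setting whose categories are all listed with `enabled: false` would still yield a PASS — the control can report logging as on when nothing is being emitted. Replace the loop with `const found = diagnosticSettings.data.some((ds) => ds.logs && ds.logs.some((log) => log.enabled));` so only an enabled category counts, which also drops the lone `var` in an otherwise `const`/`let` function. Separately, `if (!diagnosticSettings.data || diagnosticSettings.err)` dereferences the `addSource` result without the `if (!serviceVaults) return rcb();` style guard used a few lines above; if `addSource` can return nothing for a vault id absent from the cache (I cannot see the helper from here), this throws inside the `async.each` callback instead of recording a status-3 result, so prefer `if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data)`. The spec added in the next hunk has no fixture with a listed-but-disabled category, so it would not catch the first issue.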
@@ -0,0 +1,131 @@ +var expect = require('chai').expect; +var recoveryVaultDiagnosticLogsEnabled = require('./recoveryVaultDiagnosticLogsEnabled'); + +const listServiceVaults = [ + { + 'name': 'test-vm', + 'id': '/subscriptions/77777777-b0c6-47a2-b37c-d8e65a629c18/resourceGroups/HelloWorld/providers/Microsoft.RecoveryServices/vaults/today1', + 'type': "Microsoft.RecoveryServices/vaults", + } +]; + +const diagnosticSettings = [ + { + id: '/subscriptions/77777777-b0c6-47a2-b37c-d8e65a629c18/resourceGroups/HelloWorld/providers/Microsoft.RecoveryServices/vaults/today1/providers/microsoft.insights/diagnosticSettings/gio-test-setting', + type: 'Microsoft.Insights/diagnosticSettings', + name: 'gio-test-setting', + location: 'eastus', + kind: null, + tags: null, + identity: null, + storageAccountId: null, + serviceBusRuleId: null, + metrics: [], + logs: [ + { + category: 'RecoveryServiceVault', + categoryGroup: null, + enabled: true, + retentionPolicy: [Object] + }, + { + category: 'RecoveryServiceVault', + categoryGroup: null, + enabled: true, + retentionPolicy: [Object] + } + ], + logAnalyticsDestinationType: null + }, + { + id: '/subscriptions/77777777-b0c6-47a2-b37c-d8e65a629c18/resourceGroups/HelloWorld/providers/Microsoft.RecoveryServices/vaults/today1/providers/microsoft.insights/diagnosticSettings/gio-test-setting', + type: 'Microsoft.Insights/diagnosticSettings', + name: 'gio-test-setting', + location: 'eastus', + kind: null, + tags: null, + identity: null, + metrics: [], + logs: [], + logAnalyticsDestinationType: null + }, +]; + +const createCache = (listServiceVault, ds) => { + const id = (listServiceVault && listServiceVault.length) ? 
listServiceVault[0].id : null; + return { + recoveryServiceVaults: { + listBySubscriptionId: { + 'eastus': { data: listServiceVault } + }, + }, + diagnosticSettings: { + listByRecoveryServiceVault: { + 'eastus': { + [id]: { + data: ds + } + } + } + } + }; +}; + +describe('recoveryVaultDiagnosticLogsEnabled', function() { + describe('run', function() { + it('should give passing result if no Recovery Service vault found', function(done) { + const cache = createCache([], null); + recoveryVaultDiagnosticLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No Recovery Service Vaults found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for list Recovery Service vault', function(done) { + const cache = createCache(null, null); + recoveryVaultDiagnosticLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to list Recovery Service Vaults:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for diagnostic settings', function(done) { + const cache = createCache([listServiceVaults[0]], null); + recoveryVaultDiagnosticLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Diagnostic settings:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if diagnostic logs enabled', function(done) { + const cache = createCache([listServiceVaults[0]], [diagnosticSettings[0]]); + recoveryVaultDiagnosticLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + 
expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Recovery Service Vault has diagnostic logs enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if diagnostic logs not enabled', function(done) { + const cache = createCache([listServiceVaults[0]], [diagnosticSettings[1]]); + recoveryVaultDiagnosticLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Recovery Service Vault does not have diagnostic logs enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file From dbab9e8bc14d99ed9f8b981df3168aa36dc21798 Mon Sep 17 00:00:00 2001 
From: muzzamilinovaqo
Date: Thu, 7 Sep 2023 13:10:34 +0500
Subject: [PATCH 002/498] adding realtime triggers for plugins section a,b
---
 plugins/aws/accessanalyzer/accessAnalyzerActiveFindings.js | 1 +
 plugins/aws/accessanalyzer/accessAnalyzerEnabled.js | 2 ++
 plugins/aws/acm/acmCertificateExpiry.js | 1 +
 plugins/aws/acm/acmCertificateHasTags.js | 1 +
 plugins/aws/acm/acmSingleDomainNameCertificate.js | 1 +
 plugins/aws/acm/acmValidation.js | 1 +
 plugins/aws/apigateway/apiStageLevelCacheEncryption.js | 2 ++
 plugins/aws/apigateway/apigatewayAuthorization.js | 1 +
 plugins/aws/apigateway/apigatewayCertificateRotation.js | 1 +
 plugins/aws/apigateway/apigatewayClientCertificate.js | 1 +
 plugins/aws/apigateway/apigatewayCloudwatchLogs.js | 1 +
 plugins/aws/apigateway/apigatewayContentEncoding.js | 2 ++
 plugins/aws/apigateway/apigatewayDefaultEndpointDisabled.js | 1 +
 plugins/aws/apigateway/apigatewayPrivateEndpoints.js | 1 +
 plugins/aws/apigateway/apigatewayResponseCaching.js | 1 +
 plugins/aws/apigateway/apigatewayTracingEnabled.js | 2 ++
 plugins/aws/apigateway/apigatewayWafEnabled.js | 2 ++
 plugins/aws/apigateway/customDomainTlsVersion.js | 2 ++
 plugins/aws/apigateway/detailedCloudWatchMetrics.js | 2 ++
 plugins/aws/appflow/flowEncrypted.js | 2 ++
 plugins/aws/appmesh/appmeshTLSRequired.js | 2 ++
 plugins/aws/appmesh/appmeshVGAccessLogging.js | 2 ++
 plugins/aws/appmesh/restrictExternalTraffic.js | 1 +
 plugins/aws/apprunner/serviceEncrypted.js | 2 ++
 plugins/aws/athena/workgroupEnforceConfiguration.js | 2 ++
 plugins/aws/auditmanager/auditmanagerDataEncrypted.js | 1 +
 plugins/aws/autoscaling/appTierAsgApprovedAmi.js | 1 +
 plugins/aws/autoscaling/appTierAsgCloudwatchLogs.js | 2 ++
 plugins/aws/autoscaling/appTierIamRole.js | 1 +
 plugins/aws/autoscaling/asgActiveNotifications.js | 2 ++
 plugins/aws/autoscaling/asgCooldownPeriod.js | 1 +
 plugins/aws/autoscaling/asgMissingELB.js | 1 +
 plugins/aws/autoscaling/asgMissingSecurityGroups.js | 1 +
 plugins/aws/autoscaling/asgMultiAz.js | 2 
++
 plugins/aws/autoscaling/asgSuspendedProcesses.js | 4 ++++
 plugins/aws/autoscaling/asgUnusedLaunchConfiguration.js | 2 ++
 plugins/aws/autoscaling/elbHealthCheckActive.js | 2 ++
 plugins/aws/autoscaling/emptyASG.js | 2 ++
 plugins/aws/autoscaling/sameAzElb.js | 3 +++
 plugins/aws/autoscaling/webTierAsgApprovedAmi.js | 2 ++
 plugins/aws/autoscaling/webTierAsgAssociatedElb.js | 2 ++
 plugins/aws/autoscaling/webTierAsgCloudwatchLogs.js | 1 +
 plugins/aws/autoscaling/webTierIamRole.js | 1 +
 plugins/aws/backup/backupDeletionProtection.js | 4 +++-
 plugins/aws/backup/backupInUseForRDSSnapshots.js | 1 +
 plugins/aws/backup/backupNotificationEnabled.js | 3 ++-
 plugins/aws/backup/backupResourceProtection.js | 1 +
 plugins/aws/backup/backupVaultEncrypted.js | 1 +
 plugins/aws/backup/backupVaultHasTags.js | 1 +
 plugins/aws/backup/backupVaultPolicies.js | 1 +
 plugins/aws/backup/compliantLifecycleConfigured.js | 1 +
 51 files changed, 79 insertions(+), 2 deletions(-)
diff --git a/plugins/aws/accessanalyzer/accessAnalyzerActiveFindings.js b/plugins/aws/accessanalyzer/accessAnalyzerActiveFindings.js
index 15c7e0856d..db016cfcbc 100644
--- a/plugins/aws/accessanalyzer/accessAnalyzerActiveFindings.js
+++ b/plugins/aws/accessanalyzer/accessAnalyzerActiveFindings.js
@@ -11,6 +11,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-work-with-findings.html',
 recommended_action: 'Investigate into active findings in your account and do the needful until you have zero active findings.',
 apis: ['AccessAnalyzer:listAnalyzers', 'AccessAnalyzer:listFindings'],
+ realtime_triggers: ['AccessAnalyzer:createAnalyzer','AccessAnalyzer:createArchiveRule','AccessAnalyzer:updateArchiveRule'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/accessanalyzer/accessAnalyzerEnabled.js b/plugins/aws/accessanalyzer/accessAnalyzerEnabled.js
index e3a69e2f67..7e00de06f9 100644
--- a/plugins/aws/accessanalyzer/accessAnalyzerEnabled.js
+++ b/plugins/aws/accessanalyzer/accessAnalyzerEnabled.js
@@ -10,6 +10,8 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html',
 recommended_action: 'Enable Access Analyzer for all regions',
 apis: ['AccessAnalyzer:listAnalyzers'],
+ realtime_triggers: ['AccessAnalyzer:createAnalyzer'],
+
 run: function(cache, settings, callback) {
 var results = [];
 var source = {};
diff --git a/plugins/aws/acm/acmCertificateExpiry.js b/plugins/aws/acm/acmCertificateExpiry.js
index 2bafe3f14d..2f8164a1fc 100644
--- a/plugins/aws/acm/acmCertificateExpiry.js
+++ b/plugins/aws/acm/acmCertificateExpiry.js
@@ -27,6 +27,7 @@ module.exports = {
 default: 30
 }
 },
+ realtime_triggers: ['ACM:requestCertificate','ACM:importCertificate'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/acm/acmCertificateHasTags.js b/plugins/aws/acm/acmCertificateHasTags.js
index bb46a3fb1f..bda492b847 100644
--- a/plugins/aws/acm/acmCertificateHasTags.js
+++ b/plugins/aws/acm/acmCertificateHasTags.js
@@ -10,6 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/acm/latest/userguide/tags.html',
 recommended_action: 'Modify ACM certificate and add tags.',
 apis: ['ACM:listCertificates', 'ResourceGroupsTaggingAPI:getResources'],
+ realtime_triggers: ['ACM:requestCertificate','ACM:importCertificate','ACM:addTagsToCertificate', 'ACM:removeTagsFromCertificate'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/acm/acmSingleDomainNameCertificate.js b/plugins/aws/acm/acmSingleDomainNameCertificate.js
index 100c2dc5df..48eddd9009 100644
--- a/plugins/aws/acm/acmSingleDomainNameCertificate.js
+++ b/plugins/aws/acm/acmSingleDomainNameCertificate.js
@@ -10,6 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html',
 recommended_action: 'Configure ACM managed certificates to use single name domain instead of wildcards.',
 apis: ['ACM:listCertificates', 'ACM:describeCertificate'],
+ realtime_triggers: ['ACM:requestCertificate','ACM:importCertificate'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/acm/acmValidation.js b/plugins/aws/acm/acmValidation.js
index ca14154b95..c9e35a52a2 100644
--- a/plugins/aws/acm/acmValidation.js
+++ b/plugins/aws/acm/acmValidation.js
@@ -11,6 +11,7 @@ module.exports = {
 cs_link: 'https://cloudsploit.com/remediations/aws/acm/acm-certificate-validation',
 recommended_action: 'Configure ACM managed certificates to use DNS validation.',
 apis: ['ACM:listCertificates', 'ACM:describeCertificate'],
+ realtime_triggers: ['ACM:requestCertificate','ACM:importCertificate'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apiStageLevelCacheEncryption.js b/plugins/aws/apigateway/apiStageLevelCacheEncryption.js
index 6463fffa0e..33edac70f4 100644
--- a/plugins/aws/apigateway/apiStageLevelCacheEncryption.js
+++ b/plugins/aws/apigateway/apiStageLevelCacheEncryption.js
@@ -10,6 +10,8 @@ module.exports = {
 recommended_action: 'Modify API Gateway API stages to enable encryption on cache data',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/data-protection-encryption.html',
 apis: ['APIGateway:getRestApis', 'APIGateway:getStages'],
+ realtime_triggers: ['APIGateway:createStage','APIGateway:updateStage'],
+
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayAuthorization.js b/plugins/aws/apigateway/apigatewayAuthorization.js
index 66c1276c32..25991892c5 100644
--- a/plugins/aws/apigateway/apigatewayAuthorization.js
+++ b/plugins/aws/apigateway/apigatewayAuthorization.js
@@ -10,6 +10,7 @@ module.exports = {
 recommended_action: 'Modify API Gateway configuration and ensure that appropriate authorizers are set up for each API.',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html',
 apis: ['APIGateway:getRestApis', 'APIGateway:getAuthorizers'],
+ realtime_triggers: ['APIGateway:createRestApi','APIGateway:createAuthorizer'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayCertificateRotation.js b/plugins/aws/apigateway/apigatewayCertificateRotation.js
index 7d21e5c848..894ad24b47 100644
--- a/plugins/aws/apigateway/apigatewayCertificateRotation.js
+++ b/plugins/aws/apigateway/apigatewayCertificateRotation.js
@@ -18,6 +18,7 @@ module.exports = {
 default: '30',
 }
 },
+ realtime_triggers: ['APIGateway:createRestApi','APIGateway:generateClientCertificate','APIGateway:deleteClientCertificate'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayClientCertificate.js b/plugins/aws/apigateway/apigatewayClientCertificate.js
index a51805c7c7..ef8234dc3c 100644
--- a/plugins/aws/apigateway/apigatewayClientCertificate.js
+++ b/plugins/aws/apigateway/apigatewayClientCertificate.js
@@ -10,6 +10,7 @@ module.exports = {
 recommended_action: 'Attach client certificate to API Gateway API stages',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html',
 apis: ['APIGateway:getRestApis', 'APIGateway:getStages'],
+ realtime_triggers: ['APIGateway:createStage','APIGateway:updateStage'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayCloudwatchLogs.js b/plugins/aws/apigateway/apigatewayCloudwatchLogs.js
index 3268a9e853..1c83af7d91 100644
--- a/plugins/aws/apigateway/apigatewayCloudwatchLogs.js
+++ b/plugins/aws/apigateway/apigatewayCloudwatchLogs.js
@@ -10,6 +10,7 @@ module.exports = {
 recommended_action: 'Modify API Gateway API stages to enable CloudWatch Logs',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html',
 apis: ['APIGateway:getRestApis', 'APIGateway:getStages'],
+ realtime_triggers: ['APIGateway:createStage','APIGateway:updateStage'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayContentEncoding.js b/plugins/aws/apigateway/apigatewayContentEncoding.js
index 03d305863c..00a5aac864 100644
--- a/plugins/aws/apigateway/apigatewayContentEncoding.js
+++ b/plugins/aws/apigateway/apigatewayContentEncoding.js
@@ -10,6 +10,8 @@ module.exports = {
 recommended_action: 'Enable content encoding and set minimum compression size of API Gateway API response',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-gzip-compression-decompression.html',
 apis: ['APIGateway:getRestApis'],
+ realtime_triggers: ['APIGateway:createRestApi','APIGateway:updateRestApi'],
+
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayDefaultEndpointDisabled.js b/plugins/aws/apigateway/apigatewayDefaultEndpointDisabled.js
index 02773684e0..a287ce3427 100644
--- a/plugins/aws/apigateway/apigatewayDefaultEndpointDisabled.js
+++ b/plugins/aws/apigateway/apigatewayDefaultEndpointDisabled.js
@@ -10,6 +10,7 @@ module.exports = {
 recommended_action: 'Modify API Gateway to disable default execute-api endpoint.',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html',
 apis: ['APIGateway:getRestApis'],
+ realtime_triggers: ['APIGateway:createRestApi','APIGateway:updateRestApi'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayPrivateEndpoints.js b/plugins/aws/apigateway/apigatewayPrivateEndpoints.js
index 1025618d5c..9c74ceb6a9 100644
--- a/plugins/aws/apigateway/apigatewayPrivateEndpoints.js
+++ b/plugins/aws/apigateway/apigatewayPrivateEndpoints.js
@@ -10,6 +10,7 @@ module.exports = {
 recommended_action: 'Set API Gateway API endpoint configuration to private',
 link: 'https://aws.amazon.com/blogs/compute/introducing-amazon-api-gateway-private-endpoints',
 apis: ['APIGateway:getRestApis'],
+ realtime_triggers: ['APIGateway:createRestApi','APIGateway:updateRestApi'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayResponseCaching.js b/plugins/aws/apigateway/apigatewayResponseCaching.js
index 852aa15ea4..25155f0065 100644
--- a/plugins/aws/apigateway/apigatewayResponseCaching.js
+++ b/plugins/aws/apigateway/apigatewayResponseCaching.js
@@ -11,6 +11,7 @@ module.exports = {
 recommended_action: 'Modify API Gateway API stages to enable API cache',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html',
 apis: ['APIGateway:getRestApis', 'APIGateway:getStages'],
+ realtime_triggers: ['APIGateway:createStage','APIGateway:updateStage'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayTracingEnabled.js b/plugins/aws/apigateway/apigatewayTracingEnabled.js
index 4680db581f..a58921c684 100644
--- a/plugins/aws/apigateway/apigatewayTracingEnabled.js
+++ b/plugins/aws/apigateway/apigatewayTracingEnabled.js
@@ -10,6 +10,8 @@ module.exports = {
 recommended_action: 'Enable tracing on API Gateway API stages',
 link: 'https://docs.aws.amazon.com/xray/latest/devguide/xray-services-apigateway.html',
 apis: ['APIGateway:getRestApis', 'APIGateway:getStages'],
+ realtime_triggers: ['APIGateway:createStage','APIGateway:updateStage'],
+
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayWafEnabled.js b/plugins/aws/apigateway/apigatewayWafEnabled.js
index cd75996465..50fd77b7e0 100644
--- a/plugins/aws/apigateway/apigatewayWafEnabled.js
+++ b/plugins/aws/apigateway/apigatewayWafEnabled.js
@@ -10,6 +10,8 @@ module.exports = {
 recommended_action: 'Associate API Gateway API with Web Application Firewall',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html',
 apis: ['APIGateway:getRestApis', 'APIGateway:getStages'],
+ realtime_triggers: ['APIGateway:createRestApi','WAFRegional:associateWebACL'],
+
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/customDomainTlsVersion.js b/plugins/aws/apigateway/customDomainTlsVersion.js
index 6ee0a40707..11343ec30d 100644
--- a/plugins/aws/apigateway/customDomainTlsVersion.js
+++ b/plugins/aws/apigateway/customDomainTlsVersion.js
@@ -10,6 +10,8 @@ module.exports = {
 recommended_action: 'Modify API Gateway custom domain security policy and specify new TLS version.',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html',
 apis: ['APIGateway:getDomainNames'],
+ realtime_triggers: ['APIGateway:createDomainName','APIGateway:updateDomainName'],
+
 run: function(cache, settings, callback) {
 var results = [];
 var source = {};
diff --git a/plugins/aws/apigateway/detailedCloudWatchMetrics.js b/plugins/aws/apigateway/detailedCloudWatchMetrics.js
index 5aa13b1a88..40b85d39ef 100644
--- a/plugins/aws/apigateway/detailedCloudWatchMetrics.js
+++ b/plugins/aws/apigateway/detailedCloudWatchMetrics.js
@@ -10,6 +10,8 @@ module.exports = {
 recommended_action: 'Add CloudWatch role ARN to API settings and enabled detailed metrics for each stage',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-metrics.html',
 apis: ['APIGateway:getRestApis', 'APIGateway:getStages'],
+ realtime_triggers: ['APIGateway:createStage','APIGateway:updateStage'],
+
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/appflow/flowEncrypted.js b/plugins/aws/appflow/flowEncrypted.js
index f702cb57c6..548a6e23e4 100644
--- a/plugins/aws/appflow/flowEncrypted.js
+++ b/plugins/aws/appflow/flowEncrypted.js
@@ -19,6 +19,8 @@ module.exports = {
 default: 'awscmk',
 }
 },
+ realtime_triggers: ['Appflow:createFlow','Appflow:updateFlow'],
+
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/appmesh/appmeshTLSRequired.js b/plugins/aws/appmesh/appmeshTLSRequired.js
index c4aeaf6429..53aa53ca77 100644
--- a/plugins/aws/appmesh/appmeshTLSRequired.js
+++ b/plugins/aws/appmesh/appmeshTLSRequired.js
@@ -10,6 +10,8 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/app-mesh/latest/APIReference/API_ListenerTls.html',
 recommended_action: 'Restrict AWS App Mesh virtual gateway listeners to accept only TLS enabled connections.',
 apis: ['AppMesh:listMeshes', 'AppMesh:listVirtualGateways', 'AppMesh:describeVirtualGateway'],
+ realtime_triggers: ['AppMesh:createVirtualGateway','AppMesh:updateVirtualGateway'],
+
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/appmesh/appmeshVGAccessLogging.js b/plugins/aws/appmesh/appmeshVGAccessLogging.js
index 1552aad58b..c815dcefde 100644
--- a/plugins/aws/appmesh/appmeshVGAccessLogging.js
+++ b/plugins/aws/appmesh/appmeshVGAccessLogging.js
@@ -10,6 +10,8 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/app-mesh/latest/userguide/envoy-logs.html',
 recommended_action: 'To enable access logging, modify virtual gateway configuration settings and configure the file path to write access logs to.',
 apis: ['AppMesh:listMeshes', 'AppMesh:listVirtualGateways', 'AppMesh:describeVirtualGateway'],
+ realtime_triggers: ['AppMesh:createVirtualGateway','AppMesh:updateVirtualGateway'],
+
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/appmesh/restrictExternalTraffic.js b/plugins/aws/appmesh/restrictExternalTraffic.js
index e43f31238c..02c8711beb 100644
--- a/plugins/aws/appmesh/restrictExternalTraffic.js
+++ b/plugins/aws/appmesh/restrictExternalTraffic.js
@@ -12,6 +12,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/app-mesh/latest/userguide/security.html',
 recommended_action: 'Deny all traffic to the external services',
 apis: ['AppMesh:listMeshes', 'AppMesh:describeMesh'],
+ realtime_triggers: ['AppMesh:createMesh','AppMesh:updateMesh'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apprunner/serviceEncrypted.js b/plugins/aws/apprunner/serviceEncrypted.js
index a9c7dc1f85..ddcd9a0193 100644
--- a/plugins/aws/apprunner/serviceEncrypted.js
+++ b/plugins/aws/apprunner/serviceEncrypted.js
@@ -19,6 +19,8 @@ module.exports = {
 default: 'awscmk'
 }
 },
+ realtime_triggers: ['AppRunner:createService','AppRunner:updateService'],
+
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/athena/workgroupEnforceConfiguration.js b/plugins/aws/athena/workgroupEnforceConfiguration.js
index bc4dc8452d..6704886d1c 100644
--- a/plugins/aws/athena/workgroupEnforceConfiguration.js
+++ b/plugins/aws/athena/workgroupEnforceConfiguration.js
@@ -10,6 +10,8 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/athena/latest/ug/workgroups-settings.html',
 recommended_action: 'Disable the ability for clients to override Athena workgroup configuration options.',
 apis: ['Athena:listWorkGroups', 'Athena:getWorkGroup', 'STS:getCallerIdentity'],
+ realtime_triggers: ['athena:CreateWorkGroup', 'athena:UpdateWorkGroup'],
+
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/auditmanager/auditmanagerDataEncrypted.js b/plugins/aws/auditmanager/auditmanagerDataEncrypted.js
index 1e84afbfc1..61ff3ae17a 100644
--- a/plugins/aws/auditmanager/auditmanagerDataEncrypted.js
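Review bot: The `realtime_triggers` line added to `plugins/aws/athena/workgroupEnforceConfiguration.js` is spelled `'athena:CreateWorkGroup', 'athena:UpdateWorkGroup'` (lower-case service, upper-case action), while every other hunk in this commit, and this file's own `apis` entry `'Athena:listWorkGroups'`, uses the `Service:camelCaseAction` form. If the trigger matcher compares these strings literally (the matcher is not visible from the hunk), this plugin would never be scheduled by a real-time event and the gap would only show up as a silently stale finding. Suggest `realtime_triggers: ['Athena:createWorkGroup','Athena:updateWorkGroup'],` to match the convention used elsewhere.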
+++ b/plugins/aws/auditmanager/auditmanagerDataEncrypted.js
@@ -19,6 +19,7 @@ module.exports = {
 default: 'awscmk',
 }
 },
+ realtime_triggers: ['AuditManager:updateSettings'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/appTierAsgApprovedAmi.js b/plugins/aws/autoscaling/appTierAsgApprovedAmi.js
index 3c9acc65b9..3da850f053 100644
--- a/plugins/aws/autoscaling/appTierAsgApprovedAmi.js
+++ b/plugins/aws/autoscaling/appTierAsgApprovedAmi.js
@@ -24,6 +24,7 @@ module.exports = {
 default: ''
 }
 },
+ realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:updateAutoScalingGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/appTierAsgCloudwatchLogs.js b/plugins/aws/autoscaling/appTierAsgCloudwatchLogs.js
index 6e9770af2f..89362c87e5 100644
--- a/plugins/aws/autoscaling/appTierAsgCloudwatchLogs.js
+++ b/plugins/aws/autoscaling/appTierAsgCloudwatchLogs.js
@@ -32,6 +32,8 @@ module.exports = {
 default: ''
 }
 },
+ realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:updateAutoScalingGroup'],
+
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/appTierIamRole.js b/plugins/aws/autoscaling/appTierIamRole.js
index d2e9486839..0c21310829 100644
--- a/plugins/aws/autoscaling/appTierIamRole.js
+++ b/plugins/aws/autoscaling/appTierIamRole.js
@@ -18,6 +18,7 @@ module.exports = {
 default: ''
 }
 },
+ realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:updateAutoScalingGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/asgActiveNotifications.js b/plugins/aws/autoscaling/asgActiveNotifications.js
index b482467fe1..aa7ba42c4b 100644
--- a/plugins/aws/autoscaling/asgActiveNotifications.js
+++ b/plugins/aws/autoscaling/asgActiveNotifications.js
@@ -10,6 +10,8 @@ module.exports = { link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/ASGettingNotifications.html', recommended_action: 'Add a notification endpoint to the auto scaling group.', apis: ['AutoScaling:describeAutoScalingGroups', 'AutoScaling:describeNotificationConfigurations'], + realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:putNotificationConfiguration'], + run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/autoscaling/asgCooldownPeriod.js b/plugins/aws/autoscaling/asgCooldownPeriod.js index bf259ee0a7..43dbb96158 100644 --- a/plugins/aws/autoscaling/asgCooldownPeriod.js +++ b/plugins/aws/autoscaling/asgCooldownPeriod.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/Cooldown.html', recommended_action: 'Implement proper cool down period for Auto Scaling groups to temporarily suspend any scaling actions.', apis: ['AutoScaling:describeAutoScalingGroups'], + realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:updateAutoScalingGroup'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/autoscaling/asgMissingELB.js b/plugins/aws/autoscaling/asgMissingELB.js index ba0d2e28e5..6aaceb2b9a 100644 --- a/plugins/aws/autoscaling/asgMissingELB.js +++ b/plugins/aws/autoscaling/asgMissingELB.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/attach-load-balancer-asg.html', recommended_action: 'Ensure that the Auto Scaling group load balancer has not been deleted. If so, remove it from the ASG.', apis: ['AutoScaling:describeAutoScalingGroups', 'ELB:describeLoadBalancers', 'ELBv2:describeLoadBalancers'], + realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:attachLoadBalancers'], run: function(cache, settings, callback) { var results = []; 
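Review bot: asgActiveNotifications' new `realtime_triggers` lists `AutoScaling:putNotificationConfiguration` but not `AutoScaling:deleteNotificationConfiguration`, which is the call that removes the notification endpoint this plugin requires (its `apis` read `describeNotificationConfigurations`). Re-evaluating only when a notification is added means the failing state is not re-detected in real time. Suggest `realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:putNotificationConfiguration','AutoScaling:deleteNotificationConfiguration'],` and dropping the stray blank line before `run`. The enclosing object and `run` extend past the hunk.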
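Review bot: asgMissingELB's triggers cover `createAutoScalingGroup` and `attachLoadBalancers`, but the condition this plugin reports is a load balancer that no longer exists (per its `recommended_action`, and its `apis` read `ELB:describeLoadBalancers` and `ELBv2:describeLoadBalancers`), so the events that actually produce a finding are load-balancer deletion and detachment. Consider adding `'ELB:deleteLoadBalancer','ELBv2:deleteLoadBalancer','AutoScaling:detachLoadBalancers'` (and the target-group equivalents if the plugin inspects `TargetGroupARNs`; I cannot see that from the hunk). The `run` body continues outside the hunk.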
diff --git a/plugins/aws/autoscaling/asgMissingSecurityGroups.js b/plugins/aws/autoscaling/asgMissingSecurityGroups.js index 20482d747b..60d52b9fd1 100644 --- a/plugins/aws/autoscaling/asgMissingSecurityGroups.js +++ b/plugins/aws/autoscaling/asgMissingSecurityGroups.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/GettingStartedTutorial.html', recommended_action: 'Ensure that the launch configuration security group has not been deleted. If so, remove it from launch configurations', apis: ['AutoScaling:describeLaunchConfigurations', 'EC2:describeSecurityGroups'], + realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:updateAutoScalingGroup'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/autoscaling/asgMultiAz.js b/plugins/aws/autoscaling/asgMultiAz.js index 9d775d6247..5686e6b136 100644 --- a/plugins/aws/autoscaling/asgMultiAz.js +++ b/plugins/aws/autoscaling/asgMultiAz.js @@ -10,6 +10,8 @@ module.exports = { link: 'http://docs.aws.amazon.com/autoscaling/latest/userguide/AutoScalingGroup.html', recommended_action: 'Modify the autoscaling instance to enable scaling across multiple availability zones.', apis: ['AutoScaling:describeAutoScalingGroups'], + realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:updateAutoScalingGroup'], + run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/autoscaling/asgSuspendedProcesses.js b/plugins/aws/autoscaling/asgSuspendedProcesses.js index 448f373d1b..0571bf533e 100644 --- a/plugins/aws/autoscaling/asgSuspendedProcesses.js +++ b/plugins/aws/autoscaling/asgSuspendedProcesses.js 
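Review bot: asgMissingSecurityGroups' added triggers are `createAutoScalingGroup`/`updateAutoScalingGroup`, yet the plugin's `apis` are `AutoScaling:describeLaunchConfigurations` and `EC2:describeSecurityGroups` and its `recommended_action` describes a launch-configuration security group that was deleted; neither ASG call changes a launch configuration or deletes a security group. The events that change this plugin's result are `'AutoScaling:createLaunchConfiguration'` and `'EC2:deleteSecurityGroup'`, so I would replace or extend the list with those. The `run` body continues outside the hunk.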
@@ -10,6 +10,10 @@ module.exports = { link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-suspend-resume-processes.html', recommended_action: 'Update the AutoScaling group to resume the suspended processes.', apis: ['AutoScaling:describeAutoScalingGroups'], + realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:resumeProcesses'], + + + run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/autoscaling/asgUnusedLaunchConfiguration.js b/plugins/aws/autoscaling/asgUnusedLaunchConfiguration.js index f3ae53e006..1c7f05d99c 100644 --- a/plugins/aws/autoscaling/asgUnusedLaunchConfiguration.js +++ b/plugins/aws/autoscaling/asgUnusedLaunchConfiguration.js @@ -11,6 +11,8 @@ module.exports = { link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/LaunchConfiguration.html', recommended_action: 'Identify and remove any Auto Scaling Launch Configuration templates that are not associated anymore with ASGs available in the selected AWS region.', apis: ['AutoScaling:describeAutoScalingGroups', 'AutoScaling:describeLaunchConfigurations'], + realtime_triggers: ['AutoScaling:createLaunchConfiguration','AutoScaling:deleteLaunchConfiguration'], + run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/autoscaling/elbHealthCheckActive.js b/plugins/aws/autoscaling/elbHealthCheckActive.js index 882dadb304..3b65f46103 100644 --- a/plugins/aws/autoscaling/elbHealthCheckActive.js +++ b/plugins/aws/autoscaling/elbHealthCheckActive.js @@ -10,6 +10,8 @@ module.exports = { link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-add-elb-healthcheck.html', recommended_action: 'Enable ELB health check for the Auto Scaling groups.', apis: ['AutoScaling:describeAutoScalingGroups'], + realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:updateAutoScalingGroup'], + run: function(cache, settings, callback) { var results = []; 
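Review bot: asgSuspendedProcesses triggers on `AutoScaling:resumeProcesses` but not on `AutoScaling:suspendProcesses`, which is the call that creates the suspended state the plugin flags; the finding would only be re-evaluated once someone has already fixed it. Suggest `realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:suspendProcesses','AutoScaling:resumeProcesses'],`. The hunk also adds three blank lines between `realtime_triggers` and `run` where the sibling plugins add at most one; trim them for consistency. The `run` body continues outside the hunk.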
diff --git a/plugins/aws/autoscaling/emptyASG.js b/plugins/aws/autoscaling/emptyASG.js index 30c4eed0f8..d148d6da1e 100644 --- a/plugins/aws/autoscaling/emptyASG.js +++ b/plugins/aws/autoscaling/emptyASG.js @@ -10,6 +10,8 @@ module.exports = { link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/AutoScalingGroup.html', recommended_action: 'Delete the unused AutoScaling group.', apis: ['AutoScaling:describeAutoScalingGroups'], + realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:deleteAutoScalingGroup'], + run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/autoscaling/sameAzElb.js b/plugins/aws/autoscaling/sameAzElb.js index 8e7ac8cf97..bc5976353d 100644 --- a/plugins/aws/autoscaling/sameAzElb.js +++ b/plugins/aws/autoscaling/sameAzElb.js @@ -10,6 +10,9 @@ module.exports = { link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-add-availability-zone.html', recommended_action: 'Update the ELB to use the same availability zones as the autoscaling group.', apis: ['AutoScaling:describeAutoScalingGroups', 'ELB:describeLoadBalancers', 'ELBv2:describeLoadBalancers'], + realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:updateAutoScalingGroup'], + + run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/autoscaling/webTierAsgApprovedAmi.js b/plugins/aws/autoscaling/webTierAsgApprovedAmi.js index 5842d4e7fc..8e6f8e3fa6 100644 --- a/plugins/aws/autoscaling/webTierAsgApprovedAmi.js +++ b/plugins/aws/autoscaling/webTierAsgApprovedAmi.js @@ -24,6 +24,8 @@ module.exports = { default: '' } }, + realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:updateAutoScalingGroup'], + run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/autoscaling/webTierAsgAssociatedElb.js b/plugins/aws/autoscaling/webTierAsgAssociatedElb.js index e2c2acb9bc..7a9c2fb36c 100644 --- a/plugins/aws/autoscaling/webTierAsgAssociatedElb.js 
+++ b/plugins/aws/autoscaling/webTierAsgAssociatedElb.js @@ -18,6 +18,8 @@ module.exports = { default: '' } }, + realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:attachLoadBalancers'], + run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/autoscaling/webTierAsgCloudwatchLogs.js b/plugins/aws/autoscaling/webTierAsgCloudwatchLogs.js index 82d2f2a466..b9cc310f1d 100644 --- a/plugins/aws/autoscaling/webTierAsgCloudwatchLogs.js +++ b/plugins/aws/autoscaling/webTierAsgCloudwatchLogs.js @@ -32,6 +32,7 @@ module.exports = { default: '' } }, + realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:updateAutoScalingGroup'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/autoscaling/webTierIamRole.js b/plugins/aws/autoscaling/webTierIamRole.js index f7bdfc39aa..18283a5398 100644 --- a/plugins/aws/autoscaling/webTierIamRole.js +++ b/plugins/aws/autoscaling/webTierIamRole.js @@ -18,6 +18,7 @@ module.exports = { default: '' } }, + realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:updateAutoScalingGroup'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/backup/backupDeletionProtection.js b/plugins/aws/backup/backupDeletionProtection.js index 7587bd83ac..e7a5b8d667 100644 --- a/plugins/aws/backup/backupDeletionProtection.js +++ b/plugins/aws/backup/backupDeletionProtection.js 
@@ -10,7 +10,9 @@ module.exports = { more_info: 'With AWS Backup, you can assign policies to backup vaults and the resources they contain. Assigning policies allows you to do things like grant access to users to create backup plans and on-demand backups, but limit their ability to delete recovery points after they are created.', recommended_action: 'Add a statement in Backup vault access policy which denies global access to action: backup:DeleteRecoveryPoint', link: 'https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-a-vault-access-policy.html', - apis: ['Backup:listBackupVaults', 'Backup:getBackupVaultAccessPolicy' ], + apis: ['Backup:listBackupVaults', 'Backup:getBackupVaultAccessPolicy'], + realtime_triggers: ['Backup:createBackupVault','Backup:putBackupVaultAccessPolicy'], + run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/backup/backupInUseForRDSSnapshots.js b/plugins/aws/backup/backupInUseForRDSSnapshots.js index 515cf00cd3..7023570b25 100644 --- a/plugins/aws/backup/backupInUseForRDSSnapshots.js +++ b/plugins/aws/backup/backupInUseForRDSSnapshots.js @@ -11,6 +11,7 @@ module.exports = { recommended_action: 'Enable RDS database instance snapshots to improve the reliability of your backup strategy.', link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html', apis: ['RDS:describeDBSnapshots'], + realtime_triggers: ['Backup:createBackupPlan','Backup:createBackupSelection'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/backup/backupNotificationEnabled.js b/plugins/aws/backup/backupNotificationEnabled.js index 7cb5a85776..eb7a83817c 100644 --- a/plugins/aws/backup/backupNotificationEnabled.js +++ b/plugins/aws/backup/backupNotificationEnabled.js 
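Review bot: backupDeletionProtection's triggers omit `Backup:deleteBackupVaultAccessPolicy`, the call that removes the vault access policy and with it the Deny on `backup:DeleteRecoveryPoint` that this control exists to verify; that removal is the most likely path to the failing state and would not be re-evaluated in real time. Suggest `realtime_triggers: ['Backup:createBackupVault','Backup:putBackupVaultAccessPolicy','Backup:deleteBackupVaultAccessPolicy'],` and dropping the extra blank line before `run`. The enclosing object and `run` extend beyond the hunk.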
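Review bot: backupInUseForRDSSnapshots' new triggers are `Backup:createBackupPlan` and `Backup:createBackupSelection`, but the plugin's only API is `RDS:describeDBSnapshots`, so its result changes when RDS snapshots appear or disappear rather than when a backup plan is created. If the intent is to re-run the check when its inputs change, `'RDS:createDBSnapshot'` and `'RDS:deleteDBSnapshot'` would be the matching events; if the Backup events were chosen deliberately (e.g. plan-driven snapshots), a one-line comment explaining that would help the next maintainer. The `run` body continues outside the hunk.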
@@ -10,7 +10,8 @@ module.exports = { more_info: 'AWS Backup can take advantage of the robust notifications delivered by Amazon Simple Notification Service (Amazon SNS). You can configure Amazon SNS to notify you of AWS Backup events from the Amazon SNS console.', recommended_action: 'Configure Backup vaults to sent notifications alert for failed backup job events.', link: 'https://docs.aws.amazon.com/aws-backup/latest/devguide/sns-notifications.html', - apis: ['Backup:listBackupVaults', 'Backup:getBackupVaultNotifications' ], + apis: ['Backup:listBackupVaults', 'Backup:getBackupVaultNotifications'], + realtime_triggers: ['Backup:createBackupVault','Backup:putBackupVaultNotifications'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/backup/backupResourceProtection.js b/plugins/aws/backup/backupResourceProtection.js index 5406e0f962..b95653fbee 100644 --- a/plugins/aws/backup/backupResourceProtection.js +++ b/plugins/aws/backup/backupResourceProtection.js @@ -19,6 +19,7 @@ module.exports = { default:'' } }, + realtime_triggers: ['Backup:updateRegionSettings'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/backup/backupVaultEncrypted.js b/plugins/aws/backup/backupVaultEncrypted.js index 45c3c2ccbd..59307670fc 100644 --- a/plugins/aws/backup/backupVaultEncrypted.js +++ b/plugins/aws/backup/backupVaultEncrypted.js @@ -18,6 +18,7 @@ module.exports = { default: 'awscmk', } }, + realtime_triggers: ['Backup:createBackupVault','Backup:updateBackupPlan'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/backup/backupVaultHasTags.js b/plugins/aws/backup/backupVaultHasTags.js index b3150d43f4..5d56c3fdf7 100644 --- a/plugins/aws/backup/backupVaultHasTags.js +++ b/plugins/aws/backup/backupVaultHasTags.js 
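Review bot: backupNotificationEnabled lists `Backup:putBackupVaultNotifications` but not `Backup:deleteBackupVaultNotifications`, which is the call that removes the vault's SNS notifications (the `apis` read `getBackupVaultNotifications`); the failing state would therefore not be re-detected in real time. Suggest `realtime_triggers: ['Backup:createBackupVault','Backup:putBackupVaultNotifications','Backup:deleteBackupVaultNotifications'],`. Separately, the `recommended_action` in the context line reads "sent notifications alert"; "send notification alerts" is the intended wording, though fixing it is outside this change. The `run` body continues outside the hunk.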
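Review bot: backupVaultEncrypted's second trigger is `Backup:updateBackupPlan`, but a backup plan update does not appear to affect a vault's encryption key, which is what this plugin evaluates (its `apis` are outside the hunk, so I am inferring from the plugin name and the `awscmk` default setting). If that inference holds, the trigger is noise and `Backup:createBackupVault` alone is what changes the result; if there is a reason plan updates matter here, a short comment on the `realtime_triggers` line would make it clear. The `run` body continues outside the hunk.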
@@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Modify Backup Vault and add tags.', link: 'https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-a-vault.html', apis: ['Backup:listBackupVaults', 'ResourceGroupsTaggingAPI:getResources'], + realtime_triggers: ['Backup:createBackupVault','Backup:tagResource'], run: function(cache, settings, callback) { diff --git a/plugins/aws/backup/backupVaultPolicies.js b/plugins/aws/backup/backupVaultPolicies.js index 9a8c66b6d2..88f1b76fe9 100644 --- a/plugins/aws/backup/backupVaultPolicies.js +++ b/plugins/aws/backup/backupVaultPolicies.js @@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Ensure that all Backup Vault policies are scoped to specific services and API calls.', link: 'https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-a-vault-access-policy.html', apis: ['Backup:listBackupVaults', 'Backup:getBackupVaultAccessPolicy', 'STS:getCallerIdentity'], + realtime_triggers: ['Backup:createBackupVault','Backup:putBackupVaultAccessPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/backup/compliantLifecycleConfigured.js b/plugins/aws/backup/compliantLifecycleConfigured.js index 3b499ce7cc..8423c941d2 100644 --- a/plugins/aws/backup/compliantLifecycleConfigured.js +++ b/plugins/aws/backup/compliantLifecycleConfigured.js @@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Enable compliant lifecycle configuration for your Amazon Backup plans', link: 'https://docs.aws.amazon.com/aws-backup/latest/devguide/API_Lifecycle.html', apis: ['Backup:listBackupPlans', 'Backup:getBackupPlan'], + realtime_triggers: ['Backup:createBackupPlan','Backup:updateBackupPlan'], run: function(cache, settings, callback) { var results = []; From 2b7ec8669e6b02f2522a3a26bb0b0cf8963ff2f3 Mon Sep 17 00:00:00 2001 
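Review bot: backupVaultHasTags triggers on `Backup:tagResource` but not `Backup:untagResource`, so a vault whose tags are removed is not re-evaluated until the next full scan even though that is the event that makes the check fail. Suggest `realtime_triggers: ['Backup:createBackupVault','Backup:tagResource','Backup:untagResource'],`. The `run` body continues outside the hunk.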
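Review bot: backupVaultPolicies' triggers are the same `createBackupVault`/`putBackupVaultAccessPolicy` pair used for backupDeletionProtection, and like that plugin they omit `Backup:deleteBackupVaultAccessPolicy`; since the plugin reads `getBackupVaultAccessPolicy`, removing the policy changes its result and should trigger a re-check. Suggest adding `'Backup:deleteBackupVaultAccessPolicy'` to the list. The `run` body continues outside the hunk.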
From: muzzamilinovaqo Date: Tue, 12 Sep 2023 15:16:46 +0500 Subject: [PATCH 003/498] added triggers for plugins section c,i,k --- plugins/aws/cloudformation/cloudformationAdminPriviliges.js | 2 ++ plugins/aws/cloudformation/cloudformationInUse.js | 1 + plugins/aws/cloudformation/driftDetection.js | 3 ++- plugins/aws/cloudformation/plainTextParameters.js | 1 + plugins/aws/cloudformation/stackFailedStatus.js | 1 + plugins/aws/cloudformation/stackNotifications.js | 1 + plugins/aws/cloudfront/cloudfrontCustomOriginHttpsOnly.js | 2 ++ plugins/aws/cloudfront/cloudfrontFieldLevelEncryption.js | 2 ++ plugins/aws/cloudfront/cloudfrontGeoRestriction.js | 1 + plugins/aws/cloudfront/cloudfrontInUse.js | 2 ++ plugins/aws/cloudfront/cloudfrontLoggingEnabled.js | 1 + plugins/aws/cloudfront/cloudfrontOriginTlsVersion.js | 1 + plugins/aws/cloudfront/cloudfrontTlsDeprecatedProtocols.js | 1 + plugins/aws/cloudfront/cloudfrontTlsInsecureCipher.js | 1 + plugins/aws/cloudfront/cloudfrontWafEnabled.js | 1 + plugins/aws/cloudfront/compressObjectsAutomatically.js | 1 + plugins/aws/cloudfront/enableOriginFailOver.js | 1 + plugins/aws/cloudfront/insecureProtocols.js | 1 + plugins/aws/cloudfront/publicS3Origin.js | 1 + plugins/aws/cloudfront/secureOrigin.js | 1 + plugins/aws/cloudtrail/cloudtrailBucketAccessLogging.js | 1 + plugins/aws/cloudtrail/cloudtrailBucketDelete.js | 1 + plugins/aws/cloudtrail/cloudtrailBucketPrivate.js | 2 ++ plugins/aws/cloudtrail/cloudtrailDataEvents.js | 1 + plugins/aws/cloudtrail/cloudtrailDeliveryFailing.js | 1 + plugins/aws/cloudtrail/cloudtrailEnabled.js | 2 ++ plugins/aws/cloudtrail/cloudtrailHasTags.js | 1 + plugins/aws/cloudtrail/cloudtrailManagementEvents.js | 1 + plugins/aws/cloudtrail/cloudtrailNotificationsEnabled.js | 1 + plugins/aws/cloudtrail/cloudtrailObjectLock.js | 1 + plugins/aws/cloudtrail/cloudtrailS3Bucket.js | 1 + plugins/aws/cloudtrail/cloudtrailToCloudwatch.js | 1 + plugins/aws/cloudtrail/globalLoggingDuplicated.js | 1 + 
plugins/aws/cloudwatch/vpcFlowLogsMetricAlarm.js | 1 + plugins/aws/cloudwatchlogs/logGroupsEncrypted.js | 1 + plugins/aws/cloudwatchlogs/logRetentionPeriod.js | 1 + plugins/aws/cloudwatchlogs/monitoringMetrics.js | 1 + plugins/aws/codeartifact/codeartifactDomainEncrypted.js | 1 + plugins/aws/codebuild/codebuildValidSourceProviders.js | 1 + plugins/aws/codebuild/projectArtifactsEncrypted.js | 1 + plugins/aws/codepipeline/pipelineArtifactsEncrypted.js | 1 + plugins/aws/codestar/codestarValidRepoProviders.js | 1 + plugins/aws/cognito/cognitoHasWafEnabled.js | 1 + plugins/aws/cognito/cognitoMFAEnabled.js | 2 ++ plugins/aws/comprehend/outputResultEncryption.js | 1 + plugins/aws/comprehend/volumeEncryption.js | 1 + plugins/aws/computeoptimizer/asgOptimized.js | 1 + plugins/aws/computeoptimizer/ebsVolumesOptimized.js | 1 + plugins/aws/computeoptimizer/ec2InstancesOptimized.js | 1 + plugins/aws/computeoptimizer/lambdaFunctionsOptimized.js | 1 + .../aws/computeoptimizer/optimizerRecommendationsEnabled.js | 1 + plugins/aws/configservice/configComplaintRules.js | 1 + plugins/aws/configservice/configDeliveryFailing.js | 1 + plugins/aws/configservice/configServiceEnabled.js | 1 + plugins/aws/configservice/configServiceMissingBucket.js | 1 + plugins/aws/configservice/servicesInUse.js | 1 + plugins/aws/devopsguru/devOpsGuruNotificationEnabled.js | 1 + plugins/aws/dms/autoMinorVersionUpgrade.js | 1 + plugins/aws/dms/dmsEncryptionEnabled.js | 1 + plugins/aws/dms/dmsMultiAZFeatureEnabled.js | 1 + plugins/aws/dms/dmsPubliclyAccessibleInstances.js | 1 + plugins/aws/documentDB/docdbClusterBackupRetention.js | 1 + plugins/aws/documentDB/docdbClusterEncrypted.js | 1 + plugins/aws/dynamodb/daxClusterEncryption.js | 1 + plugins/aws/dynamodb/dynamoContinuousBackups.js | 1 + plugins/aws/dynamodb/dynamoTableBackupExists.js | 1 + plugins/aws/dynamodb/dynamoTableHasTags.js | 1 + plugins/aws/dynamodb/dynamoUnusedTable.js | 1 + plugins/aws/iam/accessKeysExtra.js | 2 ++ 
plugins/aws/iam/accessKeysLastUsed.js | 1 + plugins/aws/iam/accessKeysRotated.js | 1 + plugins/aws/iam/canaryKeysUsed.js | 2 ++ plugins/aws/iam/certificateExpiry.js | 1 + plugins/aws/iam/crossAccountMfaExtIdAccess.js | 1 + plugins/aws/iam/emptyGroups.js | 1 + plugins/aws/iam/groupInlinePolicies.js | 1 + plugins/aws/iam/iamMasterManagerRoles.js | 1 + plugins/aws/iam/iamPoliciesPresent.js | 1 + plugins/aws/iam/iamRoleHasTags.js | 2 ++ plugins/aws/iam/iamRoleLastUsed.js | 1 + plugins/aws/iam/iamRolePolicies.js | 1 + plugins/aws/iam/iamSupportPolicy.js | 1 + plugins/aws/iam/iamUserAdmins.js | 1 + plugins/aws/iam/iamUserHasTags.js | 1 + plugins/aws/iam/iamUserInUse.js | 1 + plugins/aws/iam/iamUserNameRegex.js | 1 + plugins/aws/iam/iamUserNotInUse.js | 1 + plugins/aws/iam/iamUserPresent.js | 1 + plugins/aws/iam/iamUserUnauthorizedToEdit.js | 1 + plugins/aws/iam/iamUserWithoutPermissions.js | 1 + plugins/aws/iam/maxPasswordAge.js | 2 ++ plugins/aws/iam/minPasswordLength.js | 1 + plugins/aws/iam/noUserIamPolicies.js | 1 + plugins/aws/iam/passwordExpiration.js | 1 + plugins/aws/iam/passwordPolicyExists.js | 1 + plugins/aws/iam/passwordRequiresLowercase.js | 1 + plugins/aws/iam/passwordRequiresNumbers.js | 1 + plugins/aws/iam/passwordRequiresSymbols.js | 1 + plugins/aws/iam/passwordRequiresUppercase.js | 1 + plugins/aws/iam/passwordReusePrevention.js | 1 + plugins/aws/iam/policyAllowsToChangePassword.js | 1 + plugins/aws/iam/rolePolicyUnusedServices.js | 1 + plugins/aws/iam/rootAccessKeys.js | 1 + plugins/aws/iam/rootAccountInUse.js | 1 + plugins/aws/iam/rootHardwareMfa.js | 1 + plugins/aws/iam/rootMfaEnabled.js | 1 + plugins/aws/iam/rootSigningCertificate.js | 1 + plugins/aws/iam/sshKeysRotated.js | 1 + plugins/aws/iam/trustedCrossAccountRoles.js | 1 + plugins/aws/iam/usersMfaEnabled.js | 1 + plugins/aws/iam/usersPasswordAndKeys.js | 1 + plugins/aws/iam/usersPasswordLastUsed.js | 1 + plugins/aws/imagebuilder/dockerfileTemplateEncrypted.js | 1 + 
plugins/aws/imagebuilder/enhancedMetadataEnabled.js | 1 + plugins/aws/imagebuilder/imageRecipeVolumeEncrypted.js | 1 + plugins/aws/imagebuilder/imgBuilderComponentsEncrypted.js | 1 + plugins/aws/imagebuilder/infraConfigNotificationEnabled.js | 1 + plugins/aws/iotsitewise/iotsitewiseDataEncrypted.js | 1 + plugins/aws/kendra/kendraIndexEncrypted.js | 1 + plugins/aws/kinesis/kinesisDataStreamsEncrypted.js | 1 + plugins/aws/kinesisvideo/videostreamDataEncrypted.js | 1 + plugins/aws/kms/kmsAppTierCmk.js | 1 + plugins/aws/kms/kmsDefaultKeyUsage.js | 1 + plugins/aws/kms/kmsDuplicateGrants.js | 1 + plugins/aws/kms/kmsGrantLeastPrivilege.js | 1 + plugins/aws/kms/kmsKeyPolicy.js | 1 + plugins/aws/kms/kmsKeyRotation.js | 1 + plugins/aws/kms/kmsScheduledDeletion.js | 1 + 128 files changed, 140 insertions(+), 1 deletion(-) diff --git a/plugins/aws/cloudformation/cloudformationAdminPriviliges.js b/plugins/aws/cloudformation/cloudformationAdminPriviliges.js index 2fb521f88c..e59d016487 100644 --- a/plugins/aws/cloudformation/cloudformationAdminPriviliges.js +++ b/plugins/aws/cloudformation/cloudformationAdminPriviliges.js @@ -14,6 +14,8 @@ module.exports = { recommended_action: 'Modify IAM role attached with AWS CloudFormation stack to provide the minimal amount of access required to perform its tasks', apis: ['CloudFormation:listStacks', 'CloudFormation:describeStacks', 'IAM:listRoles', 'IAM:listAttachedRolePolicies', 'IAM:listRolePolicies', 'IAM:listPolicies', 'IAM:getPolicy', 'IAM:getPolicyVersion', 'IAM:getRolePolicy'], + realtime_triggers: ['CloudFormation:createStack','IAM:createPolicyVersion','IAM:putRolePolicy'], + run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudformation/cloudformationInUse.js b/plugins/aws/cloudformation/cloudformationInUse.js index 5b0db53ac4..0401bc8dfe 100644 --- a/plugins/aws/cloudformation/cloudformationInUse.js +++ b/plugins/aws/cloudformation/cloudformationInUse.js 
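Review bot: cloudformationAdminPriviliges' triggers (`CloudFormation:createStack`, `IAM:createPolicyVersion`, `IAM:putRolePolicy`) miss two paths by which a stack role can gain admin privileges: attaching a managed policy (`IAM:attachRolePolicy`, which is exactly what the plugin's `IAM:listAttachedRolePolicies` input reflects) and changing the role on an existing stack (`CloudFormation:updateStack`). Because the control is about privilege escalation through the stack role, those are the events most worth re-evaluating on; suggest `realtime_triggers: ['CloudFormation:createStack','CloudFormation:updateStack','IAM:attachRolePolicy','IAM:createPolicyVersion','IAM:putRolePolicy'],` and dropping the extra blank line before `run`. The `run` body continues outside the hunk.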
@@ -12,6 +12,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html', recommended_action: 'Check if CloudFormation is in use or not by observing the stacks', apis: ['CloudFormation:describeStacks'], + realtime_triggers: ['CloudFormation:createStack'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudformation/driftDetection.js b/plugins/aws/cloudformation/driftDetection.js index b153a7674a..463c8207f6 100644 --- a/plugins/aws/cloudformation/driftDetection.js +++ b/plugins/aws/cloudformation/driftDetection.js @@ -10,7 +10,8 @@ module.exports = { link: 'https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import-resolve-drift.html', recommended_action: 'Resolve CloudFormation stack drift by importing drifted resource back to the stack.', apis: ['CloudFormation:listStacks'], - + realtime_triggers: ['CloudFormation:createStack','CloudFormation:updateStack'], + run: function(cache, settings, callback) { var results = []; var source = {}; diff --git a/plugins/aws/cloudformation/plainTextParameters.js b/plugins/aws/cloudformation/plainTextParameters.js index bae64ff47e..a6c206489e 100644 --- a/plugins/aws/cloudformation/plainTextParameters.js +++ b/plugins/aws/cloudformation/plainTextParameters.js @@ -18,6 +18,7 @@ module.exports = { default: 'secret,password,privatekey' } }, + realtime_triggers: ['CloudFormation:createStack','CloudFormation:updateStack'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudformation/stackFailedStatus.js b/plugins/aws/cloudformation/stackFailedStatus.js index c51b64e51b..004590a2ce 100644 --- a/plugins/aws/cloudformation/stackFailedStatus.js +++ b/plugins/aws/cloudformation/stackFailedStatus.js @@ -18,6 +18,7 @@ module.exports = { default: 0 } }, + realtime_triggers: ['CloudFormation:createStack','CloudFormation:deleteStack'], run: function(cache, settings, callback) { var results = []; 
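Review bot: stackFailedStatus triggers on `CloudFormation:createStack` and `CloudFormation:deleteStack` but not `CloudFormation:updateStack`, even though failed and rolled-back updates are a stack status this plugin would presumably report (the status set it checks is outside the hunk, so this is inferred from the plugin name). Suggest `realtime_triggers: ['CloudFormation:createStack','CloudFormation:updateStack','CloudFormation:deleteStack'],`. The `run` body continues outside the hunk.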
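Review bot: driftDetection's result is derived from `CloudFormation:listStacks`, and drift status only changes after a drift detection run, not directly on `createStack`/`updateStack`; if the plugin reads the stack's drift information (inferred from its name and `link`), `'CloudFormation:detectStackDrift'` is the event that actually alters what it reports. Consider adding it alongside the two existing triggers, with a short comment on why `updateStack` is kept (an update resets drift status, if that is the reasoning). The hunk also replaces a blank context line with one that adds trailing whitespace after the new entry; trim it. The `run` body continues outside the hunk.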
diff --git a/plugins/aws/cloudformation/stackNotifications.js b/plugins/aws/cloudformation/stackNotifications.js index 1c5e37a96a..cd912c145b 100644 --- a/plugins/aws/cloudformation/stackNotifications.js +++ b/plugins/aws/cloudformation/stackNotifications.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-view-stack-data-resources.html', recommended_action: 'Associate an Amazon SNS topic to all CloudFormation stacks', apis: ['CloudFormation:listStacks', 'CloudFormation:describeStacks'], + realtime_triggers: ['CloudFormation:createStack','CloudFormation:updateStack'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudfront/cloudfrontCustomOriginHttpsOnly.js b/plugins/aws/cloudfront/cloudfrontCustomOriginHttpsOnly.js index 0c479a620d..4c27de3741 100644 --- a/plugins/aws/cloudfront/cloudfrontCustomOriginHttpsOnly.js +++ b/plugins/aws/cloudfront/cloudfrontCustomOriginHttpsOnly.js @@ -9,6 +9,8 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html', recommended_action: 'Modify CloudFront distribution and update the Origin Protocol Policy setting to HTTPS Only.', apis: ['CloudFront:listDistributions'], + realtime_triggers: ['CloudFront:createDistribution','CloudFront:updateDistribution'], + run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudfront/cloudfrontFieldLevelEncryption.js b/plugins/aws/cloudfront/cloudfrontFieldLevelEncryption.js index fd0a2cacf7..f5ee3e9f09 100644 --- a/plugins/aws/cloudfront/cloudfrontFieldLevelEncryption.js +++ b/plugins/aws/cloudfront/cloudfrontFieldLevelEncryption.js 
@@ -11,6 +11,8 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html', recommended_action: 'Enable field-level encryption for CloudFront distributions.', apis: ['CloudFront:listDistributions'], + realtime_triggers: ['CloudFront:createDistribution','CloudFront:updateDistribution'], + run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudfront/cloudfrontGeoRestriction.js b/plugins/aws/cloudfront/cloudfrontGeoRestriction.js index a4aad38593..dd27bde079 100644 --- a/plugins/aws/cloudfront/cloudfrontGeoRestriction.js +++ b/plugins/aws/cloudfront/cloudfrontGeoRestriction.js @@ -18,6 +18,7 @@ module.exports = { default: '' } }, + realtime_triggers: ['CloudFront:createDistribution','CloudFront:updateDistribution'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudfront/cloudfrontInUse.js b/plugins/aws/cloudfront/cloudfrontInUse.js index fe663d9b4a..1754f22a51 100644 --- a/plugins/aws/cloudfront/cloudfrontInUse.js +++ b/plugins/aws/cloudfront/cloudfrontInUse.js @@ -10,6 +10,8 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html', recommended_action: 'Create CloudFront distributions as per requirement.', apis: ['CloudFront:listDistributions'], + realtime_triggers: ['cloudfront:CreateDistribution'], + run: function(cache, settings, callback) { diff --git a/plugins/aws/cloudfront/cloudfrontLoggingEnabled.js b/plugins/aws/cloudfront/cloudfrontLoggingEnabled.js index 3b245baf38..d8d5d81900 100644 --- a/plugins/aws/cloudfront/cloudfrontLoggingEnabled.js +++ b/plugins/aws/cloudfront/cloudfrontLoggingEnabled.js @@ -33,6 +33,7 @@ module.exports = { } ] }, + realtime_triggers: ['cloudfront:CreateDistribution', 'cloudfront:UpdateDistribution'], run: function(cache, settings, callback) { 
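Review bot: cloudfrontInUse's new trigger is written `'cloudfront:CreateDistribution'`, while cloudfrontGeoRestriction and cloudfrontFieldLevelEncryption in the same commit use `'CloudFront:createDistribution'`; from cloudfrontLoggingEnabled onward the commit switches to the lowercase form for every CloudFront plugin. Two spellings for the same event inside one commit means at least one set will silently fail to match if the trigger consumer compares strings exactly (inferred; the matcher is not in this diff). Pick one convention, preferably the `Service:camelAction` form already used by `apis`, and apply it across the CloudFront plugins; also drop the extra blank line added before `run`. The `run` body continues outside the hunk.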
diff --git a/plugins/aws/cloudfront/cloudfrontOriginTlsVersion.js b/plugins/aws/cloudfront/cloudfrontOriginTlsVersion.js index e1fde8d214..85ae31de36 100644 --- a/plugins/aws/cloudfront/cloudfrontOriginTlsVersion.js +++ b/plugins/aws/cloudfront/cloudfrontOriginTlsVersion.js @@ -9,6 +9,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html', recommended_action: 'Modify cloudFront distribution and update the TLS version.', apis: ['CloudFront:listDistributions'], + realtime_triggers: ['cloudfront:CreateDistribution', 'cloudfront:UpdateDistribution'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudfront/cloudfrontTlsDeprecatedProtocols.js b/plugins/aws/cloudfront/cloudfrontTlsDeprecatedProtocols.js index 2ea8be4fa5..9bd14dbbc1 100644 --- a/plugins/aws/cloudfront/cloudfrontTlsDeprecatedProtocols.js +++ b/plugins/aws/cloudfront/cloudfrontTlsDeprecatedProtocols.js @@ -9,6 +9,7 @@ module.exports = { link: 'https://aws.amazon.com/about-aws/whats-new/2020/07/cloudfront-tls-security-policy/', recommended_action: 'Modify cloudFront distribution and update the TLS version.', apis: ['CloudFront:listDistributions'], + realtime_triggers: ['cloudfront:CreateDistribution', 'cloudfront:UpdateDistribution'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudfront/cloudfrontTlsInsecureCipher.js b/plugins/aws/cloudfront/cloudfrontTlsInsecureCipher.js index 15d9e6b702..9b334acc73 100644 --- a/plugins/aws/cloudfront/cloudfrontTlsInsecureCipher.js +++ b/plugins/aws/cloudfront/cloudfrontTlsInsecureCipher.js 
@@ -9,6 +9,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html', recommended_action: 'Modify cloudFront distribution and update the TLS version.', apis: ['CloudFront:listDistributions'], + realtime_triggers: ['cloudfront:CreateDistribution', 'cloudfront:UpdateDistribution'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudfront/cloudfrontWafEnabled.js b/plugins/aws/cloudfront/cloudfrontWafEnabled.js index 67a5149edc..43dd330308 100644 --- a/plugins/aws/cloudfront/cloudfrontWafEnabled.js +++ b/plugins/aws/cloudfront/cloudfrontWafEnabled.js @@ -9,6 +9,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-cloudfront-distribution.html', recommended_action: '1. Enter the WAF service. 2. Enter Web ACLs and filter by global. 3. If no Web ACL is found, Create a new global Web ACL and in Resource type to associate with web ACL, select the CloudFront Distribution. ', apis: ['CloudFront:listDistributions'], + realtime_triggers: ['cloudfront:CreateDistribution', 'cloudfront:UpdateDistribution'], run: function(cache, settings, callback) { diff --git a/plugins/aws/cloudfront/compressObjectsAutomatically.js b/plugins/aws/cloudfront/compressObjectsAutomatically.js index 28e7a8fb51..81e1be3b73 100644 --- a/plugins/aws/cloudfront/compressObjectsAutomatically.js +++ b/plugins/aws/cloudfront/compressObjectsAutomatically.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/ServingCompressedFiles.html', recommended_action: 'Ensures that CloudFront is configured to automatically compress files', apis: ['CloudFront:listDistributions'], + realtime_triggers: ['cloudfront:CreateDistribution', 'cloudfront:UpdateDistribution'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/cloudfront/enableOriginFailOver.js b/plugins/aws/cloudfront/enableOriginFailOver.js index 9aaa1779db..9a8c84c67f 100644 --- a/plugins/aws/cloudfront/enableOriginFailOver.js +++ b/plugins/aws/cloudfront/enableOriginFailOver.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_OriginGroupFailoverCriteria.html', recommended_action: 'Modify CloudFront distributions and configure origin group instead of a single origin', apis: ['CloudFront:listDistributions'], + realtime_triggers: ['cloudfront:CreateDistribution', 'cloudfront:UpdateDistribution'], run: function(cache, settings, callback) { diff --git a/plugins/aws/cloudfront/insecureProtocols.js b/plugins/aws/cloudfront/insecureProtocols.js index e67481e8cf..7894889713 100644 --- a/plugins/aws/cloudfront/insecureProtocols.js +++ b/plugins/aws/cloudfront/insecureProtocols.js @@ -25,6 +25,7 @@ module.exports = { default: 'true' } }, + realtime_triggers: ['cloudfront:CreateDistribution', 'cloudfront:UpdateDistribution'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/cloudfront/publicS3Origin.js b/plugins/aws/cloudfront/publicS3Origin.js index 819f9c6efb..51b8e54eb7 100644 --- a/plugins/aws/cloudfront/publicS3Origin.js +++ b/plugins/aws/cloudfront/publicS3Origin.js @@ -15,6 +15,7 @@ module.exports = { 'If an S3 bucket backing a CloudFront distribution does not require the end ' + 'user to access the contents through CloudFront, this policy may be violated.' }, + realtime_triggers: ['cloudfront:CreateDistribution', 'cloudfront:UpdateDistribution'], run: function(cache, settings, callback) { diff --git a/plugins/aws/cloudfront/secureOrigin.js b/plugins/aws/cloudfront/secureOrigin.js index f9de61e66a..bc28534009 100644 --- a/plugins/aws/cloudfront/secureOrigin.js +++ b/plugins/aws/cloudfront/secureOrigin.js 
@@ -16,6 +16,7 @@ module.exports = { 'ensures that traffic between CloudFront and any backend resource is ' + 'encrypted in transit.' }, + realtime_triggers: ['cloudfront:CreateDistribution', 'cloudfront:UpdateDistribution'], run: function(cache, settings, callback) { diff --git a/plugins/aws/cloudtrail/cloudtrailBucketAccessLogging.js b/plugins/aws/cloudtrail/cloudtrailBucketAccessLogging.js index afc8c01da8..7b8709d3dc 100644 --- a/plugins/aws/cloudtrail/cloudtrailBucketAccessLogging.js +++ b/plugins/aws/cloudtrail/cloudtrailBucketAccessLogging.js @@ -26,6 +26,7 @@ module.exports = { default: '', } }, + realtime_triggers: ['CloudTrail:createTrail', 'S3:putBucketLogging'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/cloudtrail/cloudtrailBucketDelete.js b/plugins/aws/cloudtrail/cloudtrailBucketDelete.js index 8ad8c33ac9..f723c93959 100644 --- a/plugins/aws/cloudtrail/cloudtrailBucketDelete.js +++ b/plugins/aws/cloudtrail/cloudtrailBucketDelete.js @@ -24,6 +24,7 @@ module.exports = { default: '', } }, + realtime_triggers: ['CloudTrail:createTrail', 'S3:putBucketVersioning'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/cloudtrail/cloudtrailBucketPrivate.js b/plugins/aws/cloudtrail/cloudtrailBucketPrivate.js index 433daee9c0..b85dd0cc5b 100644 --- a/plugins/aws/cloudtrail/cloudtrailBucketPrivate.js +++ b/plugins/aws/cloudtrail/cloudtrailBucketPrivate.js @@ -22,6 +22,8 @@ module.exports = { } }, + realtime_triggers: ['CloudTrail:createTrail', 'S3:putBucketAcl'], + run: function(cache, settings, callback) { var config = { whitelist_ct_private_buckets: settings.whitelist_ct_private_buckets || this.settings.whitelist_ct_private_buckets.default diff --git a/plugins/aws/cloudtrail/cloudtrailDataEvents.js b/plugins/aws/cloudtrail/cloudtrailDataEvents.js index 1f0b000b6f..5883fbd478 100644 --- a/plugins/aws/cloudtrail/cloudtrailDataEvents.js +++ b/plugins/aws/cloudtrail/cloudtrailDataEvents.js 
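Review bot: The trigger list added to cloudtrailBucketPrivate omits `CloudTrail:updateTrail`, so re-pointing a trail at a different (possibly public) bucket never re-runs the check even though `CloudTrail:createTrail` is included. `S3:putBucketAcl` also only covers ACL changes; a bucket can be made public through `S3:putBucketPolicy` or a relaxed `S3:putPublicAccessBlock`, which I would add if the plugin evaluates more than the ACL (its `run` body is outside the hunk). Suggest `realtime_triggers: ['CloudTrail:createTrail', 'CloudTrail:updateTrail', 'S3:putBucketAcl', 'S3:putBucketPolicy'],`. The same missing `updateTrail` applies to the cloudtrailBucketAccessLogging and cloudtrailBucketDelete hunks on this line.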
@@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Update CloudTrail to enable data events.', link: 'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html', apis: ['CloudTrail:describeTrails', 'CloudTrail:getEventSelectors'], + realtime_triggers: ['CloudTrail:createTrail', 'CloudTrail:putEventSelectors'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudtrail/cloudtrailDeliveryFailing.js b/plugins/aws/cloudtrail/cloudtrailDeliveryFailing.js index 9d51103315..e552db1c9e 100644 --- a/plugins/aws/cloudtrail/cloudtrailDeliveryFailing.js +++ b/plugins/aws/cloudtrail/cloudtrailDeliveryFailing.js @@ -18,6 +18,7 @@ module.exports = { default: '' } }, + realtime_triggers: ['CloudTrail:createTrail', 'CloudTrail:updateTrail'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudtrail/cloudtrailEnabled.js b/plugins/aws/cloudtrail/cloudtrailEnabled.js index 21993057e8..ea906a2dd3 100644 --- a/plugins/aws/cloudtrail/cloudtrailEnabled.js +++ b/plugins/aws/cloudtrail/cloudtrailEnabled.js @@ -19,6 +19,8 @@ module.exports = { 'within environments containing cardholder data.', cis1: '2.1 Ensure CloudTrail is enabled in all regions' }, + realtime_triggers: ['CloudTrail:createTrail', 'CloudTrail:updateTrail'], + run: function(cache, settings, callback) { var results = []; var source = {}; diff --git a/plugins/aws/cloudtrail/cloudtrailHasTags.js b/plugins/aws/cloudtrail/cloudtrailHasTags.js index 2fce14fc07..ecd8c553bc 100644 --- a/plugins/aws/cloudtrail/cloudtrailHasTags.js +++ b/plugins/aws/cloudtrail/cloudtrailHasTags.js 
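Review bot: For cloudtrailEnabled (CIS 2.1) the triggers `CloudTrail:createTrail` and `CloudTrail:updateTrail` do not cover the events that actually disable logging: `StopLogging` and `DeleteTrail`, which are the standard defense-evasion steps an attacker takes against CloudTrail and which leave the trail configuration otherwise untouched. As written, a trail can be stopped and the plugin will not be re-evaluated until the next scheduled scan. Suggest `realtime_triggers: ['CloudTrail:createTrail', 'CloudTrail:updateTrail', 'CloudTrail:startLogging', 'CloudTrail:stopLogging', 'CloudTrail:deleteTrail'],`. The `module.exports` object continues outside the hunk.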
@@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Modify CloudTrail trails and add tags.', link: 'https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AddTags.html', apis: ['CloudTrail:describeTrails', 'CloudTrail:listTags'], + realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:addTags','cloudtrail:removeTags'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudtrail/cloudtrailManagementEvents.js b/plugins/aws/cloudtrail/cloudtrailManagementEvents.js index fd21ccca8e..d8b3b28313 100644 --- a/plugins/aws/cloudtrail/cloudtrailManagementEvents.js +++ b/plugins/aws/cloudtrail/cloudtrailManagementEvents.js @@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Update CloudTrail to enable management events logging', link: 'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html', apis: ['CloudTrail:describeTrails', 'CloudTrail:getEventSelectors'], + realtime_triggers: ['CloudTrail:createTrail', 'CloudTrail:putEventSelectors'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudtrail/cloudtrailNotificationsEnabled.js b/plugins/aws/cloudtrail/cloudtrailNotificationsEnabled.js index 4081988aa7..611ba0221f 100644 --- a/plugins/aws/cloudtrail/cloudtrailNotificationsEnabled.js +++ b/plugins/aws/cloudtrail/cloudtrailNotificationsEnabled.js @@ -11,6 +11,7 @@ module.exports = { recommended_action: 'Make sure that CloudTrail trails are using active SNS topics and that SNS topics have not been deleted after trail creation.', link: 'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/configure-sns-notifications-for-cloudtrail.html', apis: ['CloudTrail:describeTrails', 'SNS:listTopics', 'SNS:getTopicAttributes'], + realtime_triggers: ['CloudTrail:createTrail', 'CloudTrail:updateTrail'], run: function(cache, settings, callback) { var results = []; 
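Review bot: The cloudtrailHasTags trigger list mixes casing within a single array, `cloudtrail:CreateTrail` next to `cloudtrail:addTags`, and both differ from the `CloudTrail:createTrail` form used by every other CloudTrail hunk in this patch and by the `apis` entries directly above (`CloudTrail:describeTrails`). An exact-match consumer would treat these as a different service key. Suggest `realtime_triggers: ['CloudTrail:createTrail', 'CloudTrail:addTags', 'CloudTrail:removeTags'],` to match the rest of the file. The hunk header for this file is on the preceding line and the `module.exports` object continues outside the hunk.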
diff --git a/plugins/aws/cloudtrail/cloudtrailObjectLock.js b/plugins/aws/cloudtrail/cloudtrailObjectLock.js index 5509c164ba..9fe6333447 100644 --- a/plugins/aws/cloudtrail/cloudtrailObjectLock.js +++ b/plugins/aws/cloudtrail/cloudtrailObjectLock.js @@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Edit trail to use a bucket with object locking enabled.', link: 'https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock-managing.html', apis: ['CloudTrail:describeTrails', 'S3:getObjectLockConfiguration', 'S3:listBuckets'], + realtime_triggers: ['CloudTrail:createTrail', 'CloudTrail:updateTrail'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudtrail/cloudtrailS3Bucket.js b/plugins/aws/cloudtrail/cloudtrailS3Bucket.js index 1b021206d9..9a47bafeaa 100644 --- a/plugins/aws/cloudtrail/cloudtrailS3Bucket.js +++ b/plugins/aws/cloudtrail/cloudtrailS3Bucket.js @@ -24,6 +24,7 @@ module.exports = { default: '' } }, + realtime_triggers: ['CloudTrail:createTrail', 'CloudTrail:updateTrail'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudtrail/cloudtrailToCloudwatch.js b/plugins/aws/cloudtrail/cloudtrailToCloudwatch.js index 2786019d0b..c9f3885f60 100644 --- a/plugins/aws/cloudtrail/cloudtrailToCloudwatch.js +++ b/plugins/aws/cloudtrail/cloudtrailToCloudwatch.js @@ -13,6 +13,7 @@ module.exports = { compliance: { cis1: '2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs' }, + realtime_triggers: ['CloudTrail:createTrail', 'CloudTrail:updateTrail'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudtrail/globalLoggingDuplicated.js b/plugins/aws/cloudtrail/globalLoggingDuplicated.js index 0ef33b26dc..438780e849 100644 --- a/plugins/aws/cloudtrail/globalLoggingDuplicated.js +++ b/plugins/aws/cloudtrail/globalLoggingDuplicated.js 
@@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Update CloudTrail trails to log global services events enabled for only one trail', link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html', apis: ['CloudTrail:describeTrails'], + realtime_triggers: ['CloudTrail:createTrail', 'CloudTrail:updateTrail'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudwatch/vpcFlowLogsMetricAlarm.js b/plugins/aws/cloudwatch/vpcFlowLogsMetricAlarm.js index efa3c2282b..b542873886 100644 --- a/plugins/aws/cloudwatch/vpcFlowLogsMetricAlarm.js +++ b/plugins/aws/cloudwatch/vpcFlowLogsMetricAlarm.js @@ -21,6 +21,7 @@ module.exports = { default: 'vpc_flow_logs' } }, + realtime_triggers: ['CloudWatchLogs:putMetricFilter', 'CloudWatch:putMetricAlarm'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudwatchlogs/logGroupsEncrypted.js b/plugins/aws/cloudwatchlogs/logGroupsEncrypted.js index fefb2bba41..a980409d2e 100644 --- a/plugins/aws/cloudwatchlogs/logGroupsEncrypted.js +++ b/plugins/aws/cloudwatchlogs/logGroupsEncrypted.js @@ -26,6 +26,7 @@ module.exports = { default: 'Aqua-CSPM-Token-Rotator-Function,-CreateCSPMKeyFunction-,-TriggerDiscoveryFunction-,-GenerateVolumeScanningEx-,-GenerateCSPMExternalIdFu-' } }, + realtime_triggers: ['CloudWatchLogs:createLogGroup', 'CloudWatchLogs:associateKmsKey'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudwatchlogs/logRetentionPeriod.js b/plugins/aws/cloudwatchlogs/logRetentionPeriod.js index 4080943781..ee8f0f0276 100644 --- a/plugins/aws/cloudwatchlogs/logRetentionPeriod.js +++ b/plugins/aws/cloudwatchlogs/logRetentionPeriod.js @@ -18,6 +18,7 @@ module.exports = { default: '90' } }, + realtime_triggers: ['CloudWatchLogs:createLogGroup', 'CloudWatchLogs:putRetentionPolicy'], run: function(cache, settings, callback) { var config = { 
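Review bot: logGroupsEncrypted triggers on `CloudWatchLogs:associateKmsKey` but not on `CloudWatchLogs:disassociateKmsKey`, which is the one event that turns a compliant log group into a non-compliant one; the check would only be re-run when encryption is added, not when it is removed. Suggest `realtime_triggers: ['CloudWatchLogs:createLogGroup', 'CloudWatchLogs:associateKmsKey', 'CloudWatchLogs:disassociateKmsKey'],`. The enclosing `module.exports` object starts and ends outside the hunk.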
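Review bot: logRetentionPeriod lists `CloudWatchLogs:putRetentionPolicy` but not `CloudWatchLogs:deleteRetentionPolicy`, so resetting a log group to never-expire (the failure case this plugin exists to catch) does not trigger a re-evaluation. Suggest `realtime_triggers: ['CloudWatchLogs:createLogGroup', 'CloudWatchLogs:putRetentionPolicy', 'CloudWatchLogs:deleteRetentionPolicy'],`. The `module.exports` object continues outside the hunk.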
diff --git a/plugins/aws/cloudwatchlogs/monitoringMetrics.js b/plugins/aws/cloudwatchlogs/monitoringMetrics.js index 7f3a00c1da..59872407e7 100644 --- a/plugins/aws/cloudwatchlogs/monitoringMetrics.js +++ b/plugins/aws/cloudwatchlogs/monitoringMetrics.js @@ -76,6 +76,7 @@ module.exports = { compliance: { cis1: '3.0 Monitoring metrics are enabled' }, + realtime_triggers: ['CloudWatchLogs:createLogGroup', 'CloudWatchLogs:putMetricFilter'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/codeartifact/codeartifactDomainEncrypted.js b/plugins/aws/codeartifact/codeartifactDomainEncrypted.js index b972dc0642..c730cf4072 100644 --- a/plugins/aws/codeartifact/codeartifactDomainEncrypted.js +++ b/plugins/aws/codeartifact/codeartifactDomainEncrypted.js @@ -19,6 +19,7 @@ module.exports = { default: 'awscmk', } }, + realtime_triggers: ['CodeArtifact:createDomain', 'CodeArtifact:deleteDomain'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/codebuild/codebuildValidSourceProviders.js b/plugins/aws/codebuild/codebuildValidSourceProviders.js index e19c90acec..5ca91b7b77 100644 --- a/plugins/aws/codebuild/codebuildValidSourceProviders.js +++ b/plugins/aws/codebuild/codebuildValidSourceProviders.js @@ -18,6 +18,7 @@ module.exports = { default: '' } }, + realtime_triggers: ['CodeBuild:createProject', 'CodeBuild:updateProject'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/codebuild/projectArtifactsEncrypted.js b/plugins/aws/codebuild/projectArtifactsEncrypted.js index 6978b28788..54a43d0c9b 100644 --- a/plugins/aws/codebuild/projectArtifactsEncrypted.js +++ b/plugins/aws/codebuild/projectArtifactsEncrypted.js @@ -19,6 +19,7 @@ module.exports = { default: 'awscmk', } }, + realtime_triggers: ['CodeBuild:createProject', 'CodeBuild:updateProject'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/codepipeline/pipelineArtifactsEncrypted.js b/plugins/aws/codepipeline/pipelineArtifactsEncrypted.js index 002e655e7e..230c063411 100644 --- a/plugins/aws/codepipeline/pipelineArtifactsEncrypted.js +++ b/plugins/aws/codepipeline/pipelineArtifactsEncrypted.js @@ -20,6 +20,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['CodePipeline:createPipeline', 'CodePipeline:updatePipeline'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/codestar/codestarValidRepoProviders.js b/plugins/aws/codestar/codestarValidRepoProviders.js index a5b81eb905..10d1cf9a2a 100644 --- a/plugins/aws/codestar/codestarValidRepoProviders.js +++ b/plugins/aws/codestar/codestarValidRepoProviders.js @@ -18,6 +18,7 @@ module.exports = { default: '' } }, + realtime_triggers: ['CodeStar:createProject','CodeStar:updateProject'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.js b/plugins/aws/cognito/cognitoHasWafEnabled.js index f045eab37b..0300236552 100644 --- a/plugins/aws/cognito/cognitoHasWafEnabled.js +++ b/plugins/aws/cognito/cognitoHasWafEnabled.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html', recommended_action: '1. Enter the Cognito service. 2. Enter user pools and enable WAF from properties.', apis: ['CognitoIdentityServiceProvider:listUserPools', 'WAFV2:getWebACLForCognitoUserPool', 'STS:getCallerIdentity'], + realtime_triggers: ['CognitoIdentityServiceProvider:createUserPool','CognitoIdentityServiceProvider:updateUserPool'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cognito/cognitoMFAEnabled.js b/plugins/aws/cognito/cognitoMFAEnabled.js index 83ac31fda1..05c459cce9 100644 --- a/plugins/aws/cognito/cognitoMFAEnabled.js +++ b/plugins/aws/cognito/cognitoMFAEnabled.js 
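Review bot: In cognitoHasWafEnabled the triggers are `createUserPool`/`updateUserPool`, but the state this plugin reads comes from `WAFV2:getWebACLForCognitoUserPool` (visible in `apis` above), and a WAF association is created or removed with WAFV2 `AssociateWebACL`/`DisassociateWebACL`, not by updating the user pool. As written, disassociating the web ACL would not re-run the check. Suggest `realtime_triggers: ['CognitoIdentityServiceProvider:createUserPool', 'WAFV2:associateWebACL', 'WAFV2:disassociateWebACL'],`. The `module.exports` object continues outside the hunk.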
@@ -10,6 +10,8 @@ module.exports = { link: 'https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html', recommended_action: '1. Enter the Cognito service. 2. Enter user pools and enable MFA from sign in experience.', apis: ['CognitoIdentityServiceProvider:listUserPools', 'CognitoIdentityServiceProvider:describeUserPool', 'STS:getCallerIdentity'], + realtime_triggers: ['CognitoIdentityServiceProvider:createUserPool','CognitoIdentityServiceProvider:updateUserPool'], + run: function(cache, settings, callback) { var results = []; var source = {}; diff --git a/plugins/aws/comprehend/outputResultEncryption.js b/plugins/aws/comprehend/outputResultEncryption.js index d62b645503..ff02147ad4 100644 --- a/plugins/aws/comprehend/outputResultEncryption.js +++ b/plugins/aws/comprehend/outputResultEncryption.js @@ -11,6 +11,7 @@ module.exports = { recommended_action: 'Enable output result encryption for the Comprehend job', apis: ['Comprehend:listEntitiesDetectionJobs', 'Comprehend:listDominantLanguageDetectionJobs', 'Comprehend:listTopicsDetectionJobs', 'Comprehend:listDocumentClassificationJobs', 'Comprehend:listKeyPhrasesDetectionJobs', 'Comprehend:listSentimentDetectionJobs'], + realtime_triggers: ['Comprehend:startEntitiesDetectionJob'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/comprehend/volumeEncryption.js b/plugins/aws/comprehend/volumeEncryption.js index a44705bcfe..7333a87afd 100644 --- a/plugins/aws/comprehend/volumeEncryption.js +++ b/plugins/aws/comprehend/volumeEncryption.js 
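Review bot: outputResultEncryption inspects six Comprehend job types (the `apis` line above lists entities, dominant-language, topics, document-classification, key-phrases and sentiment jobs) but the added trigger covers only `Comprehend:startEntitiesDetectionJob`, so an unencrypted job of any other type is not picked up in real time. Suggest `realtime_triggers: ['Comprehend:startEntitiesDetectionJob', 'Comprehend:startDominantLanguageDetectionJob', 'Comprehend:startTopicsDetectionJob', 'Comprehend:startDocumentClassificationJob', 'Comprehend:startKeyPhrasesDetectionJob', 'Comprehend:startSentimentDetectionJob'],`. The `module.exports` object continues outside the hunk.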
@@ -11,6 +11,7 @@ module.exports = { recommended_action: 'Enable volume encryption for the Comprehend job', apis: ['Comprehend:listEntitiesDetectionJobs', 'Comprehend:listDominantLanguageDetectionJobs', 'Comprehend:listTopicsDetectionJobs', 'Comprehend:listDocumentClassificationJobs', 'Comprehend:listKeyPhrasesDetectionJobs', 'Comprehend:listSentimentDetectionJobs'], + realtime_triggers: ['Comprehend:startEntitiesDetectionJob'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/computeoptimizer/asgOptimized.js b/plugins/aws/computeoptimizer/asgOptimized.js index 1fe6ef2dfe..3751d3a102 100644 --- a/plugins/aws/computeoptimizer/asgOptimized.js +++ b/plugins/aws/computeoptimizer/asgOptimized.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/compute-optimizer/latest/ug/view-asg-recommendations.html', recommended_action: 'Resolve Compute Optimizer recommendations for Auto Scaling groups.', apis: ['ComputeOptimizer:getRecommendationSummaries'], + realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:updateAutoScalingGroup','AutoScaling:startInstanceRefresh'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/computeoptimizer/ebsVolumesOptimized.js b/plugins/aws/computeoptimizer/ebsVolumesOptimized.js index d00f4a6be1..f4d5873303 100644 --- a/plugins/aws/computeoptimizer/ebsVolumesOptimized.js +++ b/plugins/aws/computeoptimizer/ebsVolumesOptimized.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/compute-optimizer/latest/ug/view-ebs-recommendations.html', recommended_action: 'Resolve Compute Optimizer recommendations for EBS volumes.', apis: ['ComputeOptimizer:getRecommendationSummaries'], + realtime_triggers: ['EC2:createVolume','EC2:modifyVolume'], run: function(cache, settings, callback) { var results = []; 
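Review bot: volumeEncryption has the same gap as its sibling: the `apis` list enumerates six Comprehend job-listing calls while `realtime_triggers` names only `Comprehend:startEntitiesDetectionJob`. Add the matching `start*Job` event for each listed job type (dominant-language, topics, document-classification, key-phrases, sentiment) so the check runs for every job kind it evaluates. The hunk header for this file is on the preceding line and the `module.exports` object continues outside the hunk.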
diff --git a/plugins/aws/computeoptimizer/ec2InstancesOptimized.js b/plugins/aws/computeoptimizer/ec2InstancesOptimized.js index ff50a04dd8..0e0e951ac4 100644 --- a/plugins/aws/computeoptimizer/ec2InstancesOptimized.js +++ b/plugins/aws/computeoptimizer/ec2InstancesOptimized.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/compute-optimizer/latest/ug/view-ec2-recommendations.html', recommended_action: 'Resolve Compute Optimizer recommendations for EC2 instances.', apis: ['ComputeOptimizer:getRecommendationSummaries'], + realtime_triggers: ['EC2:runInstances','EC2:modifyInstanceAttribute','EC2:startInstances'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/computeoptimizer/lambdaFunctionsOptimized.js b/plugins/aws/computeoptimizer/lambdaFunctionsOptimized.js index 919039ee86..0e1b49731d 100644 --- a/plugins/aws/computeoptimizer/lambdaFunctionsOptimized.js +++ b/plugins/aws/computeoptimizer/lambdaFunctionsOptimized.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/compute-optimizer/latest/ug/view-lambda-recommendations.html', recommended_action: 'Resolve Compute Optimizer recommendations for Lambda functions.', apis: ['ComputeOptimizer:getRecommendationSummaries'], + realtime_triggers: ['Lambda:createFunction','Lambda:updateFunctionConfiguration'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/computeoptimizer/optimizerRecommendationsEnabled.js b/plugins/aws/computeoptimizer/optimizerRecommendationsEnabled.js index 209d770ade..8f7f0ef549 100644 --- a/plugins/aws/computeoptimizer/optimizerRecommendationsEnabled.js +++ b/plugins/aws/computeoptimizer/optimizerRecommendationsEnabled.js 
@@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/compute-optimizer/latest/ug/what-is-compute-optimizer.html', recommended_action: 'Enable Compute Optimizer Opt In options for current of all AWS account in your organization.', apis: ['ComputeOptimizer:getRecommendationSummaries'], + realtime_triggers: ['ComputeOptimizer:updateEnrollmentStatus'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/configservice/configComplaintRules.js b/plugins/aws/configservice/configComplaintRules.js index c8594c7b20..8e900bf622 100644 --- a/plugins/aws/configservice/configComplaintRules.js +++ b/plugins/aws/configservice/configComplaintRules.js @@ -11,6 +11,7 @@ module.exports = { recommended_action: 'Enable the AWS Config Service rules for compliance checks and close security gaps.', link: 'https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html', apis: ['ConfigService:describeConfigRules', 'ConfigService:getComplianceDetailsByConfigRule'], + realtime_triggers: ['ConfigService:startConfigurationRecorder','ConfigService:putConfigRule'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/configservice/configDeliveryFailing.js b/plugins/aws/configservice/configDeliveryFailing.js index 599cd853ae..d4fc02edc7 100644 --- a/plugins/aws/configservice/configDeliveryFailing.js +++ b/plugins/aws/configservice/configDeliveryFailing.js @@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Configure AWS Config log files to be delivered without any failures to designated S3 bucket.', link: 'https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html', apis: ['ConfigService:describeConfigurationRecorderStatus'], + realtime_triggers: ['ConfigService:startConfigurationRecorder','ConfigService:putDeliveryChannel'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/configservice/configServiceEnabled.js b/plugins/aws/configservice/configServiceEnabled.js index f0fefc094b..5e6239fb12 100644 --- a/plugins/aws/configservice/configServiceEnabled.js +++ b/plugins/aws/configservice/configServiceEnabled.js @@ -17,6 +17,7 @@ module.exports = { 'could introduce security risks.', cis1: '2.5 Ensure AWS Config is enabled in all regions' }, + realtime_triggers: ['ConfigService:startConfigurationRecorder','ConfigService:stopConfigurationRecorder'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/configservice/configServiceMissingBucket.js b/plugins/aws/configservice/configServiceMissingBucket.js index fcb11ac10b..782f940e0a 100644 --- a/plugins/aws/configservice/configServiceMissingBucket.js +++ b/plugins/aws/configservice/configServiceMissingBucket.js @@ -11,6 +11,7 @@ module.exports = { recommended_action: 'Ensure that Amazon Config service is referencing an active S3 bucket in order to save configuration information.', link: 'https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html', apis: ['S3:listBuckets', 'ConfigService:describeDeliveryChannels', 'S3:headBucket'], + realtime_triggers: ['ConfigService:startConfigurationRecorder','ConfigService:putDeliveryChannel'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/configservice/servicesInUse.js b/plugins/aws/configservice/servicesInUse.js index 50abc8afce..bf7bd8b2c8 100644 --- a/plugins/aws/configservice/servicesInUse.js +++ b/plugins/aws/configservice/servicesInUse.js @@ -25,6 +25,7 @@ module.exports = { default:'' }, }, + realtime_triggers: ['ConfigService:startConfigurationRecorder','ConfigService:startConfigRulesEvaluation'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/devopsguru/devOpsGuruNotificationEnabled.js b/plugins/aws/devopsguru/devOpsGuruNotificationEnabled.js index 63bb52c514..bf463f5041 100644 
--- a/plugins/aws/devopsguru/devOpsGuruNotificationEnabled.js +++ b/plugins/aws/devopsguru/devOpsGuruNotificationEnabled.js @@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Add a notification channel to DevOps Guru', link: 'https://docs.aws.amazon.com/devops-guru/latest/userguide/setting-up.html', apis: ['DevOpsGuru:listNotificationChannels'], + realtime_triggers: ['DevOpsGuru:addNotificationChannel'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/dms/autoMinorVersionUpgrade.js b/plugins/aws/dms/autoMinorVersionUpgrade.js index 0133417ef0..e48003d580 100644 --- a/plugins/aws/dms/autoMinorVersionUpgrade.js +++ b/plugins/aws/dms/autoMinorVersionUpgrade.js @@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Enable Auto Minor Version Upgrade feature in order to automatically receive minor engine upgrades for improved performance and security', link: 'https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.Modifying.html', apis: ['DMS:describeReplicationInstances'], + realtime_triggers: ['DMS:createReplicationInstance','DMS:modifyReplicationInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/dms/dmsEncryptionEnabled.js b/plugins/aws/dms/dmsEncryptionEnabled.js index 102772e0ba..c423d9fb39 100644 --- a/plugins/aws/dms/dmsEncryptionEnabled.js +++ b/plugins/aws/dms/dmsEncryptionEnabled.js @@ -29,6 +29,7 @@ module.exports = { default: false } }, + realtime_triggers: ['DMS:createReplicationInstance'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/dms/dmsMultiAZFeatureEnabled.js b/plugins/aws/dms/dmsMultiAZFeatureEnabled.js index b5c4033c23..554959e1f0 100644 --- a/plugins/aws/dms/dmsMultiAZFeatureEnabled.js +++ b/plugins/aws/dms/dmsMultiAZFeatureEnabled.js 
@@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Enable Multi-AZ deployment feature in order to get high availability and failover support', link: 'https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.html', apis: ['DMS:describeReplicationInstances'], + realtime_triggers: ['DMS:createReplicationInstance','DMS:modifyReplicationInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/dms/dmsPubliclyAccessibleInstances.js b/plugins/aws/dms/dmsPubliclyAccessibleInstances.js index f1ae262e49..adf4cdeb71 100644 --- a/plugins/aws/dms/dmsPubliclyAccessibleInstances.js +++ b/plugins/aws/dms/dmsPubliclyAccessibleInstances.js @@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Ensure that DMS replication instances have only private IP address and not public IP address', link: 'https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.PublicPrivate.html', apis: ['DMS:describeReplicationInstances'], + realtime_triggers: ['DMS:createReplicationInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/documentDB/docdbClusterBackupRetention.js b/plugins/aws/documentDB/docdbClusterBackupRetention.js index 14b04684b2..fdd57ae1df 100644 --- a/plugins/aws/documentDB/docdbClusterBackupRetention.js +++ b/plugins/aws/documentDB/docdbClusterBackupRetention.js @@ -18,6 +18,7 @@ module.exports = { default: 7 } }, + realtime_triggers: ['DocDB:createDBCluster','DocDB:modifyDBCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/documentDB/docdbClusterEncrypted.js b/plugins/aws/documentDB/docdbClusterEncrypted.js index 9626596258..269efff794 100644 --- a/plugins/aws/documentDB/docdbClusterEncrypted.js +++ b/plugins/aws/documentDB/docdbClusterEncrypted.js 
@@ -19,6 +19,7 @@ module.exports = { default: 'awscmk', } }, + realtime_triggers: ['DocDB:createDBCluster','DocDB:createDBInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/dynamodb/daxClusterEncryption.js b/plugins/aws/dynamodb/daxClusterEncryption.js index 4c185620cc..0ae7b3c373 100644 --- a/plugins/aws/dynamodb/daxClusterEncryption.js +++ b/plugins/aws/dynamodb/daxClusterEncryption.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAXEncryptionAtRest.html', recommended_action: 'Enable encryption for DAX cluster.', apis: ['DAX:describeClusters'], + realtime_triggers: ['DAX:createCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/dynamodb/dynamoContinuousBackups.js b/plugins/aws/dynamodb/dynamoContinuousBackups.js index 12778dbdba..838fb12ab8 100644 --- a/plugins/aws/dynamodb/dynamoContinuousBackups.js +++ b/plugins/aws/dynamodb/dynamoContinuousBackups.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://aws.amazon.com/blogs/aws/new-amazon-dynamodb-continuous-backups-and-point-in-time-recovery-pitr/', recommended_action: 'Enable Continuous Backups and Point-In-Time Recovery (PITR) features.', apis: ['DynamoDB:listTables', 'DynamoDB:describeContinuousBackups', 'STS:getCallerIdentity'], + realtime_triggers: ['DynamoDB:createTable','DynamoDB:updateContinuousBackups'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/dynamodb/dynamoTableBackupExists.js b/plugins/aws/dynamodb/dynamoTableBackupExists.js index 29c79cd5b3..db800ecdaa 100644 --- a/plugins/aws/dynamodb/dynamoTableBackupExists.js +++ b/plugins/aws/dynamodb/dynamoTableBackupExists.js 
@@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/BackupRestore.html', recommended_action: 'Create on-demand backups for DynamoDB tables.', apis: ['DynamoDB:listTables', 'DynamoDB:listBackups', 'STS:getCallerIdentity'], + realtime_triggers: ['DynamoDB:createTable','DynamoDB:createBackup'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/dynamodb/dynamoTableHasTags.js b/plugins/aws/dynamodb/dynamoTableHasTags.js index 29fcbca951..3f06cb6f11 100644 --- a/plugins/aws/dynamodb/dynamoTableHasTags.js +++ b/plugins/aws/dynamodb/dynamoTableHasTags.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Tagging.html', recommended_action: 'Modify DynamoDB table and add tags.', apis: ['DynamoDB:listTables', 'ResourceGroupsTaggingAPI:getResources', 'STS:getCallerIdentity'], + realtime_triggers: ['DynamoDB:createTable','DynamoDB:tagResource','DynamoDB:untagResource'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/dynamodb/dynamoUnusedTable.js b/plugins/aws/dynamodb/dynamoUnusedTable.js index 960b69d312..ce6ded72ed 100644 --- a/plugins/aws/dynamodb/dynamoUnusedTable.js +++ b/plugins/aws/dynamodb/dynamoUnusedTable.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/WorkingWithTables.Basics.html', recommended_action: 'Remove unused tables if you no longer need them.', apis: ['DynamoDB:listTables', 'DynamoDB:describeTable', 'STS:getCallerIdentity'], + realtime_triggers: ['DynamoDB:createTable','DynamoDB:deleteTable'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/accessKeysExtra.js b/plugins/aws/iam/accessKeysExtra.js index 10a957f53f..8e1fd07027 100644 --- a/plugins/aws/iam/accessKeysExtra.js +++ b/plugins/aws/iam/accessKeysExtra.js 
@@ -27,6 +27,8 @@ module.exports = { } ] }, + realtime_triggers: ['IAM:createAccessKey,IAM:deleteAccessKey'], + run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/accessKeysLastUsed.js b/plugins/aws/iam/accessKeysLastUsed.js index c6ac135352..f11d5dc38e 100644 --- a/plugins/aws/iam/accessKeysLastUsed.js +++ b/plugins/aws/iam/accessKeysLastUsed.js @@ -41,6 +41,7 @@ module.exports = { } ] }, + realtime_triggers: ['IAM:deleteAccessKey'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/accessKeysRotated.js b/plugins/aws/iam/accessKeysRotated.js index 406c8b3b3e..90d9e61bbd 100644 --- a/plugins/aws/iam/accessKeysRotated.js +++ b/plugins/aws/iam/accessKeysRotated.js @@ -33,6 +33,7 @@ module.exports = { default: 90 } }, + realtime_triggers: ['IAM:createAccessKey,IAM:deleteAccessKey'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/canaryKeysUsed.js b/plugins/aws/iam/canaryKeysUsed.js index fe0baae14b..8054a99629 100644 --- a/plugins/aws/iam/canaryKeysUsed.js +++ b/plugins/aws/iam/canaryKeysUsed.js @@ -32,6 +32,8 @@ module.exports = { } ] }, + realtime_triggers: ['IAM:createUser'], + run: function(cache, settings, callback) { var config = { canary_user: settings.canary_user || this.settings.canary_user.default diff --git a/plugins/aws/iam/certificateExpiry.js b/plugins/aws/iam/certificateExpiry.js index 18a57e777a..5080112e09 100644 --- a/plugins/aws/iam/certificateExpiry.js +++ b/plugins/aws/iam/certificateExpiry.js @@ -35,6 +35,7 @@ module.exports = { } ] }, + realtime_triggers: ['IAM:uploadServerCertificate,ELB:setLoadBalancerListenerSSLCertificate'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/crossAccountMfaExtIdAccess.js b/plugins/aws/iam/crossAccountMfaExtIdAccess.js index e59ffaa612..3c376490ec 100644 --- a/plugins/aws/iam/crossAccountMfaExtIdAccess.js +++ b/plugins/aws/iam/crossAccountMfaExtIdAccess.js 
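Review bot: accessKeysExtra's `realtime_triggers: ['IAM:createAccessKey,IAM:deleteAccessKey']` is a one-element array holding a comma-joined string, not two event names, so neither `IAM:createAccessKey` nor `IAM:deleteAccessKey` will ever match an exact-string comparison and the plugin is effectively untriggerable. It should be `realtime_triggers: ['IAM:createAccessKey', 'IAM:deleteAccessKey'],`. The same quoting mistake recurs in accessKeysRotated and certificateExpiry on this line and in every IAM hunk that follows; a unit test asserting that each element of `realtime_triggers` matches `/^[A-Za-z0-9]+:[A-Za-z0-9]+$/` would have caught it. The `module.exports` object continues outside the hunk.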
@@ -9,6 +9,7 @@ module.exports = { link: 'https://aws.amazon.com/blogs/aws/mfa-protection-for-cross-account-access/', recommended_action: 'Update the IAM role to either require MFA or use an external ID.', apis: ['IAM:listRoles', 'STS:getCallerIdentity'], + realtime_triggers: ['IAM:createRole,IAM:updateAssumeRolePolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/emptyGroups.js b/plugins/aws/iam/emptyGroups.js index 5b520cce5b..3209c0a826 100644 --- a/plugins/aws/iam/emptyGroups.js +++ b/plugins/aws/iam/emptyGroups.js @@ -22,6 +22,7 @@ module.exports = { } ] }, + realtime_triggers: ['IAM:createGroup,IAM:deleteGroup'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/groupInlinePolicies.js b/plugins/aws/iam/groupInlinePolicies.js index 194b9e75ad..7d2b7e32fd 100644 --- a/plugins/aws/iam/groupInlinePolicies.js +++ b/plugins/aws/iam/groupInlinePolicies.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html', recommended_action: 'Remove inline policies attached to groups', apis: ['IAM:listGroups', 'IAM:listGroupPolicies'], + realtime_triggers: ['IAM:createPolicy,IAM:deleteGroupPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/iamMasterManagerRoles.js b/plugins/aws/iam/iamMasterManagerRoles.js index 8bbb62995e..5c6a748b78 100644 --- a/plugins/aws/iam/iamMasterManagerRoles.js +++ b/plugins/aws/iam/iamMasterManagerRoles.js @@ -129,6 +129,7 @@ module.exports = { default: '' } }, + realtime_triggers: ['IAM:createRole'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/iamPoliciesPresent.js b/plugins/aws/iam/iamPoliciesPresent.js index 2a11993f7b..b3861c67a3 100644 --- a/plugins/aws/iam/iamPoliciesPresent.js +++ b/plugins/aws/iam/iamPoliciesPresent.js 
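Review bot: groupInlinePolicies triggers on `IAM:createPolicy`, which creates a customer-managed policy and has no effect on inline group policies; the event that writes an inline policy to a group is `PutGroupPolicy`. The entry is also a single comma-joined string (`'IAM:createPolicy,IAM:deleteGroupPolicy'`) rather than two array elements, so it would not match either event as written. Suggest `realtime_triggers: ['IAM:putGroupPolicy', 'IAM:deleteGroupPolicy'],`. The same comma-joined-string problem applies to crossAccountMfaExtIdAccess and emptyGroups on this line; for emptyGroups, `addUserToGroup`/`removeUserFromGroup` are the events that change whether a group is empty. The `module.exports` object continues outside the hunk.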
@@ -18,6 +18,7 @@ module.exports = { default: '' } }, + realtime_triggers: ['IAM:createPolicy,IAM:createPolicyVersion,IAM:putRolePolicy,IAM:updateAssumeRolePolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/iamRoleHasTags.js b/plugins/aws/iam/iamRoleHasTags.js index cfd022211f..4ded449a96 100644 --- a/plugins/aws/iam/iamRoleHasTags.js +++ b/plugins/aws/iam/iamRoleHasTags.js @@ -9,6 +9,8 @@ module.exports = { link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html', recommended_action: 'Modify Roles to add tags.', apis: ['IAM:listRoles', 'IAM:getRole'], + realtime_triggers: ['IAM:createRole,IAM:tagRole,IAM:untagRole'], + run: function(cache, settings, callback) { var results = []; var source = {}; diff --git a/plugins/aws/iam/iamRoleLastUsed.js b/plugins/aws/iam/iamRoleLastUsed.js index b5c8e90bac..84c7f95025 100644 --- a/plugins/aws/iam/iamRoleLastUsed.js +++ b/plugins/aws/iam/iamRoleLastUsed.js @@ -54,6 +54,7 @@ module.exports = { } ] }, + realtime_triggers: ['IAM:createRole,IAM:deleteRole'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/iamRolePolicies.js b/plugins/aws/iam/iamRolePolicies.js index 3cba37feb9..2d1d36d974 100644 --- a/plugins/aws/iam/iamRolePolicies.js +++ b/plugins/aws/iam/iamRolePolicies.js @@ -82,6 +82,7 @@ module.exports = { default: 'false' } }, + realtime_triggers: ['IAM:createPolicy,IAM:createPolicyVersion,IAM:putRolePolicy,IAM:updateAssumeRolePolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/iamSupportPolicy.js b/plugins/aws/iam/iamSupportPolicy.js index d0d4dc50ad..9f455d8d92 100644 --- a/plugins/aws/iam/iamSupportPolicy.js +++ b/plugins/aws/iam/iamSupportPolicy.js 
@@ -9,6 +9,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html', recommended_action: 'Ensure that an IAM role has permission to access support center.', apis: ['IAM:listPolicies'], + realtime_triggers: ['IAM:createPolicy,IAM:createPolicyVersion'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/iamUserAdmins.js b/plugins/aws/iam/iamUserAdmins.js index 03ca14226d..fa727f6c4c 100644 --- a/plugins/aws/iam/iamUserAdmins.js +++ b/plugins/aws/iam/iamUserAdmins.js @@ -33,6 +33,7 @@ module.exports = { default: 2 } }, + realtime_triggers: ['IAM:addUserToGroup,IAM:removeUserFromGroup,IAM:attachGroupPolicy,IAM:detachGroupPolicy,IAM:attachUserPolicy,IAM:detachUserPolicy,IAM:putUserPolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/iamUserHasTags.js b/plugins/aws/iam/iamUserHasTags.js index 7600632a59..0320cefec9 100644 --- a/plugins/aws/iam/iamUserHasTags.js +++ b/plugins/aws/iam/iamUserHasTags.js @@ -9,6 +9,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags_users.html', recommended_action: 'Modify IAM User and add tags', apis: ['IAM:listUsers', 'IAM:getUser'], + realtime_triggers: ['IAM:createUser,IAM:tagUser,IAM:untagUser'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/iamUserInUse.js b/plugins/aws/iam/iamUserInUse.js index ba4b9cb81e..eb456b9867 100644 --- a/plugins/aws/iam/iamUserInUse.js +++ b/plugins/aws/iam/iamUserInUse.js @@ -17,6 +17,7 @@ module.exports = { default: '15' } }, + realtime_triggers: ['IAM:createUser,IAM:deleteUser'], run: function(cache, settings, callback) { const config = { diff --git a/plugins/aws/iam/iamUserNameRegex.js b/plugins/aws/iam/iamUserNameRegex.js index 78c5592319..b4cd32a785 100644 --- a/plugins/aws/iam/iamUserNameRegex.js +++ b/plugins/aws/iam/iamUserNameRegex.js 
@@ -30,6 +30,7 @@ module.exports = { } ] }, + realtime_triggers: ['IAM:createUser,IAM:deleteUser,IAM:updateUser'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/iamUserNotInUse.js b/plugins/aws/iam/iamUserNotInUse.js index 1eb5984525..8fc8f51568 100644 --- a/plugins/aws/iam/iamUserNotInUse.js +++ b/plugins/aws/iam/iamUserNotInUse.js @@ -17,6 +17,7 @@ module.exports = { default: '90' } }, + realtime_triggers: ['IAM:createUser,IAM:deleteUser'], run: function(cache, settings, callback) { const config = { diff --git a/plugins/aws/iam/iamUserPresent.js b/plugins/aws/iam/iamUserPresent.js index fc5abc8067..35be2f0767 100644 --- a/plugins/aws/iam/iamUserPresent.js +++ b/plugins/aws/iam/iamUserPresent.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html', recommended_action: 'Create IAM user(s) and use them to access AWS services and resources.', apis: ['IAM:listUsers'], + realtime_triggers: ['IAM:createUser'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/iamUserUnauthorizedToEdit.js b/plugins/aws/iam/iamUserUnauthorizedToEdit.js index 7912ef5865..f6fcdf6b84 100644 --- a/plugins/aws/iam/iamUserUnauthorizedToEdit.js +++ b/plugins/aws/iam/iamUserUnauthorizedToEdit.js @@ -45,6 +45,7 @@ module.exports = { default: '' } }, + realtime_triggers: ['IAM:addUserToGroup,IAM:removeUserFromGroup,IAM:attachGroupPolicy,IAM:detachGroupPolicy,IAM:attachUserPolicy,IAM:detachUserPolicy,IAM:putUserPolicy'], run: function(cache, settings, callback) { var whitelisted_users = settings.iam_authorized_user_arns || this.settings.iam_authorized_user_arns.default; diff --git a/plugins/aws/iam/iamUserWithoutPermissions.js b/plugins/aws/iam/iamUserWithoutPermissions.js index 1f3fb414f3..d424eaf5ed 100644 --- a/plugins/aws/iam/iamUserWithoutPermissions.js +++ b/plugins/aws/iam/iamUserWithoutPermissions.js 
@@ -11,6 +11,7 @@ module.exports = { recommended_action: 'Modify IAM user and attach new permissions or delete the user.', apis: ['IAM:listUsers', 'IAM:listUserPolicies', 'IAM:listAttachedUserPolicies', 'IAM:getPolicyVersion' ,'IAM:listGroupsForUser', 'IAM:listGroups', 'IAM:listGroupPolicies', 'IAM:listAttachedGroupPolicies'], + realtime_triggers: ['IAM:addUserToGroup,IAM:removeUserFromGroup,IAM:attachGroupPolicy,IAM:detachGroupPolicy,IAM:attachUserPolicy,IAM:detachUserPolicy,IAM:putUserPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/maxPasswordAge.js b/plugins/aws/iam/maxPasswordAge.js index f0acefe6b4..e8d662f229 100644 --- a/plugins/aws/iam/maxPasswordAge.js +++ b/plugins/aws/iam/maxPasswordAge.js @@ -58,6 +58,8 @@ module.exports = { } ] }, + realtime_triggers: ['IAM:updateAccountPasswordPolicy'], + run: function(cache, settings, callback) { var config = { max_password_age_fail: settings.max_password_age_fail || this.settings.max_password_age_fail.default, diff --git a/plugins/aws/iam/minPasswordLength.js b/plugins/aws/iam/minPasswordLength.js index f227d81621..a9a0f4f933 100644 --- a/plugins/aws/iam/minPasswordLength.js +++ b/plugins/aws/iam/minPasswordLength.js @@ -59,6 +59,7 @@ module.exports = { } ] }, + realtime_triggers: ['IAM:updateAccountPasswordPolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/noUserIamPolicies.js b/plugins/aws/iam/noUserIamPolicies.js index 2d4c81f303..4ed3bced74 100644 --- a/plugins/aws/iam/noUserIamPolicies.js +++ b/plugins/aws/iam/noUserIamPolicies.js @@ -13,6 +13,7 @@ module.exports = { compliance: { cis1: '1.16 Ensure IAM policies are attached only to groups or roles' }, + realtime_triggers: ['IAM:attachUserPolicy,IAM:detachUserPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/passwordExpiration.js b/plugins/aws/iam/passwordExpiration.js index a9e15b242b..a024448deb 100644 
--- a/plugins/aws/iam/passwordExpiration.js +++ b/plugins/aws/iam/passwordExpiration.js @@ -39,6 +39,7 @@ module.exports = { } ] }, + realtime_triggers: ['IAM:updateAccountPasswordPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/passwordPolicyExists.js b/plugins/aws/iam/passwordPolicyExists.js index 154bae986f..488c9d082a 100644 --- a/plugins/aws/iam/passwordPolicyExists.js +++ b/plugins/aws/iam/passwordPolicyExists.js @@ -9,6 +9,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html', recommended_action: 'Create a password policy under account settings in IAM', apis: ['IAM:getAccountPasswordPolicy'], + realtime_triggers: ['IAM:updateAccountPasswordPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/passwordRequiresLowercase.js b/plugins/aws/iam/passwordRequiresLowercase.js index bf2c04d1aa..88a1e258e1 100644 --- a/plugins/aws/iam/passwordRequiresLowercase.js +++ b/plugins/aws/iam/passwordRequiresLowercase.js @@ -27,6 +27,7 @@ module.exports = { 'requirements enforces this policy.', cis1: '1.6 Ensure IAM password policy require at least one lowercase letter' }, + realtime_triggers: ['IAM:updateAccountPasswordPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/passwordRequiresNumbers.js b/plugins/aws/iam/passwordRequiresNumbers.js index 076980e9bf..dcec0228d0 100644 --- a/plugins/aws/iam/passwordRequiresNumbers.js +++ b/plugins/aws/iam/passwordRequiresNumbers.js @@ -27,6 +27,7 @@ module.exports = { 'requirements enforces this policy.', cis1: '1.8 Ensure IAM password policy require at least one number' }, + realtime_triggers: ['IAM:updateAccountPasswordPolicy'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/iam/passwordRequiresSymbols.js b/plugins/aws/iam/passwordRequiresSymbols.js index af69e6ef01..e2f656068c 100644 --- a/plugins/aws/iam/passwordRequiresSymbols.js +++ b/plugins/aws/iam/passwordRequiresSymbols.js @@ -27,6 +27,7 @@ module.exports = { 'requirements enforces this policy.', cis1: '1.7 Ensure IAM password policy require at least one symbol' }, + realtime_triggers: ['IAM:updateAccountPasswordPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/passwordRequiresUppercase.js b/plugins/aws/iam/passwordRequiresUppercase.js index 7202ad2eac..0ec0b9758c 100644 --- a/plugins/aws/iam/passwordRequiresUppercase.js +++ b/plugins/aws/iam/passwordRequiresUppercase.js @@ -27,6 +27,7 @@ module.exports = { 'requirements enforces this policy.', cis1: '1.5 Ensure IAM password policy requires at least one uppercase letter' }, + realtime_triggers: ['IAM:updateAccountPasswordPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/passwordReusePrevention.js b/plugins/aws/iam/passwordReusePrevention.js index 5deb15a94b..c38e947201 100644 --- a/plugins/aws/iam/passwordReusePrevention.js +++ b/plugins/aws/iam/passwordReusePrevention.js @@ -47,6 +47,7 @@ module.exports = { default: 24 } }, + realtime_triggers: ['IAM:updateAccountPasswordPolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/policyAllowsToChangePassword.js b/plugins/aws/iam/policyAllowsToChangePassword.js index 677da59ab9..2d15150fdb 100644 --- a/plugins/aws/iam/policyAllowsToChangePassword.js +++ b/plugins/aws/iam/policyAllowsToChangePassword.js @@ -27,6 +27,7 @@ module.exports = { 'requirements enforces this policy.', cis1: '1.6 Ensure IAM password policy allows users to change their passwords' }, + realtime_triggers: ['IAM:updateAccountPasswordPolicy'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/iam/rolePolicyUnusedServices.js b/plugins/aws/iam/rolePolicyUnusedServices.js index 08109e1ac7..f9951a21fc 100644 --- a/plugins/aws/iam/rolePolicyUnusedServices.js +++ b/plugins/aws/iam/rolePolicyUnusedServices.js @@ -94,6 +94,7 @@ module.exports = { default: 'false' } }, + realtime_triggers: ['IAM:createPolicy,IAM:updatePolicy,IAM:putRolePolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/rootAccessKeys.js b/plugins/aws/iam/rootAccessKeys.js index 0e75b20b56..d1bc1b7347 100644 --- a/plugins/aws/iam/rootAccessKeys.js +++ b/plugins/aws/iam/rootAccessKeys.js @@ -16,6 +16,7 @@ module.exports = { 'should not be used.', cis1: '1.12 Ensure no root account access key exists' }, + realtime_triggers: ['IAM:createAccessKey,IAM:deleteAccessKey'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/rootAccountInUse.js b/plugins/aws/iam/rootAccountInUse.js index d980f62496..5353f8164e 100644 --- a/plugins/aws/iam/rootAccountInUse.js +++ b/plugins/aws/iam/rootAccountInUse.js @@ -27,6 +27,7 @@ module.exports = { default: 15 } }, + realtime_triggers: ['IAM:createUser'], run: function(cache, settings, callback) { this._run(cache, settings, callback, new Date()); diff --git a/plugins/aws/iam/rootHardwareMfa.js b/plugins/aws/iam/rootHardwareMfa.js index 3dd4d2a26c..5b449a376a 100644 --- a/plugins/aws/iam/rootHardwareMfa.js +++ b/plugins/aws/iam/rootHardwareMfa.js @@ -9,6 +9,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html', recommended_action: 'Enable a hardware MFA device for the root account and disable any virtual devices', apis: ['IAM:listVirtualMFADevices', 'IAM:getAccountSummary'], + realtime_triggers: ['IAM:enableMFADevice,IAM:deactivateMFADevice'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/iam/rootMfaEnabled.js b/plugins/aws/iam/rootMfaEnabled.js index 700df29757..01a403787e 100644 --- a/plugins/aws/iam/rootMfaEnabled.js +++ b/plugins/aws/iam/rootMfaEnabled.js @@ -15,6 +15,7 @@ module.exports = { 'a safe location for use as backup for named IAM users.', cis1: '1.13 Ensure MFA is enabled for the "root" account' }, + realtime_triggers: ['IAM:enableMFADevice,IAM:deactivateMFADevice'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/rootSigningCertificate.js b/plugins/aws/iam/rootSigningCertificate.js index bd96310ad2..c968a08401 100644 --- a/plugins/aws/iam/rootSigningCertificate.js +++ b/plugins/aws/iam/rootSigningCertificate.js @@ -15,6 +15,7 @@ module.exports = { 'since it is not tied to a specific user. The root signing keys ' + 'should not be used.' }, + realtime_triggers: ['IAM:deleteSigningCertificate'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/sshKeysRotated.js b/plugins/aws/iam/sshKeysRotated.js index bf6a4b40f9..5b5b7e3cd7 100644 --- a/plugins/aws/iam/sshKeysRotated.js +++ b/plugins/aws/iam/sshKeysRotated.js @@ -23,6 +23,7 @@ module.exports = { default: 180 } }, + realtime_triggers: ['IAM:uploadSSHPublicKey'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/trustedCrossAccountRoles.js b/plugins/aws/iam/trustedCrossAccountRoles.js index 93f5e8a932..a4211f4915 100644 --- a/plugins/aws/iam/trustedCrossAccountRoles.js +++ b/plugins/aws/iam/trustedCrossAccountRoles.js @@ -30,6 +30,7 @@ module.exports = { default: 'false' } }, + realtime_triggers: ['IAM:createRole,IAM:updateAssumeRolePolicy,IAM:deleteRole'], run: function(cache, settings, callback) { var config= { diff --git a/plugins/aws/iam/usersMfaEnabled.js b/plugins/aws/iam/usersMfaEnabled.js index 964e37f49f..e6cf593c4b 100644 --- a/plugins/aws/iam/usersMfaEnabled.js +++ b/plugins/aws/iam/usersMfaEnabled.js 
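Review bot: rootSigningCertificate.js gets `realtime_triggers: ['IAM:deleteSigningCertificate'],`, which only fires when a certificate is removed, so the event that produces the finding the plugin describes — a signing certificate being added to the root account — would not re-run the check. If the intent is to re-evaluate on both directions, the upload action presumably belongs alongside the delete: `realtime_triggers: ['IAM:uploadSigningCertificate', 'IAM:deleteSigningCertificate'],`. The `run` body is outside the hunk, so the exact condition is inferred from the plugin description.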
@@ -31,6 +31,7 @@ module.exports = { } ] }, + realtime_triggers: ['IAM:enableMFADevice,IAM:deactivateMFADevice'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/usersPasswordAndKeys.js b/plugins/aws/iam/usersPasswordAndKeys.js index ccb16e3407..1f8ff6286d 100644 --- a/plugins/aws/iam/usersPasswordAndKeys.js +++ b/plugins/aws/iam/usersPasswordAndKeys.js @@ -18,6 +18,7 @@ module.exports = { default: '^.*$' } }, + realtime_triggers: ['IAM:createAccessKey,IAM:deleteAccessKey'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/usersPasswordLastUsed.js b/plugins/aws/iam/usersPasswordLastUsed.js index 7d53e1b884..a3bf2a4e03 100644 --- a/plugins/aws/iam/usersPasswordLastUsed.js +++ b/plugins/aws/iam/usersPasswordLastUsed.js @@ -32,6 +32,7 @@ module.exports = { default: 90 } }, + realtime_triggers: ['IAM:createUser,IAM:deleteUser'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/imagebuilder/dockerfileTemplateEncrypted.js b/plugins/aws/imagebuilder/dockerfileTemplateEncrypted.js index 0b324b088a..47d282a498 100644 --- a/plugins/aws/imagebuilder/dockerfileTemplateEncrypted.js +++ b/plugins/aws/imagebuilder/dockerfileTemplateEncrypted.js @@ -20,6 +20,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['Imagebuilder:createContainerRecipe'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/imagebuilder/enhancedMetadataEnabled.js b/plugins/aws/imagebuilder/enhancedMetadataEnabled.js index 3559af7703..cfcf61f25d 100644 --- a/plugins/aws/imagebuilder/enhancedMetadataEnabled.js +++ b/plugins/aws/imagebuilder/enhancedMetadataEnabled.js 
@@ -11,6 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/imagebuilder/latest/userguide/start-build-image-pipeline.html', recommended_action: 'Enable enhanced metadata collection for image pipeline.', apis: ['Imagebuilder:listImagePipelines'], + realtime_triggers: ['Imagebuilder:createImagePipeline,Imagebuilder:updateImagePipeline'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/imagebuilder/imageRecipeVolumeEncrypted.js b/plugins/aws/imagebuilder/imageRecipeVolumeEncrypted.js index e87ca80d55..ae4af17183 100644 --- a/plugins/aws/imagebuilder/imageRecipeVolumeEncrypted.js +++ b/plugins/aws/imagebuilder/imageRecipeVolumeEncrypted.js @@ -20,6 +20,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['Imagebuilder:createImageRecipe'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/imagebuilder/imgBuilderComponentsEncrypted.js b/plugins/aws/imagebuilder/imgBuilderComponentsEncrypted.js index e3f7f8dca2..0da4cad8e8 100644 --- a/plugins/aws/imagebuilder/imgBuilderComponentsEncrypted.js +++ b/plugins/aws/imagebuilder/imgBuilderComponentsEncrypted.js @@ -20,6 +20,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['Imagebuilder:createComponent'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/imagebuilder/infraConfigNotificationEnabled.js b/plugins/aws/imagebuilder/infraConfigNotificationEnabled.js index b13a91273c..58ac575b5a 100644 --- a/plugins/aws/imagebuilder/infraConfigNotificationEnabled.js +++ b/plugins/aws/imagebuilder/infraConfigNotificationEnabled.js 
@@ -11,6 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/imagebuilder/latest/userguide/manage-infra-config.html', recommended_action: 'Enable SNS notification in EC2 Image Builder infrastructure configurations to get notified of any changes in the service.', apis: ['Imagebuilder:listInfrastructureConfigurations', 'Imagebuilder:getInfrastructureConfiguration'], + realtime_triggers: ['Imagebuilder:createInfrastructureConfiguration,Imagebuilder:updateInfrastructureConfiguration'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iotsitewise/iotsitewiseDataEncrypted.js b/plugins/aws/iotsitewise/iotsitewiseDataEncrypted.js index b955151d47..fc1c72660f 100644 --- a/plugins/aws/iotsitewise/iotsitewiseDataEncrypted.js +++ b/plugins/aws/iotsitewise/iotsitewiseDataEncrypted.js @@ -19,6 +19,7 @@ module.exports = { default: 'awscmk', } }, + realtime_triggers: ['Imagebuilder:putDefaultEncryptionConfiguration'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/kendra/kendraIndexEncrypted.js b/plugins/aws/kendra/kendraIndexEncrypted.js index 5f91c3261c..a3c9dcc4ed 100644 --- a/plugins/aws/kendra/kendraIndexEncrypted.js +++ b/plugins/aws/kendra/kendraIndexEncrypted.js @@ -18,6 +18,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['Kendra:createIndex,Kendra:updateIndex'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/kinesis/kinesisDataStreamsEncrypted.js b/plugins/aws/kinesis/kinesisDataStreamsEncrypted.js index 0e8836ac9c..926b04f5e3 100644 --- a/plugins/aws/kinesis/kinesisDataStreamsEncrypted.js +++ b/plugins/aws/kinesis/kinesisDataStreamsEncrypted.js @@ -20,6 +20,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['Kinesis:createStream,Kinesis:startStreamEncryption'], run: function(cache, settings, callback) { 
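Review bot: The iotsitewiseDataEncrypted.js hunk sets `realtime_triggers: ['Imagebuilder:putDefaultEncryptionConfiguration'],`, which names the Image Builder service although the file is an IoT SiteWise check; the prefix looks copied from the Image Builder hunks immediately above and would subscribe the plugin to an event that service never emits. If the IoT SiteWise PutDefaultEncryptionConfiguration action is the intended trigger, the entry should carry that service's prefix in whatever key the collector uses for it, e.g. `realtime_triggers: ['IoTSiteWise:putDefaultEncryptionConfiguration'],` — confirm the exact service key, since the plugin's `apis` line is outside the hunk.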
diff --git a/plugins/aws/kinesisvideo/videostreamDataEncrypted.js b/plugins/aws/kinesisvideo/videostreamDataEncrypted.js index 821c4e1196..66cd533d2f 100644 --- a/plugins/aws/kinesisvideo/videostreamDataEncrypted.js +++ b/plugins/aws/kinesisvideo/videostreamDataEncrypted.js @@ -19,6 +19,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['KinesisVideo:CreateStream', 'KinesisVideo:updateStream'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/kms/kmsAppTierCmk.js b/plugins/aws/kms/kmsAppTierCmk.js index 1fe682b480..584dfb417d 100644 --- a/plugins/aws/kms/kmsAppTierCmk.js +++ b/plugins/aws/kms/kmsAppTierCmk.js @@ -18,6 +18,7 @@ module.exports = { default: '' }, }, + realtime_triggers: ['KMS:createKey,KMS:tagResource'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/kms/kmsDefaultKeyUsage.js b/plugins/aws/kms/kmsDefaultKeyUsage.js index 1ae39f5955..910e333ee9 100644 --- a/plugins/aws/kms/kmsDefaultKeyUsage.js +++ b/plugins/aws/kms/kmsDefaultKeyUsage.js @@ -20,6 +20,7 @@ module.exports = { 'passwords, it is still strongly encouraged to use a ' + 'customer-provided CMK rather than the default KMS key.' }, + realtime_triggers: ['CloudTrail:createTrail,CloudTrail:updateTrail,EC2:createVolume,ElasticTranscoder:updatePipeline,ElasticTranscoder:createPipeline,RDS:createDBInstance,RDS:modifyDBInstance,Redshift:createCluster,Redshift:modifyCluster,S3:createBucket,S3:putBucketEncryption,SES:createReceiptRule,SES:updateReceiptRule,Workspaces:createWorkspaces,Lambda:updateFunctionConfiguration,Lambda:createFunction,CloudWatchLogs:createLogGroup,CloudWatchLogs:associateKmsKey,EFS:createFileSystem'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/kms/kmsDuplicateGrants.js b/plugins/aws/kms/kmsDuplicateGrants.js index f130b8343e..f0cf55100d 100644 --- a/plugins/aws/kms/kmsDuplicateGrants.js +++ b/plugins/aws/kms/kmsDuplicateGrants.js 
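Review bot: The videostreamDataEncrypted.js entry `realtime_triggers: ['KinesisVideo:CreateStream', 'KinesisVideo:updateStream'],` mixes PascalCase and camelCase for the action part within one list, while every other entry in this commit uses camelCase (`Kinesis:createStream`, `KMS:createKey`). If the consumer compares event names case-sensitively the first element will silently never match; `'KinesisVideo:createStream'` keeps the file consistent with its neighbours. The long kmsDefaultKeyUsage.js list in the same line would also read more easily split one service per line, but that is cosmetic.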
@@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Delete duplicate grants for AWS KMS keys', link: 'https://docs.aws.amazon.com/kms/latest/developerguide/grants.html', apis: ['KMS:listKeys', 'KMS:listGrants', 'KMS:describeKey'], + realtime_triggers: ['KMS:createKey,KMS:revokeGrant'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/kms/kmsGrantLeastPrivilege.js b/plugins/aws/kms/kmsGrantLeastPrivilege.js index b801a89073..5712788c40 100644 --- a/plugins/aws/kms/kmsGrantLeastPrivilege.js +++ b/plugins/aws/kms/kmsGrantLeastPrivilege.js @@ -9,6 +9,7 @@ module.exports = { recommended_action: 'Create KMS grants with minimum permission required', link: 'https://docs.aws.amazon.com/kms/latest/developerguide/grants.html', apis: ['KMS:listKeys', 'KMS:listGrants', 'KMS:describeKey'], + realtime_triggers: ['KMS:createKey,KMS:createGrant'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/kms/kmsKeyPolicy.js b/plugins/aws/kms/kmsKeyPolicy.js index 1ed460aeda..f97d38e14e 100644 --- a/plugins/aws/kms/kmsKeyPolicy.js +++ b/plugins/aws/kms/kmsKeyPolicy.js @@ -57,6 +57,7 @@ module.exports = { default: 'false' }, }, + realtime_triggers: ['KMS:createKey,KMS:putKeyPolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/kms/kmsKeyRotation.js b/plugins/aws/kms/kmsKeyRotation.js index 681520189f..ab2c69dff1 100644 --- a/plugins/aws/kms/kmsKeyRotation.js +++ b/plugins/aws/kms/kmsKeyRotation.js @@ -25,6 +25,7 @@ module.exports = { default: 'aqua-cspm' } }, + realtime_triggers: ['KMS:createKey,KMS:enableKeyRotation'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/kms/kmsScheduledDeletion.js b/plugins/aws/kms/kmsScheduledDeletion.js index ffc083514b..a0bfe72237 100644 --- a/plugins/aws/kms/kmsScheduledDeletion.js +++ b/plugins/aws/kms/kmsScheduledDeletion.js 
@@ -22,6 +22,7 @@ module.exports = { } ] }, + realtime_triggers: ['KMS:scheduleKeyDeletion,KMS:cancelKeyDeletion'], run: function(cache, settings, callback) { var results = []; From 5f31552196e4bdd9442e9a5cb2fc63c7973843d3 Mon Sep 17 00:00:00 2001 
From: --global Date: Thu, 14 Sep 2023 15:34:32 +0500 Subject: [PATCH 004/498] added tiggers for E --- plugins/aws/ec2/allowedCustomPorts.js | 1 + plugins/aws/ec2/amiHasTags.js | 1 + plugins/aws/ec2/appTierInstanceIamRole.js | 1 + plugins/aws/ec2/classicInstances.js | 1 + plugins/aws/ec2/crossVpcPublicPrivate.js | 1 + plugins/aws/ec2/defaultSecurityGroup.js | 1 + plugins/aws/ec2/defaultSecurityGroupInUse.js | 1 + plugins/aws/ec2/defaultVpcExists.js | 1 + plugins/aws/ec2/defaultVpcInUse.js | 1 + plugins/aws/ec2/ebsBackupEnabled.js | 1 + plugins/aws/ec2/ebsDefaultEncryptionEnabled.js | 3 ++- plugins/aws/ec2/ebsEncryptedSnapshots.js | 1 + plugins/aws/ec2/ebsEncryptionEnabled.js | 1 + plugins/aws/ec2/ebsOldSnapshots.js | 1 + plugins/aws/ec2/ebsRecentSnapshots.js | 1 + plugins/aws/ec2/ebsSnapshotHasTags.js | 1 + plugins/aws/ec2/ebsSnapshotLifecycle.js | 1 + plugins/aws/ec2/ebsSnapshotPublic.js | 1 + plugins/aws/ec2/ebsUnusedVolumes.js | 1 + plugins/aws/ec2/ebsVolumeHasTags.js | 1 + plugins/aws/ec2/ec2HasTags.js | 1 + plugins/aws/ec2/ec2MetadataOptions.js | 1 + plugins/aws/ec2/enableDetailedMonitoring.js | 1 + plugins/aws/ec2/encryptedAmi.js | 1 + plugins/aws/ec2/excessiveSecurityGroups.js | 1 + plugins/aws/ec2/flowLogsEnabled.js | 1 + plugins/aws/ec2/instanceIamRole.js | 1 + plugins/aws/ec2/instanceKeyBasedLogin.js | 1 + plugins/aws/ec2/instanceLimit.js | 1 + plugins/aws/ec2/instanceMaxCount.js | 1 + plugins/aws/ec2/instanceVcpusLimit.js | 1 + plugins/aws/ec2/internetGatewayInVpc.js | 1 + plugins/aws/ec2/launchWizardSecurityGroups.js | 1 + plugins/aws/ec2/managedNatGateway.js | 1 + plugins/aws/ec2/multipleSubnets.js | 1 + plugins/aws/ec2/natMultiAz.js | 1 + plugins/aws/ec2/networkAclHasTags.js | 1 + plugins/aws/ec2/networkAclInboundTraffic.js | 2 +- plugins/aws/ec2/networkAclOutboundTraffic.js | 1 + plugins/aws/ec2/openAllPortsProtocols.js | 1 + plugins/aws/ec2/openAllPortsProtocolsEgress.js | 2 ++ plugins/aws/ec2/openCustomPorts.js | 1 + plugins/aws/ec2/openHTTP.js | 1 
+ plugins/aws/ec2/openHTTPS.js | 1 + plugins/aws/ec2/outdatedAmiInUse.js | 1 + plugins/aws/ec2/overlappingSecurityGroups.js | 1 + plugins/aws/ec2/overutilizedEC2Instance.js | 1 + plugins/aws/ec2/publicAmi.js | 2 ++ plugins/aws/ec2/publicIpAddress.js | 1 + plugins/aws/ec2/securityGroupRfc1918.js | 1 + plugins/aws/ec2/securityGroupsHasTags.js | 1 + plugins/aws/ec2/subnetIpAvailability.js | 1 + plugins/aws/ec2/unassociatedElasticIp.js | 1 + plugins/aws/ec2/unusedAmi.js | 1 + plugins/aws/ec2/unusedEni.js | 1 + plugins/aws/ec2/unusedSecurityGroups.js | 1 + plugins/aws/ec2/unusedVirtualPrivateGateway.js | 1 + plugins/aws/ec2/unusedVpcInternetGateways.js | 1 + plugins/aws/ec2/vpcEndpointAcceptance.js | 1 + plugins/aws/ec2/vpcEndpointCrossAccount.js | 1 + plugins/aws/ec2/vpcEndpointExposed.js | 1 + plugins/aws/ec2/vpcHasTags.js | 1 + plugins/aws/ec2/vpcPeeringConnections.js | 1 + plugins/aws/ec2/vpcSubnetInstancesPresent.js | 1 + plugins/aws/ec2/vpnGatewayInVpc.js | 1 + plugins/aws/ec2/vpnTunnelState.js | 1 + plugins/aws/ec2/webTierInstanceIamRole.js | 1 + plugins/aws/ecr/ecrImageVulnerability.js | 1 + plugins/aws/ecr/ecrRepositoryEncrypted.js | 1 + plugins/aws/ecr/ecrRepositoryHasTags.js | 1 + plugins/aws/ecr/ecrRepositoryPolicy.js | 1 + plugins/aws/ecr/ecrRepositoryTagImmutability.js | 1 + plugins/aws/ecs/ecsClusterActiveService.js | 1 + plugins/aws/ecs/ecsClusterWithActiveTask.js | 1 + plugins/aws/ecs/ecsClustersHaveTags.js | 1 + plugins/aws/ecs/ecsContainerInsightsEnabled.js | 1 + plugins/aws/efs/efsCmkEncrypted.js | 1 + plugins/aws/efs/efsEncryptionEnabled.js | 1 + plugins/aws/efs/efsHasTags.js | 1 + plugins/aws/eks/eksClusterHasTags.js | 1 + plugins/aws/eks/eksKubernetesVersion.js | 1 + plugins/aws/eks/eksLatestPlatformVersion.js | 1 + plugins/aws/eks/eksLoggingEnabled.js | 1 + plugins/aws/eks/eksPrivateEndpoint.js | 1 + plugins/aws/eks/eksSecretsEncrypted.js | 1 + plugins/aws/eks/eksSecurityGroups.js | 1 + plugins/aws/elasticache/elasticCacheClusterHasTags.js | 1 + 
plugins/aws/elasticache/elasticacheClusterInVpc.js | 2 ++ plugins/aws/elasticache/elasticacheDefaultPorts.js | 1 + plugins/aws/elasticache/elasticacheInstanceGeneration.js | 1 + plugins/aws/elasticache/elasticacheNodesCount.js | 1 + plugins/aws/elasticache/elasticacheRedisMultiAZ.js | 1 + plugins/aws/elasticache/elasticaheDesiredNodeType.js | 1 + plugins/aws/elasticache/idleElastiCacheNode.js | 1 + plugins/aws/elasticache/redisClusterEncryptionAtRest.js | 1 + plugins/aws/elasticache/redisClusterEncryptionInTransit.js | 1 + plugins/aws/elasticache/redisEngineVersions.js | 1 + plugins/aws/elasticache/reservedNodeLeaseExpiration.js | 1 + plugins/aws/elasticache/reservedNodePaymentFailed.js | 1 + plugins/aws/elasticache/reservedNodePaymentPending.js | 1 + plugins/aws/elasticache/unusedElastiCacheReservedNode.js | 1 + plugins/aws/elasticbeanstalk/enhancedHealthReporting.js | 1 + plugins/aws/elasticbeanstalk/environmentAccessLogs.js | 1 + plugins/aws/elasticbeanstalk/environmentPersistentLogs.js | 1 + plugins/aws/elasticbeanstalk/managedPlatformUpdates.js | 1 + plugins/aws/elastictranscoder/jobOutputsEncrypted.js | 1 + plugins/aws/elastictranscoder/pipelineDataEncrypted.js | 1 + plugins/aws/elb/appTierElbSecurity.js | 1 + plugins/aws/elb/classicELBInUse.js | 1 + plugins/aws/elb/connectionDrainingEnabled.js | 1 + plugins/aws/elb/crosszoneLoadBalancing.js | 1 + plugins/aws/elb/elbHasTags.js | 2 ++ plugins/aws/elb/elbLoggingEnabled.js | 1 + plugins/aws/elb/elbNoInstances.js | 2 +- plugins/aws/elb/elbUnhealthyInstances.js | 1 + plugins/aws/elb/insecureCiphers.js | 1 + plugins/aws/elbv2/elbv2DeletionProtection.js | 1 + plugins/aws/elbv2/elbv2DeprecatedSslPolicies.js | 1 + plugins/aws/elbv2/elbv2DeregistrationDelay.js | 1 + plugins/aws/elbv2/elbv2HasTags.js | 2 ++ plugins/aws/elbv2/elbv2InsecureCiphers.js | 1 + plugins/aws/elbv2/elbv2LoggingEnabled.js | 1 + plugins/aws/elbv2/elbv2MinimumTargetInstances.js | 1 + plugins/aws/elbv2/elbv2NlbListenerSecurity.js | 1 + 
plugins/aws/elbv2/elbv2NoInstances.js | 2 +- plugins/aws/elbv2/elbv2SslTermination.js | 1 + plugins/aws/elbv2/elbv2TLSVersionCipherEnabled.js | 1 + plugins/aws/elbv2/elbv2UnhealthyInstance.js | 1 + plugins/aws/elbv2/elbv2WafEnabled.js | 2 ++ plugins/aws/elbv2/elbv2crosszoneLoadBalancing.js | 1 + plugins/aws/emr/emrClusterHasTags.js | 1 + plugins/aws/emr/emrClusterInVPC.js | 1 + plugins/aws/emr/emrClusterLogging.js | 1 + plugins/aws/emr/emrDesiredInstanceType.js | 1 + plugins/aws/emr/emrEncryptionAtRest.js | 1 + plugins/aws/emr/emrEncryptionInTransit.js | 1 + plugins/aws/emr/emrInstanceCount.js | 1 + plugins/aws/eventbridge/eventBusCrossAccountAccess.js | 1 + plugins/aws/eventbridge/eventBusPublicAccess.js | 1 + plugins/aws/eventbridge/eventsInUse.js | 1 + 140 files changed, 147 insertions(+), 4 deletions(-) diff --git a/plugins/aws/ec2/allowedCustomPorts.js b/plugins/aws/ec2/allowedCustomPorts.js index ad77cec327..fa7a88165d 100644 --- a/plugins/aws/ec2/allowedCustomPorts.js +++ b/plugins/aws/ec2/allowedCustomPorts.js @@ -18,6 +18,7 @@ module.exports = { default: '' } }, + realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/amiHasTags.js b/plugins/aws/ec2/amiHasTags.js index 79348cf24a..48e97c5743 100644 --- a/plugins/aws/ec2/amiHasTags.js +++ b/plugins/aws/ec2/amiHasTags.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://aws.amazon.com/about-aws/whats-new/2020/12/amazon-machine-images-support-tag-on-create-tag-based-access-control/', recommended_action: 'Modify AMI and add tags.', apis: ['EC2:describeImages'], + realtime_triggers: ['ec2:CreateImage', 'ec2:CreateTags', 'ec2:DeleteTags'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/appTierInstanceIamRole.js b/plugins/aws/ec2/appTierInstanceIamRole.js index b0ebaba3d9..9199acf07c 100644 --- a/plugins/aws/ec2/appTierInstanceIamRole.js 
+++ b/plugins/aws/ec2/appTierInstanceIamRole.js @@ -19,6 +19,7 @@ module.exports = { default: '' }, }, + realtime_triggers: ['ec2:RunInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/classicInstances.js b/plugins/aws/ec2/classicInstances.js index 6b7da672cb..c9743ddf64 100644 --- a/plugins/aws/ec2/classicInstances.js +++ b/plugins/aws/ec2/classicInstances.js @@ -19,6 +19,7 @@ module.exports = { 'segmentation criteria for PCI. Ensure all instances are launched ' + 'within a VPC to comply with isolation requirements.' }, + realtime_triggers: ['ec2:RunInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/crossVpcPublicPrivate.js b/plugins/aws/ec2/crossVpcPublicPrivate.js index ca672b7be5..22404af170 100644 --- a/plugins/aws/ec2/crossVpcPublicPrivate.js +++ b/plugins/aws/ec2/crossVpcPublicPrivate.js @@ -16,6 +16,7 @@ module.exports = { 'communicate across these segmented boundaries. Ensure that public ' + 'services in one VPC cannot communicate with the private tier of another.' }, + realtime_triggers: ['ec2:CreateVpcPeeringConnection', 'ec2:ModifyVpcPeeringConnectionOptions'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/defaultSecurityGroup.js b/plugins/aws/ec2/defaultSecurityGroup.js index 24fb39d849..afb26825e7 100644 --- a/plugins/aws/ec2/defaultSecurityGroup.js +++ b/plugins/aws/ec2/defaultSecurityGroup.js @@ -17,6 +17,7 @@ module.exports = { 'unintended traffic to cross these isolation boundaries.', cis2: '4.3 Ensure the default security group of every VPC restricts all traffic' }, + realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/defaultSecurityGroupInUse.js b/plugins/aws/ec2/defaultSecurityGroupInUse.js index 8b68b15f9d..a06db51908 100644 
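Review bot: `ec2:RunInstance` is not an EC2 API name — the action and its CloudTrail event are `RunInstances` (plural) — so if these strings are matched literally against event names, as the field name suggests, this trigger can never fire and the check silently loses its real-time coverage; the line should read `realtime_triggers: ['ec2:RunInstances'],`. The same singular form appears in classicInstances (this line), defaultSecurityGroupInUse, defaultVpcInUse, ec2HasTags, ec2MetadataOptions, enableDetailedMonitoring, instanceIamRole, instanceKeyBasedLogin, instanceLimit, instanceMaxCount, instanceVcpusLimit, outdatedAmiInUse, publicIpAddress and vpcSubnetInstancesPresent, and `ec2:TerminateInstance` in instanceLimit, instanceMaxCount, instanceVcpusLimit, outdatedAmiInUse and vpcSubnetInstancesPresent should likewise be `ec2:TerminateInstances`. A unit test that checks every plugin's `realtime_triggers` entries against a known list of event names would catch this class of typo, since a misspelled trigger produces no error at runtime. The enclosing `module.exports` object starts and ends outside the hunk.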
--- a/plugins/aws/ec2/defaultSecurityGroupInUse.js +++ b/plugins/aws/ec2/defaultSecurityGroupInUse.js @@ -10,6 +10,7 @@ module.exports = { link: 'http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#default-security-group', recommended_action: 'Modify EC2 instances and change security group.', apis: ['EC2:describeInstances'], + realtime_triggers: ['ec2:RunInstance', 'ec2:ModifyInstanceAttribute'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/defaultVpcExists.js b/plugins/aws/ec2/defaultVpcExists.js index 7006c2201e..c328295b9e 100644 --- a/plugins/aws/ec2/defaultVpcExists.js +++ b/plugins/aws/ec2/defaultVpcExists.js @@ -10,6 +10,7 @@ module.exports = { link: 'http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/default-vpc.html', recommended_action: 'Move resources from the default VPC to a new VPC created for that application or resource group.', apis: ['EC2:describeVpcs', 'STS:getCallerIdentity'], + realtime_triggers: ['ec2:CreateVpc', 'ec2:ModifyVpcAttribute'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/defaultVpcInUse.js b/plugins/aws/ec2/defaultVpcInUse.js index c834491266..eb5ff9ad26 100644 --- a/plugins/aws/ec2/defaultVpcInUse.js +++ b/plugins/aws/ec2/defaultVpcInUse.js @@ -10,6 +10,7 @@ module.exports = { link: 'http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/default-vpc.html', recommended_action: 'Move resources from the default VPC to a new VPC created for that application or resource group.', apis: ['EC2:describeVpcs', 'EC2:describeInstances', 'ELB:describeLoadBalancers', 'Lambda:listFunctions', 'RDS:describeDBInstances', 'Redshift:describeClusters'], + realtime_triggers: ['ec2:CreateVpc', 'ec2:ModifyVpcAttribute', 'ec2:RunInstance','elasticloadbalancing:CreateLoadBalancer', 'lambda:CreateFunction','', 'rds:CreateDBInstance','redshift:CreateCluster'], run: function(cache, settings, callback) { var results = []; 
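Review bot: The defaultVpcInUse trigger list contains a stray empty string (`'lambda:CreateFunction','',`), which looks like a placeholder that was never filled in; it is not an event name and its effect depends entirely on how the consumer treats an empty key. Drop it (and tidy the spacing) so the line reads `realtime_triggers: ['ec2:CreateVpc', 'ec2:ModifyVpcAttribute', 'ec2:RunInstances', 'elasticloadbalancing:CreateLoadBalancer', 'lambda:CreateFunction', 'rds:CreateDBInstance', 'redshift:CreateCluster'],` (with `RunInstances` spelled as the real API name). The enclosing `module.exports` object continues outside the hunk.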
diff --git a/plugins/aws/ec2/ebsBackupEnabled.js b/plugins/aws/ec2/ebsBackupEnabled.js index be51aedc90..b04fa32e70 100644 --- a/plugins/aws/ec2/ebsBackupEnabled.js +++ b/plugins/aws/ec2/ebsBackupEnabled.js @@ -18,6 +18,7 @@ module.exports = { default: 'true' } }, + realtime_triggers: ['ec2:CreateSnapshot', 'ec2:CreateVloume'], run: function(cache, settings, callback) { let results = []; diff --git a/plugins/aws/ec2/ebsDefaultEncryptionEnabled.js b/plugins/aws/ec2/ebsDefaultEncryptionEnabled.js index 1e4324235f..d91e1a327c 100644 --- a/plugins/aws/ec2/ebsDefaultEncryptionEnabled.js +++ b/plugins/aws/ec2/ebsDefaultEncryptionEnabled.js @@ -18,7 +18,8 @@ module.exports = { default: 'awskms', }, }, - + realtime_triggers: ['ec2:CreateVolume', 'ec2:EnableEbsEncryptionByDefault', 'ec2:DisableEbsEncryptionByDefault', 'ec2:ModifyEbsDefaultKmsKeyId'], + run: function(cache, settings, callback) { var results = []; var source = {}; diff --git a/plugins/aws/ec2/ebsEncryptedSnapshots.js b/plugins/aws/ec2/ebsEncryptedSnapshots.js index 8b34a3eef6..886d82dc72 100644 --- a/plugins/aws/ec2/ebsEncryptedSnapshots.js +++ b/plugins/aws/ec2/ebsEncryptedSnapshots.js @@ -16,6 +16,7 @@ module.exports = { 'of EC2 instance data at rest, but volumes must be configured to use ' + 'encryption so their snapshots are also encrypted.' }, + realtime_triggers: ['ec2:CreateSnapshot', 'ec2:CopySnapshot'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/ebsEncryptionEnabled.js b/plugins/aws/ec2/ebsEncryptionEnabled.js index a86f0ec21c..653a4ed0fb 100644 --- a/plugins/aws/ec2/ebsEncryptionEnabled.js +++ b/plugins/aws/ec2/ebsEncryptionEnabled.js @@ -58,6 +58,7 @@ module.exports = { }, }, + realtime_triggers: ['ec2:CreateVolume'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/ebsOldSnapshots.js b/plugins/aws/ec2/ebsOldSnapshots.js index c9be769671..82e7e5a14a 100644 --- a/plugins/aws/ec2/ebsOldSnapshots.js 
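Review bot: `ec2:CreateVloume` in ebsBackupEnabled is misspelled; the action is `CreateVolume`, as ebsEncryptionEnabled and ebsDefaultEncryptionEnabled on this same line spell it, so this trigger would not match the event it is meant to catch. The line should read `realtime_triggers: ['ec2:CreateSnapshot', 'ec2:CreateVolume'],`. The enclosing `module.exports` object continues outside the hunk.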
+++ b/plugins/aws/ec2/ebsOldSnapshots.js @@ -24,6 +24,7 @@ module.exports = { default: '20', }, }, + realtime_triggers: ['ec2:CreateSnapshot', 'ec2:DeleteSnapshot'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/ebsRecentSnapshots.js b/plugins/aws/ec2/ebsRecentSnapshots.js index f34ffb859a..9bd01f38da 100644 --- a/plugins/aws/ec2/ebsRecentSnapshots.js +++ b/plugins/aws/ec2/ebsRecentSnapshots.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html', recommended_action: 'Create a new snapshot for EBS volume weekly.', apis: ['EC2:describeSnapshots','STS:getCallerIdentity'], + realtime_triggers: ['ec2:CreateSnapshot'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/ebsSnapshotHasTags.js b/plugins/aws/ec2/ebsSnapshotHasTags.js index ca5f66fbd7..e9687ba78b 100644 --- a/plugins/aws/ec2/ebsSnapshotHasTags.js +++ b/plugins/aws/ec2/ebsSnapshotHasTags.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://aws.amazon.com/blogs/compute/tag-amazon-ebs-snapshots-on-creation-and-implement-stronger-security-policies/', recommended_action: 'Modify EBS snapshots and add tags.', apis: ['EC2:describeSnapshots'], + realtime_triggers: ['ec2:CreateSnapshot', 'ec2:AddTags', 'ec2:DeleteTags'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/ebsSnapshotLifecycle.js b/plugins/aws/ec2/ebsSnapshotLifecycle.js index a6f98e430d..ffd6462a5f 100644 --- a/plugins/aws/ec2/ebsSnapshotLifecycle.js +++ b/plugins/aws/ec2/ebsSnapshotLifecycle.js @@ -12,6 +12,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-lifecycle.html', apis: ['EC2:describeInstances', 'EC2:describeVolumes', 'DLM:getLifecyclePolicies', 'DLM:getLifecyclePolicy', 'STS:getCallerIdentity'], + realtime_triggers: ['dlm:CreateLifecyclePolicy'], run: function(cache, settings, callback) { var results = []; 
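Review bot: `ec2:AddTags` in ebsSnapshotHasTags is not an EC2 action — tags are written with `CreateTags` and removed with `DeleteTags`, which is what amiHasTags in this same commit uses — so the add-tag half of this trigger would never match. The line should read `realtime_triggers: ['ec2:CreateSnapshot', 'ec2:CreateTags', 'ec2:DeleteTags'],`; the same `ec2:AddTags` appears in ebsVolumeHasTags, ec2HasTags, networkAclHasTags, securityGroupsHasTags and vpcHasTags. The enclosing `module.exports` object continues outside the hunk.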
diff --git a/plugins/aws/ec2/ebsSnapshotPublic.js b/plugins/aws/ec2/ebsSnapshotPublic.js index aff5799c1d..16cd944cde 100644 --- a/plugins/aws/ec2/ebsSnapshotPublic.js +++ b/plugins/aws/ec2/ebsSnapshotPublic.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html', recommended_action: 'Modify the permissions of public snapshots to remove public access.', apis: ['EC2:describeSnapshots', 'EC2:describeSnapshotAttribute'], + realtime_triggers: ['ec2:CreateSnapshot' , 'ec2:ModifySnapshotAttribute'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/ebsUnusedVolumes.js b/plugins/aws/ec2/ebsUnusedVolumes.js index 37cb461f6d..ee0fa1323d 100644 --- a/plugins/aws/ec2/ebsUnusedVolumes.js +++ b/plugins/aws/ec2/ebsUnusedVolumes.js @@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Delete the unassociated EBS volume.', link: 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-deleting-volume.html', apis: ['EC2:describeInstances', 'EC2:describeVolumes', 'STS:getCallerIdentity'], + realtime_triggers: ['ec2:CreateVolume','ec2:DeleteVolume'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/ebsVolumeHasTags.js b/plugins/aws/ec2/ebsVolumeHasTags.js index ecabf193a6..426a7ddbe4 100644 --- a/plugins/aws/ec2/ebsVolumeHasTags.js +++ b/plugins/aws/ec2/ebsVolumeHasTags.js @@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Modify EBS volumes and add tags', link: 'https://aws.amazon.com/blogs/aws/new-tag-ec2-instances-ebs-volumes-on-creation/', apis: ['EC2:describeVolumes', 'STS:getCallerIdentity'], + realtime_triggers: ['ec2:CreateVolume', 'ec2:AddTags', 'ec2:DeleteTags'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/ec2HasTags.js b/plugins/aws/ec2/ec2HasTags.js index 1cb46202f3..6db8b342dc 100644 --- a/plugins/aws/ec2/ec2HasTags.js 
+++ b/plugins/aws/ec2/ec2HasTags.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html', recommended_action: 'Modify EC2 instances and add tags.', apis: ['EC2:describeInstances'], + realtime_triggers: ['ec2:RunInstance', 'ec2:AddTags', 'ec2:DeleteTags'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/ec2MetadataOptions.js b/plugins/aws/ec2/ec2MetadataOptions.js index b65a607ec2..192f10dd86 100644 --- a/plugins/aws/ec2/ec2MetadataOptions.js +++ b/plugins/aws/ec2/ec2MetadataOptions.js @@ -11,6 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#configuring-instance-metadata-service', recommended_action: 'Update instance metadata options to use IMDSv2', apis: ['EC2:describeInstances'], + realtime_triggers: ['ec2:RunInstance', 'ec2:ModifyInstanceMetadataOptions'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/enableDetailedMonitoring.js b/plugins/aws/ec2/enableDetailedMonitoring.js index c923c09573..5170993242 100644 --- a/plugins/aws/ec2/enableDetailedMonitoring.js +++ b/plugins/aws/ec2/enableDetailedMonitoring.js @@ -11,6 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html', recommended_action: 'Modify EC2 instance to enable detailed monitoring.', apis: ['EC2:describeInstances'], + realtime_triggers: ['ec2:RunInstance', 'ec2:MonitorInstances'], run: function(cache, settings, callback) { const results = []; diff --git a/plugins/aws/ec2/encryptedAmi.js b/plugins/aws/ec2/encryptedAmi.js index 8716571e1f..cfa8dfeada 100644 --- a/plugins/aws/ec2/encryptedAmi.js +++ b/plugins/aws/ec2/encryptedAmi.js 
@@ -16,6 +16,7 @@ module.exports = { 'allow it to remain compliant with the encryption at-rest ' + 'regulatory requirement.' }, + realtime_triggers: ['ec2:CreateImage', 'ec2:CopyImage'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/excessiveSecurityGroups.js b/plugins/aws/ec2/excessiveSecurityGroups.js index f49150964b..17e33ffaa8 100644 --- a/plugins/aws/ec2/excessiveSecurityGroups.js +++ b/plugins/aws/ec2/excessiveSecurityGroups.js @@ -30,6 +30,7 @@ module.exports = { default: 30 } }, + realtime_triggers: ['ec2:CreateSecurityGroup', 'ec2:DeleteSecurityGroup'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/flowLogsEnabled.js b/plugins/aws/ec2/flowLogsEnabled.js index c4827e15e0..47610f2fe8 100644 --- a/plugins/aws/ec2/flowLogsEnabled.js +++ b/plugins/aws/ec2/flowLogsEnabled.js @@ -19,6 +19,7 @@ module.exports = { 'cardholder data. Enable VPC flow logs to log these network requests.', cis2: '2.9 Ensure VPC flow logging is enabled in all VPCs' }, + realtime_triggers: ['ec2:CreateVpc', 'ec2:CreateFlowLogs'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/instanceIamRole.js b/plugins/aws/ec2/instanceIamRole.js index 2cb3c81303..a144413d56 100644 --- a/plugins/aws/ec2/instanceIamRole.js +++ b/plugins/aws/ec2/instanceIamRole.js @@ -18,6 +18,7 @@ module.exports = { default: 10 } }, + realtime_triggers: ['ec2:RunInstance'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/instanceKeyBasedLogin.js b/plugins/aws/ec2/instanceKeyBasedLogin.js index 80af12c3d1..ea66558a4b 100644 --- a/plugins/aws/ec2/instanceKeyBasedLogin.js +++ b/plugins/aws/ec2/instanceKeyBasedLogin.js @@ -18,6 +18,7 @@ module.exports = { default: '10' } }, + realtime_triggers: ['ec2:RunInstance', 'ec2:ModifyInstanceAttribute'], run: function(cache, settings, callback) { var config = { 
diff --git a/plugins/aws/ec2/instanceLimit.js b/plugins/aws/ec2/instanceLimit.js index 3b30d5bcee..b6e55ea493 100644 --- a/plugins/aws/ec2/instanceLimit.js +++ b/plugins/aws/ec2/instanceLimit.js @@ -24,6 +24,7 @@ module.exports = { default: 75 } }, + realtime_triggers: ['ec2:RunInstance', 'ec2:TerminateInstance'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/instanceMaxCount.js b/plugins/aws/ec2/instanceMaxCount.js index 889b0a8d2d..548625d245 100644 --- a/plugins/aws/ec2/instanceMaxCount.js +++ b/plugins/aws/ec2/instanceMaxCount.js @@ -205,6 +205,7 @@ module.exports = { }, }, + realtime_triggers: ['ec2:RunInstance', 'ec2:TerminateInstance'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/instanceVcpusLimit.js b/plugins/aws/ec2/instanceVcpusLimit.js index c69092c1bc..ed85d96e6f 100644 --- a/plugins/aws/ec2/instanceVcpusLimit.js +++ b/plugins/aws/ec2/instanceVcpusLimit.js @@ -24,6 +24,7 @@ module.exports = { default: 75 } }, + realtime_triggers: ['ec2:RunInstance', 'ec2:TerminateInstance', 'servicequotas:RequestServiceQuotaIncrease'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/internetGatewayInVpc.js b/plugins/aws/ec2/internetGatewayInVpc.js index fc6f91e4d2..ef68b75fcd 100644 --- a/plugins/aws/ec2/internetGatewayInVpc.js +++ b/plugins/aws/ec2/internetGatewayInVpc.js @@ -11,6 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html', recommended_action: 'Ensure Internet Gateways have VPC attached to them.', apis: ['EC2:describeInternetGateways', 'STS:getCallerIdentity'], + realtime_triggers: ['ec2:CreateInternetGateway', 'ec2:DetachInternetGateway', 'ec2:AttachInternetGateway'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/launchWizardSecurityGroups.js b/plugins/aws/ec2/launchWizardSecurityGroups.js index da5554b435..5ae29a9ec2 100644 
--- a/plugins/aws/ec2/launchWizardSecurityGroups.js +++ b/plugins/aws/ec2/launchWizardSecurityGroups.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-sap-security-groups.html', recommended_action: 'Delete the launch wizard security group and replace it with a custom security group.', apis: ['EC2:describeSecurityGroups'], + realtime_triggers: ['ec2:CreateSecurityGroup'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/managedNatGateway.js b/plugins/aws/ec2/managedNatGateway.js index 5c145ce14a..255b0f7746 100644 --- a/plugins/aws/ec2/managedNatGateway.js +++ b/plugins/aws/ec2/managedNatGateway.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://aws.amazon.com/blogs/aws/new-managed-nat-network-address-translation-gateway-for-aws/', recommended_action: 'Update VPCs to use Managed NAT Gateways instead of NAT instances', apis: ['EC2:describeVpcs', 'EC2:describeNatGateways', 'STS:getCallerIdentity'], + realtime_triggers: ['ec2:CreateNatGateway', 'ec2:ReplaceRoute'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/multipleSubnets.js b/plugins/aws/ec2/multipleSubnets.js index d3f07c4ef2..0f12117e5b 100644 --- a/plugins/aws/ec2/multipleSubnets.js +++ b/plugins/aws/ec2/multipleSubnets.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html#SubnetSecurity', recommended_action: 'Create at least two subnets in each VPC, utilizing one for public traffic and the other for private traffic.', apis: ['EC2:describeVpcs', 'EC2:describeSubnets', 'STS:getCallerIdentity'], + realtime_triggers: ['ec2:CreateVpc', 'ec2:CreateSubnet', 'ec2:DeleteSubnet'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/natMultiAz.js b/plugins/aws/ec2/natMultiAz.js index 2627a935c7..3a513e46f7 100644 --- a/plugins/aws/ec2/natMultiAz.js 
+++ b/plugins/aws/ec2/natMultiAz.js @@ -10,6 +10,7 @@ module.exports = { link: 'http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html', recommended_action: 'Launch managed NAT instances in multiple AZs.', apis: ['EC2:describeVpcs', 'EC2:describeNatGateways', 'STS:getCallerIdentity'], + realtime_triggers: ['ec2:CreateNatGateway'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/networkAclHasTags.js b/plugins/aws/ec2/networkAclHasTags.js index fb54f266dc..a53f75eb86 100644 --- a/plugins/aws/ec2/networkAclHasTags.js +++ b/plugins/aws/ec2/networkAclHasTags.js @@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Modify Network ACL and add tags.', link: 'https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html', apis: ['EC2:describeNetworkAcls', 'STS:getCallerIdentity'], + realtime_triggers: ['ec2:CreateNetworkAcl', 'ec2:AddTags', 'ec2:DeleteTags'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/networkAclInboundTraffic.js b/plugins/aws/ec2/networkAclInboundTraffic.js index de73ed2f49..110f0a32ec 100644 --- a/plugins/aws/ec2/networkAclInboundTraffic.js +++ b/plugins/aws/ec2/networkAclInboundTraffic.js @@ -13,7 +13,7 @@ module.exports = { compliance: { cis1: '5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports', }, - + realtime_triggers: ['ec2:CreateNetworkAcl', 'ec2:ReplaceNetworkAclEntry'], run: function(cache, settings, callback) { var results = []; var source = {}; diff --git a/plugins/aws/ec2/networkAclOutboundTraffic.js b/plugins/aws/ec2/networkAclOutboundTraffic.js index 08529633b7..d0190c12a7 100644 --- a/plugins/aws/ec2/networkAclOutboundTraffic.js +++ b/plugins/aws/ec2/networkAclOutboundTraffic.js 
@@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Update Network ACL to allow outbound/egress traffic to specific port ranges only', link: 'https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html', apis: ['EC2:describeNetworkAcls', 'STS:getCallerIdentity'], + realtime_triggers: ['ec2:CreateNetworkAcl', 'ec2:ReplaceNetworkAclEntry'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/openAllPortsProtocols.js b/plugins/aws/ec2/openAllPortsProtocols.js index 3a8b14661b..11d000f3bc 100644 --- a/plugins/aws/ec2/openAllPortsProtocols.js +++ b/plugins/aws/ec2/openAllPortsProtocols.js @@ -27,6 +27,7 @@ module.exports = { 'Security groups should be properly secured to prevent access to ' + 'backend services.' }, + realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openAllPortsProtocolsEgress.js b/plugins/aws/ec2/openAllPortsProtocolsEgress.js index 9ebbc0efdc..564f9d24ce 100644 --- a/plugins/aws/ec2/openAllPortsProtocolsEgress.js +++ b/plugins/aws/ec2/openAllPortsProtocolsEgress.js @@ -18,6 +18,8 @@ module.exports = { default: 'false', } }, + realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules'], + run: function(cache, settings, callback) { var config = { ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default, diff --git a/plugins/aws/ec2/openCustomPorts.js b/plugins/aws/ec2/openCustomPorts.js index 516476b8a0..10c6598d5c 100644 --- a/plugins/aws/ec2/openCustomPorts.js +++ b/plugins/aws/ec2/openCustomPorts.js @@ -24,6 +24,7 @@ module.exports = { default: 'false', } }, + realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules'], run: function(cache, settings, callback) { var config = { 
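Review bot: openAllPortsProtocolsEgress lists only ingress events (`ec2:AuthorizeSecurityGroupIngress`) although, judging by its name, the check inspects egress rules; egress rule changes arrive as `AuthorizeSecurityGroupEgress`/`RevokeSecurityGroupEgress`, so the real-time path would miss the very changes this plugin cares about. If that reading is right the line should be `realtime_triggers: ['ec2:AuthorizeSecurityGroupEgress', 'ec2:RevokeSecurityGroupEgress', 'ec2:ModifySecurityGroupRules'],`. The hunk also adds an extra blank line after the new property that the sibling ec2 hunks do not have. The enclosing `module.exports` object continues outside the hunk.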
diff --git a/plugins/aws/ec2/openHTTP.js b/plugins/aws/ec2/openHTTP.js index 0daaa139d7..94dcb29ebc 100644 --- a/plugins/aws/ec2/openHTTP.js +++ b/plugins/aws/ec2/openHTTP.js @@ -10,6 +10,7 @@ module.exports = { link: 'http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html', recommended_action: 'Restrict TCP port 80 to known IP addresses', apis: ['EC2:describeSecurityGroups'], + realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { diff --git a/plugins/aws/ec2/openHTTPS.js b/plugins/aws/ec2/openHTTPS.js index cdca0788d2..bf7935712a 100644 --- a/plugins/aws/ec2/openHTTPS.js +++ b/plugins/aws/ec2/openHTTPS.js @@ -10,6 +10,7 @@ module.exports = { link: 'http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html', recommended_action: 'Restrict TCP port 443 to known IP addresses.', apis: ['EC2:describeSecurityGroups'], + realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/outdatedAmiInUse.js b/plugins/aws/ec2/outdatedAmiInUse.js index 7b9576b2fc..a684aeb209 100644 --- a/plugins/aws/ec2/outdatedAmiInUse.js +++ b/plugins/aws/ec2/outdatedAmiInUse.js @@ -11,6 +11,7 @@ module.exports = { recommended_action: 'Delete the instances using deprecated AMIs', apis: ['EC2:describeImages', 'EC2:describeInstances', 'AutoScaling:describeLaunchConfigurations', 'EC2:describeLaunchTemplates', 'EC2:describeLaunchTemplateVersions','STS:getCallerIdentity'], + realtime_triggers: ['ec2:RunInstance', 'ec2:TerminateInstance'], run: function(cache, settings, callback) { const results = []; diff --git a/plugins/aws/ec2/overlappingSecurityGroups.js b/plugins/aws/ec2/overlappingSecurityGroups.js index 083f935d68..ff1e443aeb 100644 
--- a/plugins/aws/ec2/overlappingSecurityGroups.js +++ b/plugins/aws/ec2/overlappingSecurityGroups.js @@ -13,6 +13,7 @@ module.exports = { recommended_action: 'Structure security groups to provide a single category of access and do not ' + 'duplicate rules across groups used by the same instances.', apis: ['EC2:describeInstances', 'EC2:describeSecurityGroups'], + realtime_triggers: ['ec2:RunInnstance', 'ec2:modify-instance-attribute', 'ec2:ModifySecurityGroupRules'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/overutilizedEC2Instance.js b/plugins/aws/ec2/overutilizedEC2Instance.js index 8d3d05296b..27809a3fac 100644 --- a/plugins/aws/ec2/overutilizedEC2Instance.js +++ b/plugins/aws/ec2/overutilizedEC2Instance.js @@ -18,6 +18,7 @@ module.exports = { default: '90' } }, + realtime_triggers: ['ec2:RunInstace', 'ec2:ModifyInstanceAttribute'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/publicAmi.js b/plugins/aws/ec2/publicAmi.js index c7fe573974..3a8b408738 100644 --- a/plugins/aws/ec2/publicAmi.js +++ b/plugins/aws/ec2/publicAmi.js @@ -10,6 +10,8 @@ module.exports = { link: 'http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-intro.html', recommended_action: 'Convert the public AMI a private image.', apis: ['EC2:describeImages'], + realtime_triggers: ['ec2:CreateImage', 'ec2:ResetImageAttribute', 'ec2:ModifyImageAttribute'], + run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/publicIpAddress.js b/plugins/aws/ec2/publicIpAddress.js index deb5e7abfa..87534b780a 100644 --- a/plugins/aws/ec2/publicIpAddress.js +++ b/plugins/aws/ec2/publicIpAddress.js 
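Review bot: overlappingSecurityGroups uses `ec2:modify-instance-attribute`, the CLI spelling, where every other hunk in this commit uses the API form `ec2:ModifyInstanceAttribute`, and `ec2:RunInnstance` is misspelled; neither string will match a real event name. The line should read `realtime_triggers: ['ec2:RunInstances', 'ec2:ModifyInstanceAttribute', 'ec2:ModifySecurityGroupRules'],`, and overutilizedEC2Instance on this same line has the parallel typo `ec2:RunInstace`. The enclosing `module.exports` object continues outside the hunk.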
@@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html', recommended_action: 'Remove the public IP address from the EC2 instances to block public access to the instance', apis: ['EC2:describeInstances', 'STS:getCallerIdentity', 'EC2:describeSecurityGroups'], + realtime_triggers: ['ec2:RunInstance','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/securityGroupRfc1918.js b/plugins/aws/ec2/securityGroupRfc1918.js index 7d338b1070..35f10c3200 100644 --- a/plugins/aws/ec2/securityGroupRfc1918.js +++ b/plugins/aws/ec2/securityGroupRfc1918.js @@ -18,6 +18,7 @@ module.exports = { default: '10.0.0.0/8,172.16.0.0/12,192.168.0.0/16' } }, + realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/securityGroupsHasTags.js b/plugins/aws/ec2/securityGroupsHasTags.js index a3b550ff65..65a34a7d88 100644 --- a/plugins/aws/ec2/securityGroupsHasTags.js +++ b/plugins/aws/ec2/securityGroupsHasTags.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://aws.amazon.com/about-aws/whats-new/2021/07/amazon-ec2-adds-resource-identifiers-tags-vpc-security-groups-rules/', recommended_action: 'Update Security Group and add Tags', apis: ['EC2:describeSecurityGroups'], + realtime_triggers: ['ec2:CreateSecurityGroup', 'ec2:AddTags', 'ec2:DeleteTags'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/subnetIpAvailability.js b/plugins/aws/ec2/subnetIpAvailability.js index c6902576de..1852f44223 100644 --- a/plugins/aws/ec2/subnetIpAvailability.js +++ b/plugins/aws/ec2/subnetIpAvailability.js @@ -24,6 +24,7 @@ module.exports = { default: 75 } }, + realtime_triggers: ['ec2:CreateSubnet'], run: function(cache, settings, callback) { var config = { 
diff --git a/plugins/aws/ec2/unassociatedElasticIp.js b/plugins/aws/ec2/unassociatedElasticIp.js index 7f2277ab70..3cb6a205c9 100644 --- a/plugins/aws/ec2/unassociatedElasticIp.js +++ b/plugins/aws/ec2/unassociatedElasticIp.js @@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Delete the unassociated Elastic IP', link: 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html', apis: ['EC2:describeAddresses', 'STS:getCallerIdentity'], + realtime_triggers: ['ec2:ReleaseAddress'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/unusedAmi.js b/plugins/aws/ec2/unusedAmi.js index 66eaac5fcf..0e5b684400 100644 --- a/plugins/aws/ec2/unusedAmi.js +++ b/plugins/aws/ec2/unusedAmi.js @@ -11,6 +11,7 @@ module.exports = { recommended_action: 'Delete the unused/deregistered AMIs', apis: ['EC2:describeImages', 'EC2:describeInstances', 'EC2:describeLaunchTemplates', 'EC2:describeLaunchTemplateVersions', 'AutoScaling:describeLaunchConfigurations', 'STS:getCallerIdentity'], + realtime_triggers: ['ec2:DeregisterImage'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/unusedEni.js b/plugins/aws/ec2/unusedEni.js index 18c2eb61fb..c8b7e2dd6f 100644 --- a/plugins/aws/ec2/unusedEni.js +++ b/plugins/aws/ec2/unusedEni.js @@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Delete the unused AWS Elastic Network Interfaces', link: 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html', apis: ['EC2:describeNetworkInterfaces', 'STS:getCallerIdentity'], + realtime_triggers: ['ec2:DeleteNetworkInterface'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/unusedSecurityGroups.js b/plugins/aws/ec2/unusedSecurityGroups.js index 1c21bf350a..d527c55b19 100644 --- a/plugins/aws/ec2/unusedSecurityGroups.js +++ b/plugins/aws/ec2/unusedSecurityGroups.js 
@@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html', recommended_action: 'Remove security groups that are not being used.', apis: ['EC2:describeSecurityGroups', 'EC2:describeNetworkInterfaces', 'Lambda:listFunctions'], + realtime_triggers: ['ec2:DeleteSecurityGroup'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/unusedVirtualPrivateGateway.js b/plugins/aws/ec2/unusedVirtualPrivateGateway.js index e548a09f19..40007e2187 100644 --- a/plugins/aws/ec2/unusedVirtualPrivateGateway.js +++ b/plugins/aws/ec2/unusedVirtualPrivateGateway.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/vpn/latest/s2svpn/delete-vpn.html', recommended_action: 'Remove the unused Virtual Private Gateways (VGWs)', apis: ['EC2:describeVpnGateways', 'STS:getCallerIdentity'], + realtime_triggers: ['ec2:CreateVpnGateway', 'ec2:DeleteVpnGateway'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/unusedVpcInternetGateways.js b/plugins/aws/ec2/unusedVpcInternetGateways.js index a7ec5b6635..e54476f1e9 100644 --- a/plugins/aws/ec2/unusedVpcInternetGateways.js +++ b/plugins/aws/ec2/unusedVpcInternetGateways.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html', recommended_action: 'Remove the unused/detached Internet Gateways and Egress-Only Internet Gateways', apis: ['EC2:describeInternetGateways', 'EC2:describeEgressOnlyInternetGateways', 'STS:getCallerIdentity'], + realtime_triggers: ['ec2:CreateInternetGateway', 'ec2:DeleteInternetGateway'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/vpcEndpointAcceptance.js b/plugins/aws/ec2/vpcEndpointAcceptance.js index 8a42948c1e..c5c7b894f5 100644 --- a/plugins/aws/ec2/vpcEndpointAcceptance.js +++ b/plugins/aws/ec2/vpcEndpointAcceptance.js 
@@ -18,6 +18,7 @@ module.exports = { default: 'false' }, }, + realtime_triggers: ['ec2:AcceptVpcEndpointConnections'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/vpcEndpointCrossAccount.js b/plugins/aws/ec2/vpcEndpointCrossAccount.js index 53e3c8c5ce..d2e5032341 100644 --- a/plugins/aws/ec2/vpcEndpointCrossAccount.js +++ b/plugins/aws/ec2/vpcEndpointCrossAccount.js @@ -18,6 +18,7 @@ module.exports = { default: '' } }, + realtime_triggers: ['ec2:CreateVpcEndpoint', 'ec2:ModifyVpcEndpoint'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/vpcEndpointExposed.js b/plugins/aws/ec2/vpcEndpointExposed.js index 8df83fa875..5be435d624 100644 --- a/plugins/aws/ec2/vpcEndpointExposed.js +++ b/plugins/aws/ec2/vpcEndpointExposed.js @@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Update VPC endpoint access policy in order to stop any unsigned requests', link: 'https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html', apis: ['EC2:describeVpcEndpoints', 'EC2:describeSubnets', 'EC2:describeRouteTables', 'STS:getCallerIdentity'], + realtime_triggers: ['ec2:CreateVpcEndpoint', 'ec2:ModifyVpcEndpoint'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/vpcHasTags.js b/plugins/aws/ec2/vpcHasTags.js index eb5a2db0d6..affbc3e0e4 100644 --- a/plugins/aws/ec2/vpcHasTags.js +++ b/plugins/aws/ec2/vpcHasTags.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://aws.amazon.com/about-aws/whats-new/2020/07/amazon-vpc-resources-support-tag-on-create/', recommended_action: 'Modify VPCs and add new tags', apis: ['EC2:describeVpcs'], + realtime_triggers: ['ec2:CreateVpc', 'ec2:AddTags', 'ec2:DeleteTags'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/vpcPeeringConnections.js b/plugins/aws/ec2/vpcPeeringConnections.js index fa3ebddcbf..914862c1b2 100644 --- a/plugins/aws/ec2/vpcPeeringConnections.js 
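Review bot: `ec2:AddTags` in the vpcHasTags trigger list is not an EC2 API action; the EC2 tagging call is `CreateTags`, so an event-name match on this entry can never fire and the plugin will not be re-evaluated when tags are added. Change it to `realtime_triggers: ['ec2:CreateVpc', 'ec2:CreateTags', 'ec2:DeleteTags'],`. The same class of mis-spelt action appears in the hunks on the next two lines: `ec2:RunInstance` and `ec2:TerminateInstance` in vpcSubnetInstancesPresent and webTierInstanceIamRole (the actions are `RunInstances` and `TerminateInstances`), and `ec2:DeattachVpnGateway` in vpnGatewayInVpc (the action is `DetachVpnGateway`). A unit test that checks every `realtime_triggers` entry against a list of known action names would catch these before they silently produce a coverage gap.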
+++ b/plugins/aws/ec2/vpcPeeringConnections.js @@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Update VPC peering connections to allow connections to AWS Accounts, members of the same organization', link: 'https://docs.aws.amazon.com/vpc/latest/peering/working-with-vpc-peering.html', apis: ['Organizations:listAccounts', 'EC2:describeVpcPeeringConnections', 'STS:getCallerIdentity'], + realtime_triggers: ['ec2:CreateVpcPeeringConnection', 'ec2:DeleteVpcPeeringConnection'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/vpcSubnetInstancesPresent.js b/plugins/aws/ec2/vpcSubnetInstancesPresent.js index 1614db1c59..35bf7d695c 100644 --- a/plugins/aws/ec2/vpcSubnetInstancesPresent.js +++ b/plugins/aws/ec2/vpcSubnetInstancesPresent.js @@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Update VPC subnets and attach instances to it or remove the unused VPC subnets', link: 'https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html', apis: ['EC2:describeInstances', 'EC2:describeSubnets'], + realtime_triggers: ['ec2:RunInstance', 'ec2:CreateSubnet', 'ec2:TerminateInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/vpnGatewayInVpc.js b/plugins/aws/ec2/vpnGatewayInVpc.js index 257d34ee48..479e082e30 100644 --- a/plugins/aws/ec2/vpnGatewayInVpc.js +++ b/plugins/aws/ec2/vpnGatewayInVpc.js @@ -11,6 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html', recommended_action: 'Check if virtual private gateways have vpc associated', apis: ['EC2:describeVpnGateways', 'STS:getCallerIdentity'], + realtime_triggers: ['ec2:CreateVpnGateway', 'ec2:AttachVpnGateway', 'ec2:DeattachVpnGateway'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/vpnTunnelState.js b/plugins/aws/ec2/vpnTunnelState.js index a69ed8bb2e..2c1323fedb 100644 --- a/plugins/aws/ec2/vpnTunnelState.js 
+++ b/plugins/aws/ec2/vpnTunnelState.js @@ -18,6 +18,7 @@ module.exports = { default: 'false' } }, + realtime_triggers: ['ec2:CreateVpnConnection'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/webTierInstanceIamRole.js b/plugins/aws/ec2/webTierInstanceIamRole.js index 85364ccac0..97d75cc3a1 100644 --- a/plugins/aws/ec2/webTierInstanceIamRole.js +++ b/plugins/aws/ec2/webTierInstanceIamRole.js @@ -19,6 +19,7 @@ module.exports = { default: '' }, }, + realtime_triggers: ['ec2:RunInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ecr/ecrImageVulnerability.js b/plugins/aws/ecr/ecrImageVulnerability.js index 06f4ad5758..e849d7cd8d 100644 --- a/plugins/aws/ecr/ecrImageVulnerability.js +++ b/plugins/aws/ecr/ecrImageVulnerability.js @@ -9,6 +9,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html#scanning-on-push', recommended_action: 'Enable "Scan on Push" for your Amazon ECR repositories.', apis: ['ECR:describeRepositories'], + realtime_triggers: ['ecr:CreateRepository', 'ecr:PutImageScanningConfiguration'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ecr/ecrRepositoryEncrypted.js b/plugins/aws/ecr/ecrRepositoryEncrypted.js index c79941c6a7..ff601925e0 100644 --- a/plugins/aws/ecr/ecrRepositoryEncrypted.js +++ b/plugins/aws/ecr/ecrRepositoryEncrypted.js @@ -19,6 +19,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['ecr:CreateRepository'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ecr/ecrRepositoryHasTags.js b/plugins/aws/ecr/ecrRepositoryHasTags.js index 94aa8bc2bc..124386dcfd 100644 --- a/plugins/aws/ecr/ecrRepositoryHasTags.js +++ b/plugins/aws/ecr/ecrRepositoryHasTags.js 
@@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-using-tags.html', recommended_action: 'Modify ECR repository and add tags.', apis: ['ECR:describeRepositories', 'ResourceGroupsTaggingAPI:getResources'], + realtime_triggers: ['ecr:CreateRepository', 'ecr:TagResource', 'ecr:UntagResource'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ecr/ecrRepositoryPolicy.js b/plugins/aws/ecr/ecrRepositoryPolicy.js index 77cb837522..b86ee2b11d 100644 --- a/plugins/aws/ecr/ecrRepositoryPolicy.js +++ b/plugins/aws/ecr/ecrRepositoryPolicy.js @@ -24,6 +24,7 @@ module.exports = { default: 'true' } }, + realtime_triggers: ['ecr:CreateRepository', 'ecr:SetRepositoryPolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ecr/ecrRepositoryTagImmutability.js b/plugins/aws/ecr/ecrRepositoryTagImmutability.js index ba78a6d2d2..ac81cd9708 100644 --- a/plugins/aws/ecr/ecrRepositoryTagImmutability.js +++ b/plugins/aws/ecr/ecrRepositoryTagImmutability.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-tag-mutability.html', recommended_action: 'Update ECR registry configurations to ensure image tag mutability is set to immutable.', apis: ['ECR:describeRepositories'], + realtime_triggers: ['ecr:CreateRepository', 'ecr:PutImageTagMutability'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ecs/ecsClusterActiveService.js b/plugins/aws/ecs/ecsClusterActiveService.js index dafdc019e1..04757f8fa7 100644 --- a/plugins/aws/ecs/ecsClusterActiveService.js +++ b/plugins/aws/ecs/ecsClusterActiveService.js 
@@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Modify Cluster and create new service.', link: 'https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html', apis: ['ECS:listClusters', 'ECS:describeCluster'], + realtime_triggers: ['ecs:CreateCluster', 'ecs:CreateService', 'ecs:UpdateService', 'ecs:DeleteService'], run: function(cache, settings, callback){ var results = []; diff --git a/plugins/aws/ecs/ecsClusterWithActiveTask.js b/plugins/aws/ecs/ecsClusterWithActiveTask.js index dbf4fffb08..473f2e7bfd 100644 --- a/plugins/aws/ecs/ecsClusterWithActiveTask.js +++ b/plugins/aws/ecs/ecsClusterWithActiveTask.js @@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Modify Cluster services and add tasks', link: 'https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html', apis: ['ECS:listClusters', 'ECS:describeCluster'], + realtime_triggers: ['ecs:CreateCluster', 'ecs:RunTask'], run: function(cache, settings, callback){ var results = []; diff --git a/plugins/aws/ecs/ecsClustersHaveTags.js b/plugins/aws/ecs/ecsClustersHaveTags.js index 96cf576ebd..67e4a38c1b 100644 --- a/plugins/aws/ecs/ecsClustersHaveTags.js +++ b/plugins/aws/ecs/ecsClustersHaveTags.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-using-tags.html', recommended_action: 'Modify ECS Cluster and add tags.', apis: ['ECS:listClusters', 'ResourceGroupsTaggingAPI:getResources'], + realtime_triggers: ['ecs:CreateCluster', 'ecs:TagResource', 'ecs:UntagResource'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ecs/ecsContainerInsightsEnabled.js b/plugins/aws/ecs/ecsContainerInsightsEnabled.js index 5192a051cd..7df5a3ef41 100644 --- a/plugins/aws/ecs/ecsContainerInsightsEnabled.js +++ b/plugins/aws/ecs/ecsContainerInsightsEnabled.js 
@@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Enabled container insights feature for ECS clusters.', link: 'https://docs.aws.amazon.com/AmazonECS/latest/developerguide/cloudwatch-container-insights.html', apis: ['ECS:listClusters', 'ECS:describeCluster'], + realtime_triggers: ['ecs:CreateCluster', 'ecs:UpdateClusterSettings'], run: function(cache, settings, callback){ var results = []; diff --git a/plugins/aws/efs/efsCmkEncrypted.js b/plugins/aws/efs/efsCmkEncrypted.js index 20662f6317..75b25124fc 100644 --- a/plugins/aws/efs/efsCmkEncrypted.js +++ b/plugins/aws/efs/efsCmkEncrypted.js @@ -18,6 +18,7 @@ module.exports = { default: 20 } }, + realtime_triggers: ['efs:CreateFileSystem'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/efs/efsEncryptionEnabled.js b/plugins/aws/efs/efsEncryptionEnabled.js index 80d3ba8899..871d6bc866 100644 --- a/plugins/aws/efs/efsEncryptionEnabled.js +++ b/plugins/aws/efs/efsEncryptionEnabled.js @@ -18,6 +18,7 @@ module.exports = { 'encryption should be enabled for all volumes storing this type ' + 'of data.' }, + realtime_triggers: ['efs:CreateFileSystem'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/efs/efsHasTags.js b/plugins/aws/efs/efsHasTags.js index 18beb85c4a..f8b644f8dd 100644 --- a/plugins/aws/efs/efsHasTags.js +++ b/plugins/aws/efs/efsHasTags.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/efs/latest/ug/manage-fs-tags.html', recommended_action: 'Modify EFS file systems to add tags.', apis: ['EFS:describeFileSystems'], + realtime_triggers: ['efs:CreateFileSystem', 'efs:TagResource', 'efs:UnTagResource'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/eks/eksClusterHasTags.js b/plugins/aws/eks/eksClusterHasTags.js index e229b0c360..c23e8d31c3 100644 --- a/plugins/aws/eks/eksClusterHasTags.js +++ b/plugins/aws/eks/eksClusterHasTags.js 
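Review bot: `efs:UnTagResource` in the efsHasTags hunk does not match the casing of the EFS action, which is `UntagResource`; whether that matters depends on how trigger names are compared, which this commit does not show, but every other entry in the series uses the API's canonical casing, so the odd one out is a trap for whoever later switches to exact matching. Normalise it: `realtime_triggers: ['efs:CreateFileSystem', 'efs:TagResource', 'efs:UntagResource'],`. The enclosing `module.exports` object is outside the hunk.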
@@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/eks/latest/userguide/eks-using-tags.html', recommended_action: 'Modify EKS Cluster and add tags.', apis: ['EKS:listClusters', 'ResourceGroupsTaggingAPI:getResources', 'STS:getCallerIdentity'], + realtime_triggers: ['eks:CreateCluster', 'eks:TagResource', 'eks:UntagResource'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/eks/eksKubernetesVersion.js b/plugins/aws/eks/eksKubernetesVersion.js index a2b836806a..0ecc62d7e6 100644 --- a/plugins/aws/eks/eksKubernetesVersion.js +++ b/plugins/aws/eks/eksKubernetesVersion.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html', recommended_action: 'Upgrade the version of Kubernetes on all EKS clusters to the latest available version.', apis: ['EKS:listClusters', 'EKS:describeCluster', 'STS:getCallerIdentity'], + realtime_triggers: ['eks:CreateCluster', 'eks:UpdateClusterVersion'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/eks/eksLatestPlatformVersion.js b/plugins/aws/eks/eksLatestPlatformVersion.js index 32e406a8e8..6f2fb38c1e 100644 --- a/plugins/aws/eks/eksLatestPlatformVersion.js +++ b/plugins/aws/eks/eksLatestPlatformVersion.js @@ -11,6 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html', recommended_action: 'Check for the version on all EKS clusters to be the latest platform version.', apis: ['EKS:listClusters', 'EKS:describeCluster', 'STS:getCallerIdentity'], + realtime_triggers: ['eks:CreateCluster', 'eks:UpdateClusterVersion'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/eks/eksLoggingEnabled.js b/plugins/aws/eks/eksLoggingEnabled.js index 6941935617..b03c6905d0 100644 --- a/plugins/aws/eks/eksLoggingEnabled.js +++ b/plugins/aws/eks/eksLoggingEnabled.js 
@@ -15,6 +15,7 @@ module.exports = { apis_remediate: ['EKS:listClusters', 'EKS:describeCluster'], actions: {remediate: ['EKS:updateClusterConfig'], rollback: ['EKS:updateClusterConfig']}, permissions: {remediate: ['eks:UpdateClusterConfig'], rollback: ['eks:UpdateClusterConfig']}, + realtime_triggers: ['eks:CreateCluster', 'eks:updateClusterConfig'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/eks/eksPrivateEndpoint.js b/plugins/aws/eks/eksPrivateEndpoint.js index 6cc16fed34..1fcde4fccb 100644 --- a/plugins/aws/eks/eksPrivateEndpoint.js +++ b/plugins/aws/eks/eksPrivateEndpoint.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html', recommended_action: 'Enable the private endpoint setting for all EKS clusters.', apis: ['EKS:listClusters', 'EKS:describeCluster', 'STS:getCallerIdentity'], + realtime_triggers: ['eks:CreateCluster', 'eks:updateClusterConfig'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/eks/eksSecretsEncrypted.js b/plugins/aws/eks/eksSecretsEncrypted.js index 1d759e20be..798d88afc8 100644 --- a/plugins/aws/eks/eksSecretsEncrypted.js +++ b/plugins/aws/eks/eksSecretsEncrypted.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/', recommended_action: 'Modify EKS clusters to enable envelope encryption for Kubernetes secrets', apis: ['EKS:listClusters', 'EKS:describeCluster', 'STS:getCallerIdentity'], + realtime_triggers: ['eks:CreateCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/eks/eksSecurityGroups.js b/plugins/aws/eks/eksSecurityGroups.js index 9c38fc7927..d8b4cbf7d7 100644 --- a/plugins/aws/eks/eksSecurityGroups.js +++ b/plugins/aws/eks/eksSecurityGroups.js 
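Review bot: `eks:updateClusterConfig` in the eksLoggingEnabled hunk disagrees with the `permissions` line two lines above it in the same hunk, which spells the same action `eks:UpdateClusterConfig`; if trigger matching is case-sensitive (not visible here) the lowercase variant never matches and the logging check is not re-run when cluster logging is changed. Use the canonical form here and in the eksPrivateEndpoint hunk on the same line: `realtime_triggers: ['eks:CreateCluster', 'eks:UpdateClusterConfig'],`.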
@@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html', recommended_action: 'Configure security groups for the EKS control plane to allow access only on port 443.', apis: ['EKS:listClusters', 'EKS:describeCluster', 'EC2:describeSecurityGroups', 'STS:getCallerIdentity'], + realtime_triggers: ['eks:CreateCluster', 'ec2:RevokeSecurityGroupIngress', 'ec2:AuthorizeSecurityGroupIngress'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elasticache/elasticCacheClusterHasTags.js b/plugins/aws/elasticache/elasticCacheClusterHasTags.js index 298b87a7f7..79172a0020 100644 --- a/plugins/aws/elasticache/elasticCacheClusterHasTags.js +++ b/plugins/aws/elasticache/elasticCacheClusterHasTags.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Tagging-Resources.html', recommended_action: 'Modify ElastiCache cluster and add tags.', apis: ['ElastiCache:describeCacheClusters', 'ResourceGroupsTaggingAPI:getResources'], + realtime_triggers: ['elasticache:CreateCluster', 'elasticache:AddTagsToResource', 'elasticache:RemoveTagsToResource'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elasticache/elasticacheClusterInVpc.js b/plugins/aws/elasticache/elasticacheClusterInVpc.js index c8daed166c..79ca46fa5c 100644 --- a/plugins/aws/elasticache/elasticacheClusterInVpc.js +++ b/plugins/aws/elasticache/elasticacheClusterInVpc.js @@ -10,6 +10,8 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/VPCs.EC.html', recommended_action: 'Create ElastiCache clusters within VPC network', apis: ['ElastiCache:describeCacheClusters'], + realtime_triggers: ['elasticache:CreateCluster'], + run: function(cache, settings, callback) { var results = []; var source = {}; 
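Review bot: `elasticache:CreateCluster`, used in elasticCacheClusterHasTags and elasticacheClusterInVpc here and in every ElastiCache hunk on the following four lines, is not an ElastiCache action; the create call is `CreateCacheCluster`, consistent with the `ModifyCacheCluster` and `DeleteCacheCluster` entries this same commit adds elsewhere, so none of these plugins will be re-triggered on cluster creation. `elasticache:RemoveTagsToResource` in elasticCacheClusterHasTags is likewise mis-named; the action is `RemoveTagsFromResource`. For the tags plugin that gives `realtime_triggers: ['elasticache:CreateCacheCluster', 'elasticache:AddTagsToResource', 'elasticache:RemoveTagsFromResource'],`. Separately, the reserved-node plugins on the later lines (reservedNodePaymentFailed, reservedNodePaymentPending, unusedElastiCacheReservedNode) list only cluster creation although their state changes on `elasticache:PurchaseReservedCacheNodesOffering`, which the reservedNodeLeaseExpiration hunk already uses.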
diff --git a/plugins/aws/elasticache/elasticacheDefaultPorts.js b/plugins/aws/elasticache/elasticacheDefaultPorts.js index fef6c68bf0..2a57100542 100644 --- a/plugins/aws/elasticache/elasticacheDefaultPorts.js +++ b/plugins/aws/elasticache/elasticacheDefaultPorts.js @@ -9,6 +9,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/accessing-elasticache.html', recommended_action: 'Configure ElastiCache clusters to use the non-default ports.', apis: ['ElastiCache:describeCacheClusters'], + realtime_triggers: ['elasticache:CreateCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elasticache/elasticacheInstanceGeneration.js b/plugins/aws/elasticache/elasticacheInstanceGeneration.js index d5bb0f2c87..a9a37d3cd5 100644 --- a/plugins/aws/elasticache/elasticacheInstanceGeneration.js +++ b/plugins/aws/elasticache/elasticacheInstanceGeneration.js @@ -11,6 +11,7 @@ module.exports = { link: 'https://aws.amazon.com/elasticache/previous-generation/', recommended_action: 'Upgrade ElastiCache instance generaion to the latest available generation.', apis: ['ElastiCache:describeCacheClusters'], + realtime_triggers: ['elasticache:CreateCluster', 'elasticache:ModifyCacheCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elasticache/elasticacheNodesCount.js b/plugins/aws/elasticache/elasticacheNodesCount.js index 50e30e9e49..4f1607b9a6 100644 --- a/plugins/aws/elasticache/elasticacheNodesCount.js +++ b/plugins/aws/elasticache/elasticacheNodesCount.js @@ -24,6 +24,7 @@ module.exports = { default: '200' }, }, + realtime_triggers: ['elasticache:CreateCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elasticache/elasticacheRedisMultiAZ.js b/plugins/aws/elasticache/elasticacheRedisMultiAZ.js index a886491b05..df0e0963a8 100644 --- a/plugins/aws/elasticache/elasticacheRedisMultiAZ.js 
+++ b/plugins/aws/elasticache/elasticacheRedisMultiAZ.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/AutoFailover.html#AutoFailover.Enable', recommended_action: 'Enable Redis Multi-AZ for ElastiCache clusters', apis: ['ElastiCache:describeCacheClusters', 'ElastiCache:describeReplicationGroups'], + realtime_triggers: ['elasticache:CreateCluster', 'elasticache:ModifyReplicationGroup'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elasticache/elasticaheDesiredNodeType.js b/plugins/aws/elasticache/elasticaheDesiredNodeType.js index 2af8cb59ba..83cbec6f62 100644 --- a/plugins/aws/elasticache/elasticaheDesiredNodeType.js +++ b/plugins/aws/elasticache/elasticaheDesiredNodeType.js @@ -18,6 +18,7 @@ module.exports = { default:'cache.t2.micro' } }, + realtime_triggers: ['elasticache:CreateCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elasticache/idleElastiCacheNode.js b/plugins/aws/elasticache/idleElastiCacheNode.js index 214a70b32a..a966da8a75 100644 --- a/plugins/aws/elasticache/idleElastiCacheNode.js +++ b/plugins/aws/elasticache/idleElastiCacheNode.js @@ -18,6 +18,7 @@ module.exports = { default: '' } }, + realtime_triggers: ['elasticache:CreateCluster', 'elasticache:DeleteCacheCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elasticache/redisClusterEncryptionAtRest.js b/plugins/aws/elasticache/redisClusterEncryptionAtRest.js index 537d2c101a..d328ac38b5 100644 --- a/plugins/aws/elasticache/redisClusterEncryptionAtRest.js +++ b/plugins/aws/elasticache/redisClusterEncryptionAtRest.js @@ -19,6 +19,7 @@ module.exports = { default: 'awscmk', } }, + realtime_triggers: ['elasticache:CreateCluster', 'elasticache:CreateReplicationGroup'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/elasticache/redisClusterEncryptionInTransit.js b/plugins/aws/elasticache/redisClusterEncryptionInTransit.js index e6aed084a9..ffde2f95d6 100644 --- a/plugins/aws/elasticache/redisClusterEncryptionInTransit.js +++ b/plugins/aws/elasticache/redisClusterEncryptionInTransit.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html', recommended_action: 'Enable in-transit encryption for ElastiCache clusters', apis: ['ElastiCache:describeCacheClusters'], + realtime_triggers: ['elasticache:CreateCluster', 'elasticache:CreateReplicationGroup'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elasticache/redisEngineVersions.js b/plugins/aws/elasticache/redisEngineVersions.js index 5699d16ba0..03707b8e3f 100644 --- a/plugins/aws/elasticache/redisEngineVersions.js +++ b/plugins/aws/elasticache/redisEngineVersions.js @@ -11,6 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/supported-engine-versions.html', recommended_action: 'Upgrade the version of Redis on all ElastiCache clusters to the latest available version.', apis: ['ElastiCache:describeCacheClusters'], + realtime_triggers: ['elasticache:CreateCluster', 'elasticache:ModifyCacheCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elasticache/reservedNodeLeaseExpiration.js b/plugins/aws/elasticache/reservedNodeLeaseExpiration.js index b6b2c92c91..88b1b8e4cc 100644 --- a/plugins/aws/elasticache/reservedNodeLeaseExpiration.js +++ b/plugins/aws/elasticache/reservedNodeLeaseExpiration.js 
@@ -10,6 +10,7 @@ module.exports = { link: 'https://aws.amazon.com/elasticache/reserved-cache-nodes/', recommended_action: 'Enable ElastiCache reserved cache nodes expiration days alert', apis: ['ElastiCache:describeReservedCacheNodes'], + realtime_triggers: ['elasticache:CreateCluster', 'elasticache:PurchaseReservedCacheNodesOffering'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elasticache/reservedNodePaymentFailed.js b/plugins/aws/elasticache/reservedNodePaymentFailed.js index 20d38c342b..6e89ec4c78 100644 --- a/plugins/aws/elasticache/reservedNodePaymentFailed.js +++ b/plugins/aws/elasticache/reservedNodePaymentFailed.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://aws.amazon.com/elasticache/reserved-cache-nodes/', recommended_action: 'Identify any failed payments for ElastiCache reserved cache nodes', apis: ['ElastiCache:describeReservedCacheNodes'], + realtime_triggers: ['elasticache:CreateCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elasticache/reservedNodePaymentPending.js b/plugins/aws/elasticache/reservedNodePaymentPending.js index 4c63e2f8d8..0ac9c8e61c 100644 --- a/plugins/aws/elasticache/reservedNodePaymentPending.js +++ b/plugins/aws/elasticache/reservedNodePaymentPending.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://aws.amazon.com/elasticache/reserved-cache-nodes/', recommended_action: 'Identify any pending payments for ElastiCache reserved cache nodes', apis: ['ElastiCache:describeReservedCacheNodes'], + realtime_triggers: ['elasticache:CreateCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elasticache/unusedElastiCacheReservedNode.js b/plugins/aws/elasticache/unusedElastiCacheReservedNode.js index ff41672a69..8362f32f4b 100644 --- a/plugins/aws/elasticache/unusedElastiCacheReservedNode.js +++ b/plugins/aws/elasticache/unusedElastiCacheReservedNode.js 
@@ -10,6 +10,7 @@ module.exports = { link: 'https://aws.amazon.com/elasticache/reserved-cache-nodes/', recommended_action: 'Enable prevention of unused reserved nodes for ElastiCache clusters', apis: ['ElastiCache:describeCacheClusters', 'ElastiCache:describeReservedCacheNodes'], + realtime_triggers: ['elasticache:CreateCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elasticbeanstalk/enhancedHealthReporting.js b/plugins/aws/elasticbeanstalk/enhancedHealthReporting.js index 0872b7213b..d24bfd35b9 100644 --- a/plugins/aws/elasticbeanstalk/enhancedHealthReporting.js +++ b/plugins/aws/elasticbeanstalk/enhancedHealthReporting.js @@ -12,6 +12,7 @@ module.exports = { recommended_action: 'Modify Elastic Beanstalk environmentsand enable enhanced health reporting.', link: 'https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/health-enhanced.html', apis: ['ElasticBeanstalk:describeEnvironments'], + realtime_triggers: ['elasticbeanstalk:CreateEnvironment', 'elasticbeanstalk:UpdateEnvironment'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elasticbeanstalk/environmentAccessLogs.js b/plugins/aws/elasticbeanstalk/environmentAccessLogs.js index de0ca10a64..55b3ea9a0c 100644 --- a/plugins/aws/elasticbeanstalk/environmentAccessLogs.js +++ b/plugins/aws/elasticbeanstalk/environmentAccessLogs.js @@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Go to specific environment, select Configuration, edit Load Balancer category, and enable Store logs', link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html', apis: ['ElasticBeanstalk:describeEnvironments', 'ElasticBeanstalk:describeConfigurationSettings'], + realtime_triggers: ['elasticbeanstalk:CreateEnvironment', 'elasticbeanstalk:UpdateEnvironment'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/elasticbeanstalk/environmentPersistentLogs.js b/plugins/aws/elasticbeanstalk/environmentPersistentLogs.js index 42013fb2a0..3f6fc7f4c4 100644 --- a/plugins/aws/elasticbeanstalk/environmentPersistentLogs.js +++ b/plugins/aws/elasticbeanstalk/environmentPersistentLogs.js @@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Go to specific environment, select Configuration, edit Software category, and enable Log streaming', link: 'https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.cloudwatchlogs.html', apis: ['ElasticBeanstalk:describeEnvironments', 'ElasticBeanstalk:describeConfigurationSettings'], + realtime_triggers: ['elasticbeanstalk:CreateEnvironment', 'elasticbeanstalk:UpdateEnvironment'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elasticbeanstalk/managedPlatformUpdates.js b/plugins/aws/elasticbeanstalk/managedPlatformUpdates.js index c8cfd8d82e..3d7456c36c 100644 --- a/plugins/aws/elasticbeanstalk/managedPlatformUpdates.js +++ b/plugins/aws/elasticbeanstalk/managedPlatformUpdates.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environment-platform-update-managed.html', recommended_action: 'Update the environment to enable managed updates.', apis: ['ElasticBeanstalk:describeEnvironments', 'ElasticBeanstalk:describeConfigurationSettings'], + realtime_triggers: ['elasticbeanstalk:CreateEnvironment', 'elasticbeanstalk:UpdateEnvironment'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elastictranscoder/jobOutputsEncrypted.js b/plugins/aws/elastictranscoder/jobOutputsEncrypted.js index 241e39c3ae..f3a1d63a70 100644 --- a/plugins/aws/elastictranscoder/jobOutputsEncrypted.js +++ b/plugins/aws/elastictranscoder/jobOutputsEncrypted.js 
@@ -11,6 +11,7 @@ module.exports = { recommended_action: 'Enable encryption for Elastic Transcoder job outputs', link: 'https://docs.aws.amazon.com/elastictranscoder/latest/developerguide/encryption.html', apis: ['ElasticTranscoder:listPipelines', 'ElasticTranscoder:listJobsByPipeline'], + realtime_triggers: ['elastictranscoder:CreatePipeline', 'elastictranscoder:UpdatePipeline'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elastictranscoder/pipelineDataEncrypted.js b/plugins/aws/elastictranscoder/pipelineDataEncrypted.js index ebb4345b0c..bcc6b6dbd5 100644 --- a/plugins/aws/elastictranscoder/pipelineDataEncrypted.js +++ b/plugins/aws/elastictranscoder/pipelineDataEncrypted.js @@ -19,6 +19,7 @@ module.exports = { default: 'awscmk', } }, + realtime_triggers: ['elastictranscoder:CreatePipeline', 'elastictranscoder:UpdatePipeline'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elb/appTierElbSecurity.js b/plugins/aws/elb/appTierElbSecurity.js index 1e362c0d17..f7ac739790 100644 --- a/plugins/aws/elb/appTierElbSecurity.js +++ b/plugins/aws/elb/appTierElbSecurity.js @@ -24,6 +24,7 @@ module.exports = { default: 'ELBSecurityPolicy-2016-08,ELBSecurityPolicy-TLS-1-2-2017-01,ELBSecurityPolicy-TLS-1-1-2017-01' } }, + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancerListeners','elasticloadbalancing:CreateLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elb/classicELBInUse.js b/plugins/aws/elb/classicELBInUse.js index 0a365cf9d8..74e17c1353 100644 --- a/plugins/aws/elb/classicELBInUse.js +++ b/plugins/aws/elb/classicELBInUse.js 
@@ -10,6 +10,7 @@ module.exports = { link: 'https://aws.amazon.com/elasticloadbalancing/features/', recommended_action: 'Detach Classic Load balancer from HTTP/HTTPS applications and attach Application Load Balancer to those applications', apis: ['ELB:describeLoadBalancers', 'STS:getCallerIdentity'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elb/connectionDrainingEnabled.js b/plugins/aws/elb/connectionDrainingEnabled.js index 2ccf2bf33c..82f39b2b0f 100644 --- a/plugins/aws/elb/connectionDrainingEnabled.js +++ b/plugins/aws/elb/connectionDrainingEnabled.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-conn-drain.html', recommended_action: 'Update ELBs to enable connection draining', apis: ['ELB:describeLoadBalancers', 'ELB:describeLoadBalancerAttributes', 'STS:getCallerIdentity'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elaticloadbalancing:ModifyLoadBalancerAttributes'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elb/crosszoneLoadBalancing.js b/plugins/aws/elb/crosszoneLoadBalancing.js index 296f746e6d..9c75590208 100644 --- a/plugins/aws/elb/crosszoneLoadBalancing.js +++ b/plugins/aws/elb/crosszoneLoadBalancing.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html', recommended_action: 'Update AWS ELB to enable cross zone load balancing', apis: ['ELB:describeLoadBalancers', 'ELB:describeLoadBalancerAttributes', 'STS:getCallerIdentity'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elaticloadbalancing:ModifyLoadBalancerAttributes', 'elasticloadbalancing:AttachLoadBalancerToSubnets'], run: function(cache, settings, callback) { var results = []; 
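Review bot: The service prefix in connectionDrainingEnabled's added entry `'elaticloadbalancing:ModifyLoadBalancerAttributes'` is misspelled (missing the `s`), so an attribute change would never match and the check would not re-run on the very event that can turn draining off. The same misspelling appears in the crosszoneLoadBalancing hunk on this line and in elbLoggingEnabled below, and on `CreateLoadBalancer` in elbUnhealthyInstances and insecureCiphers further down. Every other entry in this series uses `elasticloadbalancing:`; a shared prefix constant, or a unit test that validates each trigger string against a known action list, would stop this class of silent detection gap. The enclosing `module.exports` object continues outside the hunk.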
diff --git a/plugins/aws/elb/elbHasTags.js b/plugins/aws/elb/elbHasTags.js index b344026f07..0ce3b6542b 100644 --- a/plugins/aws/elb/elbHasTags.js +++ b/plugins/aws/elb/elbHasTags.js @@ -10,6 +10,8 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_AddTags.html', recommended_action: 'Modify ELB and add tags.', apis: ['ELB:describeLoadBalancers', 'ResourceGroupsTaggingAPI:getResources', 'STS:getCallerIdentity'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:AddTags', 'elasticloadbalancing:RemoveTags'], + run: function(cache, settings, callback) { var results = []; var source = {}; diff --git a/plugins/aws/elb/elbLoggingEnabled.js b/plugins/aws/elb/elbLoggingEnabled.js index 92176f32ba..1e336b2269 100644 --- a/plugins/aws/elb/elbLoggingEnabled.js +++ b/plugins/aws/elb/elbLoggingEnabled.js @@ -22,6 +22,7 @@ module.exports = { pci: 'PCI requires logging of all network access to environments containing ' + 'cardholder data. Enable ELB logs to log these network requests.' }, + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elaticloadbalancing:ModifyLoadBalancerAttributes'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elb/elbNoInstances.js b/plugins/aws/elb/elbNoInstances.js index 51f17353b6..1c3135f11b 100644 --- a/plugins/aws/elb/elbNoInstances.js +++ b/plugins/aws/elb/elbNoInstances.js @@ -24,7 +24,7 @@ module.exports = { remediate: ['elasticloadbalancing:DeleteLoadBalancer'], rollback: ['elasticloadbalancing:CreateLoadBalancer'] }, - realtime_triggers: [], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elb/elbUnhealthyInstances.js b/plugins/aws/elb/elbUnhealthyInstances.js index 6b81584b09..ad5eda0e54 100644 --- a/plugins/aws/elb/elbUnhealthyInstances.js +++ b/plugins/aws/elb/elbUnhealthyInstances.js 
@@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-healthchecks.html#check-instance-health', recommended_action: 'Investigate and resolve the health issues of the instances attached to the ELB.', apis: ['ELB:describeLoadBalancers', 'ELB:describeInstanceHealth', 'STS:getCallerIdentity'], + realtime_triggers: ['elaticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:RegisterInstancesWithLoadBalancer', 'elasticloadbalancing:DeregisterInstancesWithLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elb/insecureCiphers.js b/plugins/aws/elb/insecureCiphers.js index efeb7bf2fe..6d12e88a2a 100644 --- a/plugins/aws/elb/insecureCiphers.js +++ b/plugins/aws/elb/insecureCiphers.js @@ -92,6 +92,7 @@ module.exports = { pci: 'PCI requires secure transfer of cardholder data. It does not permit SSL or TLS ' + 'version 1.0. ELB listeners should be configured for TLS v1.2.' }, + realtime_triggers: ['elaticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:ModifyLoadBalancerAttributes'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2DeletionProtection.js b/plugins/aws/elbv2/elbv2DeletionProtection.js index b64a5799ac..f7faa2274e 100644 --- a/plugins/aws/elbv2/elbv2DeletionProtection.js +++ b/plugins/aws/elbv2/elbv2DeletionProtection.js @@ -11,6 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#deletion-protection', recommended_action: 'Update ELBv2 load balancers to use deletion protection to prevent accidental deletion', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeLoadBalancerAttributes'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:ModifyLoadBalancerAttributes'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/elbv2/elbv2DeprecatedSslPolicies.js b/plugins/aws/elbv2/elbv2DeprecatedSslPolicies.js index 87cda25540..281db2f978 100644 --- a/plugins/aws/elbv2/elbv2DeprecatedSslPolicies.js +++ b/plugins/aws/elbv2/elbv2DeprecatedSslPolicies.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html', recommended_action: 'Modify ELBv2 listeners with the latest predefined AWS security policies.', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeListeners'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:CreateListener', 'elasticloadbalancing:ModifyListener'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2DeregistrationDelay.js b/plugins/aws/elbv2/elbv2DeregistrationDelay.js index 6b9c6e4a70..a5b2b5531f 100644 --- a/plugins/aws/elbv2/elbv2DeregistrationDelay.js +++ b/plugins/aws/elbv2/elbv2DeregistrationDelay.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#deregistration-delay', recommended_action: 'Update ELBv2 target group attributes and set the deregistration delay value', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeTargetGroups', 'ELBv2:describeTargetGroupAttributes'], + realtime_triggers: ['elasticloadbalancing:CreateTargetGroup', 'elasticloadbalancing:ModifyTargetGroupAttributes'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2HasTags.js b/plugins/aws/elbv2/elbv2HasTags.js index 99a6c79bce..04efbc32ee 100644 --- a/plugins/aws/elbv2/elbv2HasTags.js +++ b/plugins/aws/elbv2/elbv2HasTags.js 
@@ -10,6 +10,8 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_AddTags.html', recommended_action: 'Modify ELBv2 and add tags.', apis: ['ELBv2:describeLoadBalancers', 'ResourceGroupsTaggingAPI:getResources'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:AddTags', 'elasticloadbalancing:RemoveTags'], + run: function(cache, settings, callback) { var results = []; var source = {}; diff --git a/plugins/aws/elbv2/elbv2InsecureCiphers.js b/plugins/aws/elbv2/elbv2InsecureCiphers.js index ba2136ded2..4a2549544c 100644 --- a/plugins/aws/elbv2/elbv2InsecureCiphers.js +++ b/plugins/aws/elbv2/elbv2InsecureCiphers.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.htmll', recommended_action: 'Modify ELBv2 listeners with the predefined AWS security policies containing secure ciphers.', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeListeners'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:CreateListener', 'elasticloadbalancing:ModifyListener'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2LoggingEnabled.js b/plugins/aws/elbv2/elbv2LoggingEnabled.js index e243a5bd46..4fc6ce538f 100644 --- a/plugins/aws/elbv2/elbv2LoggingEnabled.js +++ b/plugins/aws/elbv2/elbv2LoggingEnabled.js @@ -22,6 +22,7 @@ module.exports = { pci: 'PCI requires logging of all network access to environments containing ' + 'cardholder data. Enable ELB logs to log these network requests.' }, + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:ModifyLoadBalancerAttributes'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2MinimumTargetInstances.js b/plugins/aws/elbv2/elbv2MinimumTargetInstances.js index 0fd25d3c1d..bf9f445037 100644 
--- a/plugins/aws/elbv2/elbv2MinimumTargetInstances.js +++ b/plugins/aws/elbv2/elbv2MinimumTargetInstances.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html', recommended_action: 'Associate at least two healthy target instances to AWS ELBv2 load balancer', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeTargetGroups', 'ELBv2:describeTargetHealth'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:ModifyTargetGroup','elasticloadbalancing:RegisterTarget', 'elasticloadbalancing:DeregisterTargets'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2NlbListenerSecurity.js b/plugins/aws/elbv2/elbv2NlbListenerSecurity.js index 3d85f22144..34a66521e4 100644 --- a/plugins/aws/elbv2/elbv2NlbListenerSecurity.js +++ b/plugins/aws/elbv2/elbv2NlbListenerSecurity.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.amazonaws.cn/en_us/elasticloadbalancing/latest/network/create-tls-listener.html', recommended_action: 'Attach TLS listener to AWS Network Load Balancer', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeListeners'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:CreateListener', 'elasticloadbalancing:ModifyListener'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2NoInstances.js b/plugins/aws/elbv2/elbv2NoInstances.js index dcc3a79177..e7df806dde 100644 --- a/plugins/aws/elbv2/elbv2NoInstances.js +++ b/plugins/aws/elbv2/elbv2NoInstances.js @@ -24,7 +24,7 @@ module.exports = { remediate: ['elasticloadbalancing:DeleteLoadBalancer'], rollback: ['elasticloadbalancing:CreateLoadBalancer'] }, - realtime_triggers: [], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer'], run: function(cache, settings, callback) { var results = []; 
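Review bot: In elbv2MinimumTargetInstances' triggers, `'elasticloadbalancing:RegisterTarget'` is singular while its sibling in the same list is `'elasticloadbalancing:DeregisterTargets'`; the ELBv2 action is `RegisterTargets`, so registrations would never re-trigger this check. The elbv2UnhealthyInstance hunk below has the same `RegisterTarget` entry and additionally `ModifyTargetGroups`, which disagrees with the `ModifyTargetGroup` used here. Suggest `realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:ModifyTargetGroup', 'elasticloadbalancing:RegisterTargets', 'elasticloadbalancing:DeregisterTargets'],` for both. The enclosing `module.exports` object continues outside the hunk.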
diff --git a/plugins/aws/elbv2/elbv2SslTermination.js b/plugins/aws/elbv2/elbv2SslTermination.js index 130b025a4e..6961be6bd3 100644 --- a/plugins/aws/elbv2/elbv2SslTermination.js +++ b/plugins/aws/elbv2/elbv2SslTermination.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://aws.amazon.com/blogs/aws/elastic-load-balancer-support-for-ssl-termination/', recommended_action: 'Attach SSL certificate with the listener to AWS Elastic Load Balancer', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeListeners'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:CreateListeners'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2TLSVersionCipherEnabled.js b/plugins/aws/elbv2/elbv2TLSVersionCipherEnabled.js index 6be1ff5da9..029ad4f270 100644 --- a/plugins/aws/elbv2/elbv2TLSVersionCipherEnabled.js +++ b/plugins/aws/elbv2/elbv2TLSVersionCipherEnabled.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html', recommended_action: 'Update ELBv2 load balancer traffic configuration to enable TLS version and cipher headers', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeLoadBalancerAttributes'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:ModifyLoadBalancerAttributes'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2UnhealthyInstance.js b/plugins/aws/elbv2/elbv2UnhealthyInstance.js index 2f6b29936f..dcaa8c6bb3 100644 --- a/plugins/aws/elbv2/elbv2UnhealthyInstance.js +++ b/plugins/aws/elbv2/elbv2UnhealthyInstance.js 
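Review bot: elbv2SslTermination's new trigger `'elasticloadbalancing:CreateListeners'` carries a trailing `s`, unlike the `CreateListener` used in the elbv2DeprecatedSslPolicies, elbv2InsecureCiphers and elbv2NlbListenerSecurity hunks, so listener creation would not match here. The list also omits `ModifyListener`, which those sibling hunks include and which is the call that swaps or removes the certificate on an existing listener. Suggest `realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:CreateListener', 'elasticloadbalancing:ModifyListener'],`. The enclosing `module.exports` object continues outside the hunk.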
@@ -11,6 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/target-group-health-checks.html', recommended_action: 'Investigate and resolve the health issues with the instances attached to the ELB.', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeTargetGroups', 'ELBv2:describeTargetHealth'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:ModifyTargetGroups', 'elasticloadbalancing:RegisterTarget', 'elasticloadbalancing:DeregisterTargets'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2WafEnabled.js b/plugins/aws/elbv2/elbv2WafEnabled.js index 9aad094062..0ca97f0a97 100644 --- a/plugins/aws/elbv2/elbv2WafEnabled.js +++ b/plugins/aws/elbv2/elbv2WafEnabled.js @@ -10,6 +10,8 @@ module.exports = { link: 'https://aws.amazon.com/blogs/aws/aws-web-application-firewall-waf-for-application-load-balancers/', recommended_action: '1. Enter the WAF service. 2. Enter Web ACLs and filter by the region the Application Load Balancer is in. 3. If no Web ACL is found, Create a new Web ACL in the region the ALB resides and in Resource type to associate with web ACL, select the Load Balancer. ', apis: ['ELBv2:describeLoadBalancers', 'WAFV2:listWebACLs', 'WAFRegional:listWebACLs', 'WAFV2:listResourcesForWebACL', 'WAFRegional:listResourcesForWebACL'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'wafv2:CreateWebAcl', 'wafv2:UpdateWebAacl', 'wafregional:CreateWebAcl', 'wafregional:UpdateWebAcl'], + run: function(cache, settings, callback) { var results = []; var source = {}; diff --git a/plugins/aws/elbv2/elbv2crosszoneLoadBalancing.js b/plugins/aws/elbv2/elbv2crosszoneLoadBalancing.js index dde5f491dd..b565f0c3c1 100644 --- a/plugins/aws/elbv2/elbv2crosszoneLoadBalancing.js +++ b/plugins/aws/elbv2/elbv2crosszoneLoadBalancing.js 
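Review bot: elbv2WafEnabled's new triggers contain `'wafv2:UpdateWebAacl'` (doubled `a`), which cannot match any event; the same list spells the regional variant `'wafregional:UpdateWebAcl'`. Beyond the typo, the `apis` line shows the check depends on which resources are associated with a web ACL (`listResourcesForWebACL`), and that association is changed by `AssociateWebACL` / `DisassociateWebACL` rather than by creating or updating the ACL — so a disassociation, the event that actually removes protection, would not re-run the check. Consider adding those two actions for both `wafv2` and `wafregional` alongside the corrected entry. The enclosing `module.exports` object continues outside the hunk.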
@@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html', recommended_action: 'Update AWS ELBv2 load balancers to enable cross zone load balancing.', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeLoadBalancerAttributes'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:ModifyLoadBalancerAttributes'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/emr/emrClusterHasTags.js b/plugins/aws/emr/emrClusterHasTags.js index 455d148705..2ea372c999 100644 --- a/plugins/aws/emr/emrClusterHasTags.js +++ b/plugins/aws/emr/emrClusterHasTags.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-tags-add-new.html', recommended_action: 'Modify EMR cluster and add tags.', apis: ['EMR:listClusters', 'EMR:describeCluster'], + realtime_triggers: ['emr:CreateCluster', 'emr:AddTags', 'emr:RemoveTags'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/emr/emrClusterInVPC.js b/plugins/aws/emr/emrClusterInVPC.js index cadb97ad1c..935f505f7d 100644 --- a/plugins/aws/emr/emrClusterInVPC.js +++ b/plugins/aws/emr/emrClusterInVPC.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-vpc-launching-job-flows.htmll', recommended_action: 'EMR clusters Available in VPC', apis: ['EC2:describeAccountAttributes','EMR:listClusters', 'EMR:describeCluster'], + realtime_triggers: ['emr:CreateCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/emr/emrClusterLogging.js b/plugins/aws/emr/emrClusterLogging.js index a2a276c5a1..e10e9f7986 100644 --- a/plugins/aws/emr/emrClusterLogging.js +++ b/plugins/aws/emr/emrClusterLogging.js 
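Review bot: The `'emr:CreateCluster'` trigger added to emrClusterHasTags does not correspond to an EMR API action: clusters are created through `RunJobFlow`, which is also the name CloudTrail records, so unless the trigger layer translates names none of these entries would fire. The same entry is used in emrClusterInVPC, emrClusterLogging, emrDesiredInstanceType, emrEncryptionAtRest, emrEncryptionInTransit and emrInstanceCount below; verify the expected event name once and fix the series together. The enclosing `module.exports` object continues outside the hunk.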
@@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-debugging.html', recommended_action: 'Modify EMR clusters to enable cluster logging', apis: ['EMR:listClusters', 'EMR:describeCluster'], + realtime_triggers: ['emr:CreateCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/emr/emrDesiredInstanceType.js b/plugins/aws/emr/emrDesiredInstanceType.js index 5235297e2d..d5e51fc040 100644 --- a/plugins/aws/emr/emrDesiredInstanceType.js +++ b/plugins/aws/emr/emrDesiredInstanceType.js @@ -24,6 +24,7 @@ module.exports = { default: '' } }, + realtime_triggers: ['emr:CreateCluster'], run: function(cache, settings, callback) { const results = []; diff --git a/plugins/aws/emr/emrEncryptionAtRest.js b/plugins/aws/emr/emrEncryptionAtRest.js index 61c8db121a..b51a45f99e 100644 --- a/plugins/aws/emr/emrEncryptionAtRest.js +++ b/plugins/aws/emr/emrEncryptionAtRest.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-data-encryption-options.html', recommended_action: 'Update security configuration associated with EMR cluster to enable encryption at rest for local disks.', apis: ['EMR:listClusters', 'EMR:describeCluster', 'EMR:describeSecurityConfiguration'], + realtime_triggers: ['emr:CreateCluster', 'emr:CreateSecurityConfiguration'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/emr/emrEncryptionInTransit.js b/plugins/aws/emr/emrEncryptionInTransit.js index 431f68798a..e64f6b8e34 100644 --- a/plugins/aws/emr/emrEncryptionInTransit.js +++ b/plugins/aws/emr/emrEncryptionInTransit.js 
@@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-data-encryption-options.html', recommended_action: 'Update security configuration associated with EMR cluster to enable encryption in transit.', apis: ['EMR:listClusters', 'EMR:describeCluster', 'EMR:describeSecurityConfiguration'], + realtime_triggers: ['emr:CreateCluster', 'emr:CreateSecurityConfiguration'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/emr/emrInstanceCount.js b/plugins/aws/emr/emrInstanceCount.js index cbe2918414..417dbc8171 100644 --- a/plugins/aws/emr/emrInstanceCount.js +++ b/plugins/aws/emr/emrInstanceCount.js @@ -25,6 +25,7 @@ module.exports = { default: 100 } }, + realtime_triggers: ['emr:CreateCluster'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/eventbridge/eventBusCrossAccountAccess.js b/plugins/aws/eventbridge/eventBusCrossAccountAccess.js index 783fcaaec7..60dcc6d85d 100644 --- a/plugins/aws/eventbridge/eventBusCrossAccountAccess.js +++ b/plugins/aws/eventbridge/eventBusCrossAccountAccess.js @@ -37,6 +37,7 @@ module.exports = { default: 'aws:PrincipalArn,aws:PrincipalAccount,aws:PrincipalOrgID,aws:SourceAccount,aws:SourceArn,aws:SourceOwner' }, }, + realtime_triggers: ['eventbridge:CreateEventBus'], run: function(cache, settings, callback) { var config= { diff --git a/plugins/aws/eventbridge/eventBusPublicAccess.js b/plugins/aws/eventbridge/eventBusPublicAccess.js index fc16d17fa5..233ede8d51 100644 --- a/plugins/aws/eventbridge/eventBusPublicAccess.js +++ b/plugins/aws/eventbridge/eventBusPublicAccess.js @@ -19,6 +19,7 @@ module.exports = { default: 'aws:PrincipalArn,aws:PrincipalAccount,aws:PrincipalOrgID,aws:SourceOwner,aws:SourceArn,aws:SourceAccount' } }, + realtime_triggers: ['eventbridge:CreateEventBus', 'eventbridge:PutRule', 'eventbridge:PutTarget'], run: function(cache, settings, callback) { var results = []; 
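Review bot: eventBusCrossAccountAccess's triggers list only `'eventbridge:CreateEventBus'`, yet the settings in the hunk show the check evaluates the bus resource policy (condition keys such as `aws:PrincipalOrgID`), which is edited by `PutPermission` / `RemovePermission` rather than by creating the bus. The eventBusPublicAccess hunk on this line has the same gap: `PutRule` and `PutTarget` change rules, not the policy that would grant public access, so a policy opened up after creation would not re-trigger either check. Note also that the EventBridge action is `PutTargets` (plural), so that entry would not match as written. The enclosing `module.exports` object continues outside the hunk.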
diff --git a/plugins/aws/eventbridge/eventsInUse.js b/plugins/aws/eventbridge/eventsInUse.js index 18800a31dc..9ceb27d54a 100644 --- a/plugins/aws/eventbridge/eventsInUse.js +++ b/plugins/aws/eventbridge/eventsInUse.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rules.html', recommended_action: 'Create EventBridge event rules to meet regulatory and compliance requirement within your organization.', apis: ['EventBridge:listRules'], + realtime_triggers: ['eventbridge:PutRules', 'eventbridge:EnableRule'], run: function(cache, settings, callback) { var results = []; From 76e37fff86715dace7576ae2ff684e80cd0a3926 Mon Sep 17 00:00:00 2001 
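Review bot: eventsInUse's trigger `'eventbridge:PutRules'` does not match the action name `PutRule` used in the eventBusPublicAccess hunk above, so rule creation would not re-run this check. Since the check reports whether any rule is in use, the events that can flip it to a failure — `DisableRule` and `DeleteRule` — are missing as well. Suggest `realtime_triggers: ['eventbridge:PutRule', 'eventbridge:EnableRule', 'eventbridge:DisableRule', 'eventbridge:DeleteRule'],`. The enclosing `module.exports` object continues outside the hunk.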
From: --global Date: Thu, 14 Sep 2023 15:50:25 +0500 Subject: [PATCH 005/498] added tiggers for f,g,h and connect --- plugins/aws/connect/customerProfilesDomainEncrypted.js | 1 + plugins/aws/connect/instanceAttachmentsEncrypted.js | 1 + plugins/aws/connect/instanceCallRecordingEncrypted.js | 2 ++ plugins/aws/connect/instanceMediaStreamsEncrypted.js | 1 + plugins/aws/connect/instanceReportsEncrypted.js | 1 + plugins/aws/connect/instanceTranscriptsEncrypted.js | 1 + plugins/aws/connect/voiceIdDomainEncrypted.js | 1 + plugins/aws/connect/wisdomDomainEncrypted.js | 1 + plugins/aws/finspace/finspaceEnvironmentEncrypted.js | 1 + plugins/aws/firehose/deliveryStreamEncrypted.js | 1 + plugins/aws/firehose/firehoseEncrypted.js | 1 + plugins/aws/forecast/datasetExportEncrypted.js | 1 + plugins/aws/forecast/forecastDatasetEncrypted.js | 2 ++ plugins/aws/frauddetector/fraudDetectorDataEncrypted.js | 1 + plugins/aws/fsx/fsxFileSystemEncrypted.js | 2 ++ plugins/aws/glue/bookmarkEncryptionEnabled.js | 1 + plugins/aws/glue/dataCatalogCmkEncrypted.js | 1 + plugins/aws/glue/glueCloudwatchLogsEncrypted.js | 1 + plugins/aws/glue/glueS3EncryptionEnabled.js | 1 + plugins/aws/gluedatabrew/databrewJobOutputEncrypted.js | 1 + plugins/aws/guardduty/exportedFindingsEncrypted.js | 1 + plugins/aws/guardduty/guarddutyEnabled.js | 1 + plugins/aws/guardduty/guarddutyMaster.js | 1 + plugins/aws/guardduty/noActiveFindings.js | 1 + plugins/aws/guardduty/s3ProtectionEnabled.js | 3 ++- plugins/aws/healthlake/dataStoreEncrypted.js | 1 + 26 files changed, 30 insertions(+), 1 deletion(-) diff --git a/plugins/aws/connect/customerProfilesDomainEncrypted.js b/plugins/aws/connect/customerProfilesDomainEncrypted.js index c7341479e1..fedef11522 100644 --- a/plugins/aws/connect/customerProfilesDomainEncrypted.js +++ b/plugins/aws/connect/customerProfilesDomainEncrypted.js 
@@ -18,6 +18,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['customerprofiles:CreateDomain', 'customerprofiles:UpdateDomain'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/connect/instanceAttachmentsEncrypted.js b/plugins/aws/connect/instanceAttachmentsEncrypted.js index 044894f6b3..2bfbed1ae7 100644 --- a/plugins/aws/connect/instanceAttachmentsEncrypted.js +++ b/plugins/aws/connect/instanceAttachmentsEncrypted.js @@ -19,6 +19,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['connect:CreateInstance', 'connect:AssociateInstanceStorageConfig', 'connect:UpdateInstanceStorageConfig'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/connect/instanceCallRecordingEncrypted.js b/plugins/aws/connect/instanceCallRecordingEncrypted.js index e5f6c84901..05e49a7fa2 100644 --- a/plugins/aws/connect/instanceCallRecordingEncrypted.js +++ b/plugins/aws/connect/instanceCallRecordingEncrypted.js @@ -19,6 +19,8 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['connect:CreateInstance', 'connect:AssociateInstanceStorageConfig', 'connect:UpdateInstanceStorageConfig'], + run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/connect/instanceMediaStreamsEncrypted.js b/plugins/aws/connect/instanceMediaStreamsEncrypted.js index 0b3ff40a84..3f8246d899 100644 --- a/plugins/aws/connect/instanceMediaStreamsEncrypted.js +++ b/plugins/aws/connect/instanceMediaStreamsEncrypted.js @@ -19,6 +19,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['connect:CreateInstance', 'connect:AssociateInstanceStorageConfig', 'connect:UpdateInstanceStorageConfig'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/connect/instanceReportsEncrypted.js b/plugins/aws/connect/instanceReportsEncrypted.js index b40a127136..1a8ec48222 100644 --- a/plugins/aws/connect/instanceReportsEncrypted.js 
+++ b/plugins/aws/connect/instanceReportsEncrypted.js @@ -19,6 +19,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['connect:CreateInstance', 'connect:AssociateInstanceStorageConfig', 'connect:UpdateInstanceStorageConfig'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/connect/instanceTranscriptsEncrypted.js b/plugins/aws/connect/instanceTranscriptsEncrypted.js index 791b8c886b..fec487e987 100644 --- a/plugins/aws/connect/instanceTranscriptsEncrypted.js +++ b/plugins/aws/connect/instanceTranscriptsEncrypted.js @@ -19,6 +19,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['connect:CreateInstance', 'connect:AssociateInstanceStorageConfig', 'connect:UpdateInstanceStorageConfig'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/connect/voiceIdDomainEncrypted.js b/plugins/aws/connect/voiceIdDomainEncrypted.js index f3c7324898..3d63b606a0 100644 --- a/plugins/aws/connect/voiceIdDomainEncrypted.js +++ b/plugins/aws/connect/voiceIdDomainEncrypted.js @@ -22,6 +22,7 @@ module.exports = { default: 'awskms' } }, + realtime_triggers: ['voiceid:CreateDomain', 'voiceid:UpdateDomain'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/connect/wisdomDomainEncrypted.js b/plugins/aws/connect/wisdomDomainEncrypted.js index d757207d95..a7f1e149ee 100644 --- a/plugins/aws/connect/wisdomDomainEncrypted.js +++ b/plugins/aws/connect/wisdomDomainEncrypted.js @@ -22,6 +22,7 @@ module.exports = { default: 'awskms' } }, + realtime_triggers: ['wisdom:CreateAssistant'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/finspace/finspaceEnvironmentEncrypted.js b/plugins/aws/finspace/finspaceEnvironmentEncrypted.js index 7a3e6dadeb..0cf83b46f8 100644 --- a/plugins/aws/finspace/finspaceEnvironmentEncrypted.js +++ b/plugins/aws/finspace/finspaceEnvironmentEncrypted.js 
@@ -19,6 +19,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['finspace:CreateEnnviromennt'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/firehose/deliveryStreamEncrypted.js b/plugins/aws/firehose/deliveryStreamEncrypted.js index 203250bca8..c14bc2f6e1 100644 --- a/plugins/aws/firehose/deliveryStreamEncrypted.js +++ b/plugins/aws/firehose/deliveryStreamEncrypted.js @@ -20,6 +20,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['firehose:UpdateDestination'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/firehose/firehoseEncrypted.js b/plugins/aws/firehose/firehoseEncrypted.js index 3340988ead..1d69545d2a 100644 --- a/plugins/aws/firehose/firehoseEncrypted.js +++ b/plugins/aws/firehose/firehoseEncrypted.js @@ -17,6 +17,7 @@ module.exports = { 'AWS KMS encryption ensures that the Firehose payload meets the ' + 'encryption in transit and at rest requirements of HIPAA.' }, + realtime_triggers: ['firehose:StartDeliveryStreamEncryption', 'kinesis:StartStreamEncryption'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/forecast/datasetExportEncrypted.js b/plugins/aws/forecast/datasetExportEncrypted.js index afa8e9c6d8..4161ae839f 100644 --- a/plugins/aws/forecast/datasetExportEncrypted.js +++ b/plugins/aws/forecast/datasetExportEncrypted.js @@ -18,6 +18,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['forecast:CreateForecastExportJob'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/forecast/forecastDatasetEncrypted.js b/plugins/aws/forecast/forecastDatasetEncrypted.js index 4bb1eaeb98..742d74ba3d 100644 --- a/plugins/aws/forecast/forecastDatasetEncrypted.js +++ b/plugins/aws/forecast/forecastDatasetEncrypted.js 
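Review bot: finspaceEnvironmentEncrypted's new trigger `'finspace:CreateEnnviromennt'` is misspelled; the FinSpace action is `CreateEnvironment`, so this check would never be scheduled by a real-time event. Suggest `realtime_triggers: ['finspace:CreateEnvironment'],`. The enclosing `module.exports` object continues outside the hunk.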
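Review bot: deliveryStreamEncrypted's trigger list contains only `'firehose:UpdateDestination'`, so a delivery stream created without the expected encryption would not be evaluated until the next scheduled scan. `CreateDeliveryStream` is the action that establishes the initial destination and encryption configuration and presumably belongs here alongside the update. The enclosing `module.exports` object continues outside the hunk.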
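Review bot: firehoseEncrypted's triggers fire on `StartDeliveryStreamEncryption` and `kinesis:StartStreamEncryption` but not on the opposite calls, `firehose:StopDeliveryStreamEncryption` and `kinesis:StopStreamEncryption`, which are exactly the events that turn a passing stream into a failing one. Triggering only on the hardening action means the regression a detection should catch goes unnoticed until the scheduled scan. Suggest adding both stop actions to the list. The enclosing `module.exports` object continues outside the hunk.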
@@ -19,6 +19,8 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['forecastservice:CreateDataset'], + run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/frauddetector/fraudDetectorDataEncrypted.js b/plugins/aws/frauddetector/fraudDetectorDataEncrypted.js index 73933815e4..ca4de0ea64 100644 --- a/plugins/aws/frauddetector/fraudDetectorDataEncrypted.js +++ b/plugins/aws/frauddetector/fraudDetectorDataEncrypted.js @@ -18,6 +18,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['frauddetector:PutKMSEncryptionKey'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/fsx/fsxFileSystemEncrypted.js b/plugins/aws/fsx/fsxFileSystemEncrypted.js index 0e1de5f3db..8741ee2dc5 100644 --- a/plugins/aws/fsx/fsxFileSystemEncrypted.js +++ b/plugins/aws/fsx/fsxFileSystemEncrypted.js @@ -18,6 +18,8 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['fsx:CreateFileSystem'], + run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/glue/bookmarkEncryptionEnabled.js b/plugins/aws/glue/bookmarkEncryptionEnabled.js index e37c3bfd19..01d98e8c5f 100644 --- a/plugins/aws/glue/bookmarkEncryptionEnabled.js +++ b/plugins/aws/glue/bookmarkEncryptionEnabled.js @@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Recreate Glue security configurations and enable job bookmark encryption', link: 'https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html', apis: ['Glue:getSecurityConfigurations', 'STS:getCallerIdentity'], + realtime_triggers: ['glue:CreateSecurityConfiguration'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/glue/dataCatalogCmkEncrypted.js b/plugins/aws/glue/dataCatalogCmkEncrypted.js index 4834134bf9..4f162a0399 100644 --- a/plugins/aws/glue/dataCatalogCmkEncrypted.js +++ b/plugins/aws/glue/dataCatalogCmkEncrypted.js 
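Review bot: forecastDatasetEncrypted uses the prefix `'forecastservice:CreateDataset'` while the datasetExportEncrypted hunk above uses `'forecast:CreateForecastExportJob'` for the same service; whichever prefix the trigger layer keys on, one of the two entries will never match. Align both on one prefix (presumably `forecast:`, matching the other entry) and confirm it against an actual recorded event. The enclosing `module.exports` object continues outside the hunk.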
@@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Modify Glue data catalog to use CMK instead of AWS-managed Key to encrypt Metadata', link: 'https://docs.aws.amazon.com/glue/latest/dg/encrypt-glue-data-catalog.html', apis: ['Glue:getDataCatalogEncryptionSettings', 'KMS:listKeys', 'KMS:describeKey'], + realtime_triggers: ['glue:PutDataCatalogEncryptionSettings'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/glue/glueCloudwatchLogsEncrypted.js b/plugins/aws/glue/glueCloudwatchLogsEncrypted.js index d6a9f26bcc..15be118c76 100644 --- a/plugins/aws/glue/glueCloudwatchLogsEncrypted.js +++ b/plugins/aws/glue/glueCloudwatchLogsEncrypted.js @@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Modify Glue Security Configurations to enable CloudWatch logs encryption at-rest', link: 'https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html', apis: ['Glue:getSecurityConfigurations', 'STS:getCallerIdentity'], + realtime_triggers: ['glue:CreateSecurityConfiguration'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/glue/glueS3EncryptionEnabled.js b/plugins/aws/glue/glueS3EncryptionEnabled.js index ad4dd82f8c..60a74c9cc0 100644 --- a/plugins/aws/glue/glueS3EncryptionEnabled.js +++ b/plugins/aws/glue/glueS3EncryptionEnabled.js @@ -18,6 +18,7 @@ module.exports = { default: 'awscmk', } }, + realtime_triggers: ['glue:CreateSecurityConfiguration'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/gluedatabrew/databrewJobOutputEncrypted.js b/plugins/aws/gluedatabrew/databrewJobOutputEncrypted.js index 3ce1c9fb58..64b37025d0 100644 --- a/plugins/aws/gluedatabrew/databrewJobOutputEncrypted.js +++ b/plugins/aws/gluedatabrew/databrewJobOutputEncrypted.js 
@@ -18,6 +18,7 @@ module.exports = { default: 'awscmk', } }, + realtime_triggers: ['databrew:CreateRecipeJob', 'databrew:UpdateRecipeJob'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/guardduty/exportedFindingsEncrypted.js b/plugins/aws/guardduty/exportedFindingsEncrypted.js index 11adb8fcb7..3585989616 100644 --- a/plugins/aws/guardduty/exportedFindingsEncrypted.js +++ b/plugins/aws/guardduty/exportedFindingsEncrypted.js @@ -19,6 +19,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['guardduty:CreateDetector'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/guardduty/guarddutyEnabled.js b/plugins/aws/guardduty/guarddutyEnabled.js index fb85846c5b..ffd4dd65b4 100644 --- a/plugins/aws/guardduty/guarddutyEnabled.js +++ b/plugins/aws/guardduty/guarddutyEnabled.js @@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Enable GuardDuty for all AWS accounts.', link: 'https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html', apis: ['GuardDuty:listDetectors', 'GuardDuty:getDetector', 'STS:getCallerIdentity'], + realtime_triggers: ['guardduty:CreateDetector'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/guardduty/guarddutyMaster.js b/plugins/aws/guardduty/guarddutyMaster.js index 9ae9b96931..7354f3a721 100644 --- a/plugins/aws/guardduty/guarddutyMaster.js +++ b/plugins/aws/guardduty/guarddutyMaster.js @@ -18,6 +18,7 @@ module.exports = { default: '', }, }, + realtime_triggers: ['guardduty:CreateDetector', 'guardduty:CreateMembers'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/guardduty/noActiveFindings.js b/plugins/aws/guardduty/noActiveFindings.js index b928b275ef..9230ca27a5 100644 --- a/plugins/aws/guardduty/noActiveFindings.js +++ b/plugins/aws/guardduty/noActiveFindings.js 
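Review bot: The trigger list for guarddutyEnabled fires only on `guardduty:CreateDetector`, so the event that actually makes this check fail — GuardDuty being switched off — never re-runs it in realtime mode. A detector is disabled through UpdateDetector (Enable=false) or removed with DeleteDetector, which is exactly the defense-evasion step a realtime check should catch promptly. Suggest `realtime_triggers: ['guardduty:CreateDetector', 'guardduty:UpdateDetector', 'guardduty:DeleteDetector'],`. The s3ProtectionEnabled hunk in this same commit already lists UpdateDetector, so this also makes the two GuardDuty checks consistent.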
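Review bot: guarddutyMaster's triggers cover CreateDetector and CreateMembers but none of the calls that break the master/member relationship, so a member account disassociating itself would not be re-evaluated until the next full scan. Consider adding `'guardduty:DisassociateFromMasterAccount', 'guardduty:DisassociateFromAdministratorAccount', 'guardduty:DeleteMembers'` (and the AcceptInvitation / AcceptAdministratorInvitation side for joins). I am inferring the plugin's intent from its name and the master-account setting visible in the hunk; the run body is outside the hunk.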
@@ -20,6 +20,7 @@ module.exports = { default: '48' } }, + realtime_triggers: ['guardduty:CreateDetector', 'guardduty:ArchiveFindings'], run: function(cache, settings, callback) { const results = []; diff --git a/plugins/aws/guardduty/s3ProtectionEnabled.js b/plugins/aws/guardduty/s3ProtectionEnabled.js index b5e8008c40..76cdf1ad85 100644 --- a/plugins/aws/guardduty/s3ProtectionEnabled.js +++ b/plugins/aws/guardduty/s3ProtectionEnabled.js @@ -10,7 +10,8 @@ module.exports = { recommended_action: 'Enable GuardDuty S3 protection for all AWS accounts.', link: 'https://docs.aws.amazon.com/guardduty/latest/ug/s3-protection.html', apis: ['GuardDuty:listDetectors', 'GuardDuty:getDetector', 'STS:getCallerIdentity'], - + realtime_triggers: ['guardduty:CreateDetector', 'guardduty:UpdateDetector'], + run: function(cache, settings, callback) { var results = []; var source = {}; diff --git a/plugins/aws/healthlake/dataStoreEncrypted.js b/plugins/aws/healthlake/dataStoreEncrypted.js index 1fad1ee32e..1ac5ac19b7 100644 --- a/plugins/aws/healthlake/dataStoreEncrypted.js +++ b/plugins/aws/healthlake/dataStoreEncrypted.js @@ -19,6 +19,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['healthlake:CreateFHIRDatastore'], run: function(cache, settings, callback) { var results = []; From 6e85d2c3a260b354bda4af8d295c5fb65b7ff7a1 Mon Sep 17 00:00:00 2001 
From: --global Date: Thu, 14 Sep 2023 16:12:47 +0500 Subject: [PATCH 006/498] added tiggers --- plugins/aws/kms/kmsDefaultKeyUsage.js | 1 + plugins/aws/lambda/envVarsClientSideEncryption.js | 1 + plugins/aws/lambda/lambdaAdminPrivileges.js | 3 ++- plugins/aws/lambda/lambdaHasTags.js | 2 +- plugins/aws/lambda/lambdaLogGroups.js | 1 + plugins/aws/lambda/lambdaOldRuntimes.js | 1 + plugins/aws/lambda/lambdaPublicAccess.js | 1 + plugins/aws/lambda/lambdaTracingEnabled.js | 1 + plugins/aws/lambda/lambdaUniqueExecutionRole.js | 2 +- plugins/aws/lambda/lambdaVpcConfig.js | 1 + plugins/aws/lex/lexAudioLogsEncrypted.js | 1 + plugins/aws/location/geoCollectionDataEncrypted.js | 1 + plugins/aws/location/trackerDataEncrypted.js | 1 + plugins/aws/lookout/anomalyDetectorEncrypted.js | 1 + plugins/aws/lookout/equipmentdatasetEncrypted.js | 1 + plugins/aws/lookout/modelDataEncrypted.js | 1 + plugins/aws/managedblockchain/networkMemberDataEncrypted.js | 1 + plugins/aws/memorydb/memorydbClusterEncrypted.js | 1 + plugins/aws/mq/mqAutoMinorVersionUpgrade.js | 1 + 19 files changed, 20 insertions(+), 3 deletions(-) diff --git a/plugins/aws/kms/kmsDefaultKeyUsage.js b/plugins/aws/kms/kmsDefaultKeyUsage.js index 1ae39f5955..dc0ef308db 100644 --- a/plugins/aws/kms/kmsDefaultKeyUsage.js +++ b/plugins/aws/kms/kmsDefaultKeyUsage.js @@ -20,6 +20,7 @@ module.exports = { 'passwords, it is still strongly encouraged to use a ' + 'customer-provided CMK rather than the default KMS key.' }, + realtime_triggers: ['kms:CreateKey', 'kms:CreateAlias','cloudtrail:CreateTrail', 'ec2:CreateVolume','elastictranscoder:CreatePipline', 'rds:CreateDBInstance', 'redshift:CreateCluster', 's3:CreateBucket','s3:putBucketEncryption','ses:CreateEmailIdentity', 'workspace:CreateWorkSpaces', 'lambda:CreateFunction', 'cloudwatchlogs:CreateLogGroup', 'efs:CreateFileSystem'], run: function(cache, settings, callback) { var results = []; 
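Review bot: Several entries in the kmsDefaultKeyUsage trigger list cannot match a real event: `'elastictranscoder:CreatePipline'` is misspelled (CreatePipeline), `'s3:putBucketEncryption'` is the only lower-cased action in this commit while every other entry uses the PascalCase eventName form, and `'workspace:CreateWorkSpaces'` / `'cloudwatchlogs:CreateLogGroup'` use service prefixes that differ from the `workspaces` / `logs` style used elsewhere — I cannot see the matcher from this diff, so please confirm whether it compares case-sensitively and how prefixes are derived. A misspelled trigger fails silently: the check simply stops being re-run for that service, with no error anywhere. Separately, the list holds only creation events, whereas switching an existing resource to the AWS-managed key (e.g. `lambda:UpdateFunctionConfiguration` with a new KMSKeyArn, or `logs:AssociateKmsKey`) is what this plugin exists to flag, so those update paths are worth adding once the spellings are fixed.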
diff --git a/plugins/aws/lambda/envVarsClientSideEncryption.js b/plugins/aws/lambda/envVarsClientSideEncryption.js index dfe36b0aa6..805d313ac1 100644 --- a/plugins/aws/lambda/envVarsClientSideEncryption.js +++ b/plugins/aws/lambda/envVarsClientSideEncryption.js @@ -20,6 +20,7 @@ module.exports = { default: '' } }, + realtime_triggers: ['lambda:CreateFunction', 'lambda:UpdateFunctionConfiguration'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/lambda/lambdaAdminPrivileges.js b/plugins/aws/lambda/lambdaAdminPrivileges.js index 3ff5f9c251..ea7b795e83 100644 --- a/plugins/aws/lambda/lambdaAdminPrivileges.js +++ b/plugins/aws/lambda/lambdaAdminPrivileges.js @@ -11,7 +11,8 @@ module.exports = { recommended_action: 'Modify IAM role attached with Lambda function to provide the minimal amount of access required to perform its tasks', apis: ['Lambda:listFunctions', 'IAM:listRoles', 'IAM:listAttachedRolePolicies', 'IAM:listRolePolicies', 'IAM:listPolicies', 'IAM:getPolicy', 'IAM:getPolicyVersion', 'IAM:getRolePolicy'], - + realtime_triggers: ['lambda:CreateFunction','lambda:UpdateFunctionConfiguration' ], + run: function(cache, settings, callback) { var results = []; var source = {}; diff --git a/plugins/aws/lambda/lambdaHasTags.js b/plugins/aws/lambda/lambdaHasTags.js index 49e16a98d9..f73023ba66 100644 --- a/plugins/aws/lambda/lambdaHasTags.js +++ b/plugins/aws/lambda/lambdaHasTags.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/lambda/latest/dg/configuration-tags.html', recommended_action: 'Modify Lambda function configurations and add new tags', apis: ['Lambda:listFunctions', 'ResourceGroupsTaggingAPI:getResources'], - + realtime_triggers: ['lambda:CreateFunction','lambda:UpdateFunctionConfiguration'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/lambda/lambdaLogGroups.js b/plugins/aws/lambda/lambdaLogGroups.js index ac2b2c0444..580ae37921 100644 
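Review bot: lambdaAdminPrivileges decides its result from the policies attached to the function's execution role (per the IAM calls in its `apis` list on the line above), yet the new triggers watch only `lambda:CreateFunction` and `lambda:UpdateFunctionConfiguration`. Granting the role `*:*` later via AttachRolePolicy, PutRolePolicy or a new default policy version changes nothing on the Lambda side, so the privilege escalation would not be re-evaluated in realtime mode. Suggest adding `'iam:AttachRolePolicy', 'iam:PutRolePolicy', 'iam:CreatePolicyVersion', 'iam:SetDefaultPolicyVersion'` to the list. Minor style: the stray space in `'lambda:UpdateFunctionConfiguration' ]` differs from every other hunk in this commit.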
--- a/plugins/aws/lambda/lambdaLogGroups.js +++ b/plugins/aws/lambda/lambdaLogGroups.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/lambda/latest/dg/monitoring-cloudwatchlogs.html', recommended_action: 'Update the Lambda function permissions to allow CloudWatch logging.', apis: ['Lambda:listFunctions', 'CloudWatchLogs:describeLogGroups'], + realtime_triggers: ['lambda:CreateFunction','lambda:UpdateFunctionConfiguration'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/lambda/lambdaOldRuntimes.js b/plugins/aws/lambda/lambdaOldRuntimes.js index 9ba49b5e22..f8e985c9b7 100644 --- a/plugins/aws/lambda/lambdaOldRuntimes.js +++ b/plugins/aws/lambda/lambdaOldRuntimes.js @@ -18,6 +18,7 @@ module.exports = { default: 0 } }, + realtime_triggers: ['lambda:CreateFunction','lambda:UpdateFunctionConfiguration'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/lambda/lambdaPublicAccess.js b/plugins/aws/lambda/lambdaPublicAccess.js index 4157d95d9b..e8544a0dac 100644 --- a/plugins/aws/lambda/lambdaPublicAccess.js +++ b/plugins/aws/lambda/lambdaPublicAccess.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html', recommended_action: 'Update the Lambda policy to prevent access from the public.', apis: ['Lambda:listFunctions', 'Lambda:getPolicy'], + realtime_triggers: ['lambda:CreateFunction','lambda:AddPermission', 'lambda:RemovePermission'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/lambda/lambdaTracingEnabled.js b/plugins/aws/lambda/lambdaTracingEnabled.js index 0c8b197d27..653359f466 100644 --- a/plugins/aws/lambda/lambdaTracingEnabled.js +++ b/plugins/aws/lambda/lambdaTracingEnabled.js 
@@ -18,6 +18,7 @@ module.exports = { default: 'Aqua-CSPM-Token-Rotator-Function,-CreateCSPMKeyFunction-,-TriggerDiscoveryFunction-,-GenerateVolumeScanningEx-,-GenerateCSPMExternalIdFu-' } }, + realtime_triggers: ['lambda:CreateFunction','lambda:UpdateFunctionConfiguration'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/lambda/lambdaUniqueExecutionRole.js b/plugins/aws/lambda/lambdaUniqueExecutionRole.js index b5fcb90aad..1122894a1f 100644 --- a/plugins/aws/lambda/lambdaUniqueExecutionRole.js +++ b/plugins/aws/lambda/lambdaUniqueExecutionRole.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html', recommended_action: 'Modify Lambda function and add new execution role.', apis: ['Lambda:listFunctions'], - + realtime_triggers: ['lambda:CreateFunction','lambda:UpdateFunctionConfiguration', 'lambda:DeleteFunction'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/lambda/lambdaVpcConfig.js b/plugins/aws/lambda/lambdaVpcConfig.js index d0528130f5..a3f1b175dd 100644 --- a/plugins/aws/lambda/lambdaVpcConfig.js +++ b/plugins/aws/lambda/lambdaVpcConfig.js @@ -18,6 +18,7 @@ module.exports = { default: 'Aqua-CSPM-Token-Rotator-Function,-CreateCSPMKeyFunction-,-TriggerDiscoveryFunction-,-GenerateVolumeScanningEx-,-GenerateCSPMExternalIdFu-' } }, + realtime_triggers: ['lambda:CreateFunction','lambda:UpdateFunctionConfiguration'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/lex/lexAudioLogsEncrypted.js b/plugins/aws/lex/lexAudioLogsEncrypted.js index bcce83a295..90b5d890a5 100644 --- a/plugins/aws/lex/lexAudioLogsEncrypted.js +++ b/plugins/aws/lex/lexAudioLogsEncrypted.js @@ -19,6 +19,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['lexmodelsV2:CreateBot'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/location/geoCollectionDataEncrypted.js b/plugins/aws/location/geoCollectionDataEncrypted.js index 4ccc08d85c..1b1bbe5e34 100644 --- a/plugins/aws/location/geoCollectionDataEncrypted.js +++ b/plugins/aws/location/geoCollectionDataEncrypted.js @@ -19,6 +19,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['location:CreateGeofenceCollection'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/location/trackerDataEncrypted.js b/plugins/aws/location/trackerDataEncrypted.js index daf490c9b7..e08309df68 100644 --- a/plugins/aws/location/trackerDataEncrypted.js +++ b/plugins/aws/location/trackerDataEncrypted.js @@ -19,6 +19,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['location:CreateTracker'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/lookout/anomalyDetectorEncrypted.js b/plugins/aws/lookout/anomalyDetectorEncrypted.js index 41235b54c7..4ef6523358 100644 --- a/plugins/aws/lookout/anomalyDetectorEncrypted.js +++ b/plugins/aws/lookout/anomalyDetectorEncrypted.js @@ -19,6 +19,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['lookoutmetrics:CreateAnomalyDetector', 'lookoutmetrics:UpdateAnomalyDetector'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/lookout/equipmentdatasetEncrypted.js b/plugins/aws/lookout/equipmentdatasetEncrypted.js index aa82b5cf7f..b9cc94fe5e 100644 --- a/plugins/aws/lookout/equipmentdatasetEncrypted.js +++ b/plugins/aws/lookout/equipmentdatasetEncrypted.js @@ -19,6 +19,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['lookoutequipment:CreateDataset'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/lookout/modelDataEncrypted.js b/plugins/aws/lookout/modelDataEncrypted.js index 4f5b08f04f..364fd81aaa 100644 --- a/plugins/aws/lookout/modelDataEncrypted.js 
+++ b/plugins/aws/lookout/modelDataEncrypted.js @@ -19,6 +19,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['lookoutvision:CreateModel'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/managedblockchain/networkMemberDataEncrypted.js b/plugins/aws/managedblockchain/networkMemberDataEncrypted.js index a6833a7178..4f341ae76b 100644 --- a/plugins/aws/managedblockchain/networkMemberDataEncrypted.js +++ b/plugins/aws/managedblockchain/networkMemberDataEncrypted.js @@ -19,6 +19,7 @@ module.exports = { default: 'awscmk', } }, + realtime_triggers: ['managedblockchain:CreateNetwork'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/memorydb/memorydbClusterEncrypted.js b/plugins/aws/memorydb/memorydbClusterEncrypted.js index c24201fc69..6c66c26614 100644 --- a/plugins/aws/memorydb/memorydbClusterEncrypted.js +++ b/plugins/aws/memorydb/memorydbClusterEncrypted.js @@ -19,6 +19,7 @@ module.exports = { default: 'awscmk', } }, + realtime_triggers: ['MemoryDB:CreateCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/mq/mqAutoMinorVersionUpgrade.js b/plugins/aws/mq/mqAutoMinorVersionUpgrade.js index 5cee02e62f..0a9a6f2f8c 100644 --- a/plugins/aws/mq/mqAutoMinorVersionUpgrade.js +++ b/plugins/aws/mq/mqAutoMinorVersionUpgrade.js @@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Enabled Auto Minor Version Upgrade feature for MQ brokers', link: 'https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/broker.html', apis: ['MQ:listBrokers', 'MQ:describeBroker'], + realtime_triggers: ['mq:CreateBrocker'], run: function(cache, settings, callback) { var results = []; From 10ed5be1f3abaefbaab3224d30c93c13091251c8 Mon Sep 17 00:00:00 2001 
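Review bot: `'MemoryDB:CreateCluster'` in memorydbClusterEncrypted is the only trigger in this commit with a capitalised service prefix; every other entry on this line (`'lookoutvision:…'`, `'managedblockchain:…'`, `'mq:…'`) is lowercase. If the matcher compares strings exactly, this trigger never fires and the check silently drops out of realtime evaluation. `realtime_triggers: ['memorydb:CreateCluster'],` follows the convention; I cannot confirm the matcher's case handling from this diff.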
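Review bot: `'mq:CreateBrocker'` in mqAutoMinorVersionUpgrade is misspelled — the Amazon MQ API action is CreateBroker, which is how mqLogExports spells it in the follow-up commit further down this page. A misspelled trigger never matches, so broker creation would not re-run this check in realtime mode, and nothing reports the mismatch. Change to `realtime_triggers: ['mq:CreateBroker'],`.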
From: --global Date: Thu, 14 Sep 2023 16:37:32 +0500 Subject: [PATCH 007/498] added tiggers for l,m,n,o --- plugins/aws/mq/mqAutoMinorVersionUpgrade.js | 2 +- plugins/aws/mq/mqBrokerEncrypted.js | 1 + plugins/aws/mq/mqBrokerPublicAccess.js | 1 + plugins/aws/mq/mqDeploymentMode.js | 1 + plugins/aws/mq/mqDesiredInstanceType.js | 1 + plugins/aws/mq/mqLatestEngineVersion.js | 1 + plugins/aws/mq/mqLogExports.js | 1 + plugins/aws/msk/mskClusterCBEncryption.js | 1 + plugins/aws/msk/mskClusterEncryptionAtRest.js | 2 ++ plugins/aws/msk/mskClusterEncryptionInTransit.js | 1 + plugins/aws/msk/mskClusterPublicAccess.js | 1 + plugins/aws/msk/mskClusterUnauthAccess.js | 1 + plugins/aws/mwaa/environmentAdminPrivileges.js | 1 + plugins/aws/mwaa/environmentDataEncrypted.js | 1 + plugins/aws/mwaa/webServerPublicAccess.js | 1 + plugins/aws/neptune/neptuneDBInstanceEncrypted.js | 1 + .../openSearchServerless/opensearchCollectionCmkEncrypted.js | 2 ++ .../openSearchServerless/opensearchCollectionPublicAccess.js | 1 + plugins/aws/opensearch/opensearchAccessFromIps.js | 1 + plugins/aws/opensearch/opensearchClusterStatus.js | 1 + plugins/aws/opensearch/opensearchCrossAccountAccess.js | 2 ++ plugins/aws/opensearch/opensearchDedicatedMasterEnabled.js | 1 + plugins/aws/opensearch/opensearchDesiredInstanceTypes.js | 1 + plugins/aws/opensearch/opensearchDomainEncryptionEnabled.js | 1 + plugins/aws/opensearch/opensearchExposedDomain.js | 1 + plugins/aws/opensearch/opensearchLoggingEnabled.js | 1 + plugins/aws/opensearch/opensearchPublicEndpoint.js | 1 + plugins/aws/opensearch/opensearchRequireIAMAuth.js | 1 + plugins/aws/opensearch/opensearchTlsVersion.js | 1 + plugins/aws/opensearch/opensearchUpgradeAvailable.js | 1 + plugins/aws/opensearch/opensearchVersion.js | 1 + plugins/aws/opensearch/opensearchZoneAwarenessEnabled.js | 2 +- plugins/aws/organizations/enableAllFeatures.js | 1 + plugins/aws/organizations/organizationInvite.js | 1 + 34 files changed, 37 insertions(+), 2 deletions(-) 
diff --git a/plugins/aws/mq/mqAutoMinorVersionUpgrade.js b/plugins/aws/mq/mqAutoMinorVersionUpgrade.js index 0a9a6f2f8c..daea040839 100644 --- a/plugins/aws/mq/mqAutoMinorVersionUpgrade.js +++ b/plugins/aws/mq/mqAutoMinorVersionUpgrade.js @@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Enabled Auto Minor Version Upgrade feature for MQ brokers', link: 'https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/broker.html', apis: ['MQ:listBrokers', 'MQ:describeBroker'], - realtime_triggers: ['mq:CreateBrocker'], + realtime_triggers: ['mq:CreateBrocker', 'mq:UpdateBrocker'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/mq/mqBrokerEncrypted.js b/plugins/aws/mq/mqBrokerEncrypted.js index 8d6e63c2ce..7a24a7c42f 100644 --- a/plugins/aws/mq/mqBrokerEncrypted.js +++ b/plugins/aws/mq/mqBrokerEncrypted.js @@ -18,6 +18,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['mq:CreateBrocker'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/mq/mqBrokerPublicAccess.js b/plugins/aws/mq/mqBrokerPublicAccess.js index 85252797f4..2af4dd8429 100644 --- a/plugins/aws/mq/mqBrokerPublicAccess.js +++ b/plugins/aws/mq/mqBrokerPublicAccess.js @@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Review and update the security group settings to restrict public access to Amazon MQ brokers.', link: 'https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/using-amazon-mq-securely.html', apis: ['MQ:listBrokers', 'MQ:describeBroker', 'EC2:describeSecurityGroups'], + realtime_triggers: ['mq:CreateBrocker', 'mq:UpdateBroker'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/mq/mqDeploymentMode.js b/plugins/aws/mq/mqDeploymentMode.js index 03c4401ddf..075c609d51 100644 --- a/plugins/aws/mq/mqDeploymentMode.js +++ b/plugins/aws/mq/mqDeploymentMode.js 
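Review bot: mqBrokerPublicAccess evaluates the broker's security groups (it calls `EC2:describeSecurityGroups` per the `apis` line above), but its triggers watch only `mq:CreateBrocker` and `mq:UpdateBroker`, so opening a broker to the internet by editing a security group rule would not be re-evaluated in realtime mode. Suggest adding `'ec2:AuthorizeSecurityGroupIngress', 'ec2:RevokeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'`. Note also that `CreateBrocker` here is misspelled while `UpdateBroker` on the same line is correct, so the create-side trigger will never fire.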
@@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Enabled Deployment Mode feature for MQ brokers', link: 'https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/active-standby-broker-deployment.html', apis: ['MQ:listBrokers'], + realtime_triggers: ['mq:CreateBrocker', 'mq:UpdateBroker'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/mq/mqDesiredInstanceType.js b/plugins/aws/mq/mqDesiredInstanceType.js index 243270dd32..b1159480de 100644 --- a/plugins/aws/mq/mqDesiredInstanceType.js +++ b/plugins/aws/mq/mqDesiredInstanceType.js @@ -18,6 +18,7 @@ module.exports = { default:'' } }, + realtime_triggers: ['mq:CreateBrocker'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/mq/mqLatestEngineVersion.js b/plugins/aws/mq/mqLatestEngineVersion.js index 17c171c69d..04cfb51244 100644 --- a/plugins/aws/mq/mqLatestEngineVersion.js +++ b/plugins/aws/mq/mqLatestEngineVersion.js @@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Update Amazon MQ brokers to the latest version of Apache ActiveMQ broker engine.', link: 'https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/activemq-version-management.html', apis: ['MQ:listBrokers', 'MQ:describeBroker'], + realtime_triggers: ['mq:CreateBrocker', 'mq:CreateConfiguration','mq:UpdateConfiguration', 'mq:UpdateBrocker'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/mq/mqLogExports.js b/plugins/aws/mq/mqLogExports.js index d6872417a5..6bbb6a34a0 100644 --- a/plugins/aws/mq/mqLogExports.js +++ b/plugins/aws/mq/mqLogExports.js @@ -10,6 +10,7 @@ module.exports = { recommended_action: 'Enable Log Exports feature for MQ brokers', link: 'https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/security-logging-monitoring.html', apis: ['MQ:listBrokers', 'MQ:describeBroker'], + realtime_triggers: ['mq:CreateBroker', 'mq:UpdateBroker'], run: function(cache, settings, callback) { var results = []; 
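Review bot: mqDesiredInstanceType is given only the (misspelled) `'mq:CreateBrocker'` trigger, but the broker instance type is also changed on an existing broker through UpdateBroker's HostInstanceType, so a downgrade to an undesired type would not be re-checked in realtime mode. Suggest `realtime_triggers: ['mq:CreateBroker', 'mq:UpdateBroker'],`, which is the spelling mqLogExports uses further along this line.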
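Review bot: mqLatestEngineVersion carries both misspellings, `'mq:CreateBrocker'` and `'mq:UpdateBrocker'`, so neither broker creation nor an engine-version update will re-run the check in realtime mode; the same typos appear in mqDeploymentMode and in the mqAutoMinorVersionUpgrade hunk just above. Since mqLogExports on this very line spells `'mq:CreateBroker', 'mq:UpdateBroker'` correctly, the file set now carries both forms and only one of them can ever match. Suggest `realtime_triggers: ['mq:CreateBroker', 'mq:CreateConfiguration', 'mq:UpdateConfiguration', 'mq:UpdateBroker'],` and a quick grep for `Brocker` across the plugin tree.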
diff --git a/plugins/aws/msk/mskClusterCBEncryption.js b/plugins/aws/msk/mskClusterCBEncryption.js index ed43b8f3d9..6197ff23fe 100644 --- a/plugins/aws/msk/mskClusterCBEncryption.js +++ b/plugins/aws/msk/mskClusterCBEncryption.js @@ -11,6 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html', recommended_action: 'Enable only TLS encryption between the client and broker for all MSK clusters', apis: ['Kafka:listClusters'], + realtime_triggers: ['kafka:CreateCluster','kafka:UpdateClusterConfiguration'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/msk/mskClusterEncryptionAtRest.js b/plugins/aws/msk/mskClusterEncryptionAtRest.js index c5be837c95..c834c9f5e0 100644 --- a/plugins/aws/msk/mskClusterEncryptionAtRest.js +++ b/plugins/aws/msk/mskClusterEncryptionAtRest.js @@ -18,6 +18,8 @@ module.exports = { default: 'awscmk', } }, + realtime_triggers: ['kafka:CreateCluster'], + run: function(cache, settings, callback) { var results = []; var source = {}; diff --git a/plugins/aws/msk/mskClusterEncryptionInTransit.js b/plugins/aws/msk/mskClusterEncryptionInTransit.js index fd71dd15d3..f4e4c68c1e 100644 --- a/plugins/aws/msk/mskClusterEncryptionInTransit.js +++ b/plugins/aws/msk/mskClusterEncryptionInTransit.js @@ -11,6 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html', recommended_action: 'Enable TLS encryption within the cluster for all MSK clusters', apis: ['Kafka:listClusters'], + realtime_triggers: ['kafka:CreateCluster','kafka:UpdateClusterConfiguration'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/msk/mskClusterPublicAccess.js b/plugins/aws/msk/mskClusterPublicAccess.js index ac5301b4ac..7e59131891 100644 --- a/plugins/aws/msk/mskClusterPublicAccess.js +++ b/plugins/aws/msk/mskClusterPublicAccess.js 
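Review bot: mskClusterCBEncryption uses `kafka:UpdateClusterConfiguration` as its update trigger, but that API swaps the Kafka server-properties configuration revision; client-broker encryption on an existing cluster is changed through UpdateSecurity, so a downgrade from TLS to PLAINTEXT would not re-run this check in realtime mode. Suggest `realtime_triggers: ['kafka:CreateCluster', 'kafka:UpdateSecurity'],`. The same substitution applies to mskClusterEncryptionInTransit in the next hunk and to mskClusterUnauthAccess below, both of which read settings that UpdateSecurity modifies. If the account creates clusters through the V2 API, `'kafka:CreateClusterV2'` may be needed as well — unverified from this diff.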
@@ -11,6 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/msk/latest/developerguide/public-access.html', recommended_action: 'Check for public access feature within the cluster for all MSK clusters', apis: ['Kafka:listClusters'], + realtime_triggers: ['kafka:CreateCluster','kafka:UpdateConnectivity'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/msk/mskClusterUnauthAccess.js b/plugins/aws/msk/mskClusterUnauthAccess.js index e8725e6799..df925bcaa9 100644 --- a/plugins/aws/msk/mskClusterUnauthAccess.js +++ b/plugins/aws/msk/mskClusterUnauthAccess.js @@ -11,6 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/msk/latest/developerguide/msk-authentication.html', recommended_action: 'Ensure that MSK clusters does not have unauthenticated access enabled.', apis: ['Kafka:listClusters'], + realtime_triggers: ['kafka:CreateCluster','kafka:UpdateClusterConfiguration'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/mwaa/environmentAdminPrivileges.js b/plugins/aws/mwaa/environmentAdminPrivileges.js index 12c8c397e5..38aa54aa1d 100644 --- a/plugins/aws/mwaa/environmentAdminPrivileges.js +++ b/plugins/aws/mwaa/environmentAdminPrivileges.js @@ -11,6 +11,7 @@ module.exports = { recommended_action: 'Modify IAM role attached with MWAA environment to provide the minimal amount of access required to perform its tasks', apis: ['MWAA:listEnvironments', 'MWAA:getEnvironment', 'IAM:listRoles', 'IAM:listAttachedRolePolicies', 'IAM:listRolePolicies', 'IAM:listPolicies', 'IAM:getPolicy', 'IAM:getPolicyVersion', 'IAM:getRolePolicy', 'STS:getCallerIdentity'], + realtime_triggers: ['mwaa:CreateEnvironment','mwaa:UpdateEnviroment'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/mwaa/environmentDataEncrypted.js b/plugins/aws/mwaa/environmentDataEncrypted.js index 582cf5b3d2..3b315eabca 100644 --- a/plugins/aws/mwaa/environmentDataEncrypted.js 
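Review bot: `'mwaa:UpdateEnviroment'` in environmentAdminPrivileges is misspelled (UpdateEnvironment), so environment updates will never re-trigger this check in realtime mode. The check also derives its verdict from the execution role's IAM policies (see the IAM calls in its `apis` list), which can be broadened without any MWAA event at all; suggest `realtime_triggers: ['mwaa:CreateEnvironment', 'mwaa:UpdateEnvironment', 'iam:AttachRolePolicy', 'iam:PutRolePolicy', 'iam:CreatePolicyVersion'],`, mirroring the gap in the lambdaAdminPrivileges hunk earlier in this page.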
+++ b/plugins/aws/mwaa/environmentDataEncrypted.js @@ -19,6 +19,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['mwaa:CreateEnvironment'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/mwaa/webServerPublicAccess.js b/plugins/aws/mwaa/webServerPublicAccess.js index 52d1ca99b5..44896bb915 100644 --- a/plugins/aws/mwaa/webServerPublicAccess.js +++ b/plugins/aws/mwaa/webServerPublicAccess.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/mwaa/latest/userguide/vpc-create.html', recommended_action: 'Modify Amazon MWAA environments to set web server access mode to be private only', apis: ['MWAA:listEnvironments', 'MWAA:getEnvironment', 'STS:getCallerIdentity'], + realtime_triggers: ['mwaa:CreateEnvironment','mwaa:UpdateEnviroment'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/neptune/neptuneDBInstanceEncrypted.js b/plugins/aws/neptune/neptuneDBInstanceEncrypted.js index 8c03a0d0d8..31f9dad7c1 100644 --- a/plugins/aws/neptune/neptuneDBInstanceEncrypted.js +++ b/plugins/aws/neptune/neptuneDBInstanceEncrypted.js @@ -20,6 +20,7 @@ module.exports = { default: 'awscmk', } }, + realtime_triggers: ['neptune:CreateDBCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/openSearchServerless/opensearchCollectionCmkEncrypted.js b/plugins/aws/openSearchServerless/opensearchCollectionCmkEncrypted.js index 2ecf47f671..44ad6e1da1 100644 --- a/plugins/aws/openSearchServerless/opensearchCollectionCmkEncrypted.js +++ b/plugins/aws/openSearchServerless/opensearchCollectionCmkEncrypted.js @@ -19,6 +19,8 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['opensearchserverless:CreateCollection'], + run: function(cache, settings, callback) { var results = []; var source = {}; 
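Review bot: webServerPublicAccess repeats the `'mwaa:UpdateEnviroment'` misspelling, and here it matters most: web-server access mode is switched from PRIVATE_ONLY to PUBLIC_ONLY through UpdateEnvironment, so the exact event that exposes the Airflow UI would never re-run the check in realtime mode. Change to `realtime_triggers: ['mwaa:CreateEnvironment', 'mwaa:UpdateEnvironment'],`.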
diff --git a/plugins/aws/openSearchServerless/opensearchCollectionPublicAccess.js b/plugins/aws/openSearchServerless/opensearchCollectionPublicAccess.js index a9abc1f1d5..c325275c26 100644 --- a/plugins/aws/openSearchServerless/opensearchCollectionPublicAccess.js +++ b/plugins/aws/openSearchServerless/opensearchCollectionPublicAccess.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-network.html', recommended_action: 'Update the network policy and remove the public access to the collection.', apis: ['OpenSearchServerless:listNetworkSecurityPolicies', 'OpenSearchServerless:getNetworkSecurityPolicy', 'OpenSearchServerless:listCollections'], + realtime_triggers: ['opensearchserverless:CreateCollection', 'opensearchserverless:CreateSecurityPolicy', 'opensearchserverless:UpdateSecurityPolicy','opensearchserverless:DeleteSecurityPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/opensearch/opensearchAccessFromIps.js b/plugins/aws/opensearch/opensearchAccessFromIps.js index 3e8edb310d..2819498265 100644 --- a/plugins/aws/opensearch/opensearchAccessFromIps.js +++ b/plugins/aws/opensearch/opensearchAccessFromIps.js @@ -18,6 +18,7 @@ module.exports = { default: '' } }, + realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/opensearch/opensearchClusterStatus.js b/plugins/aws/opensearch/opensearchClusterStatus.js index 20e953044d..7ef4bf389c 100644 --- a/plugins/aws/opensearch/opensearchClusterStatus.js +++ b/plugins/aws/opensearch/opensearchClusterStatus.js 
@@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/opensearch-service/latest/developerguide/cloudwatch-alarms.html', recommended_action: 'Configure alarms to send notification if cluster status remains red for more than a minute.', apis: ['OpenSearch:listDomainNames', 'CloudWatch:getEsMetricStatistics', 'STS:getCallerIdentity'], + realtime_triggers: ['openSearch:CreateDomain', 'opensearch:UpdateDomainConfig'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/opensearch/opensearchCrossAccountAccess.js b/plugins/aws/opensearch/opensearchCrossAccountAccess.js index 85b3af9ea3..940a80f6c3 100644 --- a/plugins/aws/opensearch/opensearchCrossAccountAccess.js +++ b/plugins/aws/opensearch/opensearchCrossAccountAccess.js @@ -37,6 +37,8 @@ module.exports = { default: 'aws:PrincipalArn,aws:PrincipalAccount,aws:PrincipalOrgID,aws:SourceAccount,aws:SourceArn,aws:SourceOwner' }, }, + realtime_triggers: ['opensearch:CreateDomain','opensearch:UpdateDomainConfig'], + run: function(cache, settings, callback) { var config= { os_whitelisted_aws_account_principals : settings.os_whitelisted_aws_account_principals || this.settings.os_whitelisted_aws_account_principals.default, diff --git a/plugins/aws/opensearch/opensearchDedicatedMasterEnabled.js b/plugins/aws/opensearch/opensearchDedicatedMasterEnabled.js index 350c2e61c6..44b9122604 100644 --- a/plugins/aws/opensearch/opensearchDedicatedMasterEnabled.js +++ b/plugins/aws/opensearch/opensearchDedicatedMasterEnabled.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/opensearch-service/latest/developerguide/managedomains-dedicatedmasternodes.html', recommended_action: 'Update the domain to use dedicated master nodes.', apis: ['OpenSearch:listDomainNames', 'OpenSearch:describeDomain', 'STS:getCallerIdentity'], + realtime_triggers: ['opensearch:CreateDomain','opensearch:UpdateDomainConfig'], run: function(cache, settings, callback) { var results = []; 
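Review bot: opensearchClusterStatus lists `'openSearch:CreateDomain'` with a capital S while the second entry on the same line and every other OpenSearch hunk in this commit use `'opensearch:…'`; if the matcher compares exactly, the create-side trigger for this one plugin never fires. Suggest `realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig'],`. Note too that this plugin evaluates a CloudWatch metric rather than domain configuration, so neither trigger reflects the condition it reports — a caveat worth recording next to the list.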
diff --git a/plugins/aws/opensearch/opensearchDesiredInstanceTypes.js b/plugins/aws/opensearch/opensearchDesiredInstanceTypes.js index 825151da71..1efad7e53f 100644 --- a/plugins/aws/opensearch/opensearchDesiredInstanceTypes.js +++ b/plugins/aws/opensearch/opensearchDesiredInstanceTypes.js @@ -24,6 +24,7 @@ module.exports = { default: '' } }, + realtime_triggers: ['opensearch:CreateDomain'], run: function(cache, settings, callback) { const results = []; diff --git a/plugins/aws/opensearch/opensearchDomainEncryptionEnabled.js b/plugins/aws/opensearch/opensearchDomainEncryptionEnabled.js index b1e1041368..2b1f5e25cc 100644 --- a/plugins/aws/opensearch/opensearchDomainEncryptionEnabled.js +++ b/plugins/aws/opensearch/opensearchDomainEncryptionEnabled.js @@ -18,6 +18,7 @@ module.exports = { default: 'awscmk', } }, + realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/opensearch/opensearchExposedDomain.js b/plugins/aws/opensearch/opensearchExposedDomain.js index d6495cef4c..4fd6aa519c 100644 --- a/plugins/aws/opensearch/opensearchExposedDomain.js +++ b/plugins/aws/opensearch/opensearchExposedDomain.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html', recommended_action: 'Update OpenSearch domain to set access control.', apis: ['OpenSearch:listDomainNames', 'OpenSearch:describeDomain', 'STS:getCallerIdentity'], + realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/opensearch/opensearchLoggingEnabled.js b/plugins/aws/opensearch/opensearchLoggingEnabled.js index 32b21bbb23..d3a7a214e0 100644 --- a/plugins/aws/opensearch/opensearchLoggingEnabled.js +++ b/plugins/aws/opensearch/opensearchLoggingEnabled.js 
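Review bot: opensearchDesiredInstanceTypes is given only `'opensearch:CreateDomain'`, but a domain's instance types live in ClusterConfig and are changed through UpdateDomainConfig, so a later switch to an undesired type would not be re-checked in realtime mode. Every sibling configuration check in this commit (encryption, TLS, dedicated master, zone awareness) pairs CreateDomain with UpdateDomainConfig; suggest `realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig'],` here as well.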
@@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/opensearch-service/latest/developerguide/createdomain-configure-slow-logs.html', recommended_action: 'Ensure logging is enabled and a CloudWatch log group is specified for each OpenSearch domain.', apis: ['OpenSearch:listDomainNames', 'OpenSearch:describeDomain'], + realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/opensearch/opensearchPublicEndpoint.js b/plugins/aws/opensearch/opensearchPublicEndpoint.js index 645a3db149..b273453acd 100644 --- a/plugins/aws/opensearch/opensearchPublicEndpoint.js +++ b/plugins/aws/opensearch/opensearchPublicEndpoint.js @@ -18,6 +18,7 @@ module.exports = { default: 'false' }, }, + realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/opensearch/opensearchRequireIAMAuth.js b/plugins/aws/opensearch/opensearchRequireIAMAuth.js index 767219c01d..747972334d 100644 --- a/plugins/aws/opensearch/opensearchRequireIAMAuth.js +++ b/plugins/aws/opensearch/opensearchRequireIAMAuth.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html', recommended_action: 'Configure the OpenSearch domain to have an access policy without a global principal or no principal', apis: ['OpenSearch:listDomainNames', 'OpenSearch:describeDomain'], + realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/opensearch/opensearchTlsVersion.js b/plugins/aws/opensearch/opensearchTlsVersion.js index 10678f12d6..26339f9188 100644 --- a/plugins/aws/opensearch/opensearchTlsVersion.js +++ b/plugins/aws/opensearch/opensearchTlsVersion.js 
@@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/opensearch-service/latest/developerguide/what-is.html', recommended_action: 'Update OpenSearch domain to set TLSSecurityPolicy to contain TLS version 1.2.', apis: ['OpenSearch:listDomainNames', 'OpenSearch:describeDomain', 'STS:getCallerIdentity'], + realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig'], run: function(cache, settings, callback) { const results = []; diff --git a/plugins/aws/opensearch/opensearchUpgradeAvailable.js b/plugins/aws/opensearch/opensearchUpgradeAvailable.js index b1a6d0d3da..98ecfbc3ca 100644 --- a/plugins/aws/opensearch/opensearchUpgradeAvailable.js +++ b/plugins/aws/opensearch/opensearchUpgradeAvailable.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/opensearch-service/latest/developerguide/version-migration.html', recommended_action: 'Ensure each OpenSearch domain is running the latest service software and update out-of-date domains.', apis: ['OpenSearch:listDomainNames', 'OpenSearch:describeDomain'], + realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/opensearch/opensearchVersion.js b/plugins/aws/opensearch/opensearchVersion.js index d67c0a53fe..c4b66531e8 100644 --- a/plugins/aws/opensearch/opensearchVersion.js +++ b/plugins/aws/opensearch/opensearchVersion.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/opensearch-service/latest/developerguide/what-is.html', recommended_action: 'Update OpenSearch domain to set to latest engine version.', apis: ['OpenSearch:listDomainNames', 'OpenSearch:describeDomain'], + realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig'], run:function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/opensearch/opensearchZoneAwarenessEnabled.js b/plugins/aws/opensearch/opensearchZoneAwarenessEnabled.js index 7263710ea9..fba41f24cd 100644 --- a/plugins/aws/opensearch/opensearchZoneAwarenessEnabled.js +++ b/plugins/aws/opensearch/opensearchZoneAwarenessEnabled.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://aws.amazon.com/blogs/security/how-to-control-access-to-your-amazon-elasticsearch-service-domain/', recommended_action: 'Modify OpenSearch domain configuration and enable domain zone awareness.', apis: ['OpenSearch:listDomainNames', 'OpenSearch:describeDomain', 'STS:getCallerIdentity'], - + realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/organizations/enableAllFeatures.js b/plugins/aws/organizations/enableAllFeatures.js index 6d24df8faf..1d00b26e7b 100644 --- a/plugins/aws/organizations/enableAllFeatures.js +++ b/plugins/aws/organizations/enableAllFeatures.js @@ -9,6 +9,7 @@ module.exports = { recommended_action: 'Enable all AWS Organizations features.', link: 'https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html?icmpid=docs_orgs_console', apis: ['Organizations:describeOrganization'], + realtime_triggers: ['organizations:CreateOrganization', 'organizations:EnableAllFeatures'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/organizations/organizationInvite.js b/plugins/aws/organizations/organizationInvite.js index 842c80564f..273576d215 100644 --- a/plugins/aws/organizations/organizationInvite.js +++ b/plugins/aws/organizations/organizationInvite.js 
@@ -9,6 +9,7 @@ module.exports = { recommended_action: 'Enable all AWS Organizations features', link: 'https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html?icmpid=docs_orgs_console', apis: ['Organizations:listHandshakesForAccount'], + realtime_triggers: ['organizations:CreateOrganization', 'organizations:AcceptHandshake' ,'organizations:DeclineHandshake', 'organizations:CancleHandshake'], run: function(cache, settings, callback) { var results = []; From 983e56316b25c855d7254043a0100f611c118905 Mon Sep 17 00:00:00 2001 
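Review bot: `'organizations:CancleHandshake'` in the added `realtime_triggers` line does not match the Organizations API action, which is spelled `CancelHandshake`; if triggers are matched literally against incoming event names (which seems to be the intent), a misspelled entry never fires and a cancelled handshake will not re-run this check. There is also a stray space before the comma after `'organizations:AcceptHandshake'`. Suggested line: `realtime_triggers: ['organizations:CreateOrganization', 'organizations:AcceptHandshake', 'organizations:DeclineHandshake', 'organizations:CancelHandshake'],`. Nothing in the diff validates these strings, so a spec that checks every plugin's `realtime_triggers` entries against a known-action list would turn this class of typo into a build failure instead of a silent gap in realtime coverage. The `module.exports` object this line belongs to continues outside the hunk.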
From: --global Date: Thu, 14 Sep 2023 17:03:54 +0500 Subject: [PATCH 008/498] added tiggers for p,q,r,w --- plugins/aws/proton/environmentTemplateEncrypted.js | 1 + plugins/aws/qldb/ledgerEncrypted.js | 1 + plugins/aws/rds/iamDbAuthenticationEnabled.js | 1 + plugins/aws/rds/idleRDSInstance.js | 1 + plugins/aws/rds/mysqlVulnerabilityCheck.js | 1 + plugins/aws/rds/overutilizedRDSInstance.js | 1 + plugins/aws/rds/rdsAutomatedBackups.js | 1 + plugins/aws/rds/rdsCmkEncryptionEnabled.js | 1 + plugins/aws/rds/rdsDefaultPort.js | 1 + plugins/aws/rds/rdsDefaultUsername.js | 1 + plugins/aws/rds/rdsDeletionProtectionEnabled.js | 1 + plugins/aws/rds/rdsEncryptionEnabled.js | 1 + plugins/aws/rds/rdsInstanceGeneration.js | 1 + plugins/aws/rds/rdsInstanceHasTags.js | 1 + plugins/aws/rds/rdsLoggingEnabled.js | 1 + plugins/aws/rds/rdsMinorVersionUpgrade.js | 1 + plugins/aws/rds/rdsMultiAz.js | 1 + plugins/aws/rds/rdsPublicSubnet.js | 1 + plugins/aws/rds/rdsPubliclyAccessible.js | 1 + plugins/aws/rds/rdsRestorable.js | 1 + plugins/aws/rds/rdsSnapshotEncryption.js | 1 + plugins/aws/rds/rdsSnapshotPubliclyAccessible.js | 1 + plugins/aws/rds/rdsTransportEncryption.js | 1 + plugins/aws/redshift/auditLoggingEnabled.js | 1 + plugins/aws/redshift/redshiftAllowVersionUpgrade.js | 1 + plugins/aws/redshift/redshiftClusterCmkEncrypted.js | 1 + plugins/aws/redshift/redshiftClusterDefaultPort.js | 1 + plugins/aws/redshift/redshiftClusterInVpc.js | 1 + plugins/aws/redshift/redshiftClusterMasterUsername.js | 1 + plugins/aws/redshift/redshiftDesiredNodeType.js | 1 + plugins/aws/redshift/redshiftEncryptionEnabled.js | 1 + plugins/aws/redshift/redshiftNodesCount.js | 1 + plugins/aws/redshift/redshiftPubliclyAccessible.js | 1 + plugins/aws/redshift/redshiftSSLEnabled.js | 1 + plugins/aws/redshift/redshiftUnusedReservedNodes.js | 1 + plugins/aws/redshift/snapshotRetentionPeriod.js | 1 + plugins/aws/redshift/underutilizedRedshiftCluster.js | 1 + plugins/aws/redshift/userActivityLoggingEnabled.js | 1 + 
plugins/aws/route53/danglingDnsRecords.js | 1 + plugins/aws/route53/domainAutoRenew.js | 2 ++ plugins/aws/route53/domainExpiry.js | 2 ++ plugins/aws/route53/domainTransferLock.js | 1 + plugins/aws/route53/privacyProtection.js | 1 + plugins/aws/route53/senderPolicyFwInUse.js | 1 + plugins/aws/route53/senderPolicyFwRecordPresent.js | 1 + plugins/aws/waf/wafInUse.js | 1 + plugins/aws/wafv2/aclRulesDefaultAction.js | 1 + plugins/aws/wafv2/wafv2CloudwatchMetricsEnabled.js | 1 + plugins/aws/wafv2/wafv2InUse.js | 1 + plugins/aws/workspaces/unusedWorkspaces.js | 1 + plugins/aws/workspaces/workspacesDesiredBundleType.js | 1 + plugins/aws/workspaces/workspacesInstanceCount.js | 1 + plugins/aws/workspaces/workspacesIpAccessControl.js | 1 + plugins/aws/workspaces/workspacesVolumeEncryption.js | 1 + 54 files changed, 56 insertions(+) diff --git a/plugins/aws/proton/environmentTemplateEncrypted.js b/plugins/aws/proton/environmentTemplateEncrypted.js index afa4aea489..6eff30bb69 100644 --- a/plugins/aws/proton/environmentTemplateEncrypted.js +++ b/plugins/aws/proton/environmentTemplateEncrypted.js @@ -18,6 +18,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['proton:CreateEnviromentTemplate'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/qldb/ledgerEncrypted.js b/plugins/aws/qldb/ledgerEncrypted.js index 4b36718b5b..0a926e1c15 100644 --- a/plugins/aws/qldb/ledgerEncrypted.js +++ b/plugins/aws/qldb/ledgerEncrypted.js @@ -19,6 +19,7 @@ module.exports = { default: 'awscmk' } }, + realtime_triggers: ['qldb:CreateLedger', 'qldb:UpdateLedger'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/iamDbAuthenticationEnabled.js b/plugins/aws/rds/iamDbAuthenticationEnabled.js index b2ef90fef1..54177a31ea 100644 --- a/plugins/aws/rds/iamDbAuthenticationEnabled.js +++ b/plugins/aws/rds/iamDbAuthenticationEnabled.js 
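Review bot: `'proton:CreateEnviromentTemplate'` in the environmentTemplateEncrypted hunk misspells the Proton action, which is `CreateEnvironmentTemplate`; a trigger that does not match the real event name will presumably never cause a realtime re-evaluation of the check. The same defect (hand-typed action names that differ from the API) appears later in this patch: `'rds:RemoveTagsToResource'` in rdsInstanceHasTags should be `rds:RemoveTagsFromResource`, `'route53Domain:EnableDomainTransferLock'` in domainTransferLock uses a service prefix different from the `route53domains` used by its sibling entry, and `'waf:DeleteWebAcl'`, `'wafv2:updateWebACL'` and `'wafv2:DeleteWebAcl'` in wafInUse, wafv2CloudwatchMetricsEnabled and wafv2InUse differ in case from `DeleteWebACL` / `UpdateWebACL`, which matters if the comparison is case-sensitive. Suggested line here: `realtime_triggers: ['proton:CreateEnvironmentTemplate'],`. Since the commit touches 54 files with no test, a spec asserting each `realtime_triggers` value against a list of known actions would catch all of these at once. The `module.exports` object continues outside each hunk.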
@@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth.html', recommended_action: 'Modify the PostgreSQL and MySQL type RDS instances to enable IAM database authentication.', apis: ['RDS:describeDBInstances'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/idleRDSInstance.js b/plugins/aws/rds/idleRDSInstance.js index dd1eb54705..b098db8692 100644 --- a/plugins/aws/rds/idleRDSInstance.js +++ b/plugins/aws/rds/idleRDSInstance.js @@ -30,6 +30,7 @@ module.exports = { default: '20' } }, + realtime_triggers: ['rds:CreateDBInstance','rds:DeleteDBInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/mysqlVulnerabilityCheck.js b/plugins/aws/rds/mysqlVulnerabilityCheck.js index f55d42da74..b8cf347a6c 100644 --- a/plugins/aws/rds/mysqlVulnerabilityCheck.js +++ b/plugins/aws/rds/mysqlVulnerabilityCheck.js @@ -9,6 +9,7 @@ module.exports = { link: 'https://aws.amazon.com/security/security-bulletins/mysql-5-5-and-5-6-security-advisory/', recommended_action: 'Update the MySQL engine version to a more recent, patched version to mitigate the vulnerabilities.', apis: ['RDS:describeDBInstances'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/overutilizedRDSInstance.js b/plugins/aws/rds/overutilizedRDSInstance.js index dc141e498e..2a71633222 100644 --- a/plugins/aws/rds/overutilizedRDSInstance.js +++ b/plugins/aws/rds/overutilizedRDSInstance.js @@ -18,6 +18,7 @@ module.exports = { default: '90' } }, + realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/rdsAutomatedBackups.js b/plugins/aws/rds/rdsAutomatedBackups.js index d4a258a10b..a8ec4ff0ab 100644 
--- a/plugins/aws/rds/rdsAutomatedBackups.js +++ b/plugins/aws/rds/rdsAutomatedBackups.js @@ -18,6 +18,7 @@ module.exports = { default: 6 } }, + realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/rds/rdsCmkEncryptionEnabled.js b/plugins/aws/rds/rdsCmkEncryptionEnabled.js index 2656eaf0a4..e729ea13c9 100644 --- a/plugins/aws/rds/rdsCmkEncryptionEnabled.js +++ b/plugins/aws/rds/rdsCmkEncryptionEnabled.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html', recommended_action: 'RDS does not currently allow modifications to encryption after the instance has been launched, so a new instance will need to be created with KMS CMK encryption enabled.', apis: ['RDS:describeDBInstances', 'KMS:listAliases'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/rdsDefaultPort.js b/plugins/aws/rds/rdsDefaultPort.js index 18c1ba08ba..13d3380df3 100644 --- a/plugins/aws/rds/rdsDefaultPort.js +++ b/plugins/aws/rds/rdsDefaultPort.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_CommonTasks.Connect.html', recommended_action: 'Change the default port number of the RDS instance to non-default port.', apis: ['RDS:describeDBInstances'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/rdsDefaultUsername.js b/plugins/aws/rds/rdsDefaultUsername.js index 58636b530d..a91148e928 100644 --- a/plugins/aws/rds/rdsDefaultUsername.js +++ b/plugins/aws/rds/rdsDefaultUsername.js 
@@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateDBInstance.html', recommended_action: 'Create a new RDS instance with the desired username, and migrate the database to the new instance.', apis: ['RDS:describeDBInstances'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/rdsDeletionProtectionEnabled.js b/plugins/aws/rds/rdsDeletionProtectionEnabled.js index 271e5e1091..d9011b9251 100644 --- a/plugins/aws/rds/rdsDeletionProtectionEnabled.js +++ b/plugins/aws/rds/rdsDeletionProtectionEnabled.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-rds-now-provides-database-deletion-protection/', recommended_action: 'Modify the RDS instances to enable deletion protection.', apis: ['RDS:describeDBInstances'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/rdsEncryptionEnabled.js b/plugins/aws/rds/rdsEncryptionEnabled.js index 7688547fb2..09fabc0366 100644 --- a/plugins/aws/rds/rdsEncryptionEnabled.js +++ b/plugins/aws/rds/rdsEncryptionEnabled.js @@ -33,6 +33,7 @@ module.exports = { 'encryption should be enabled for all instances storing this type ' + 'of data.' }, + realtime_triggers: ['rds:CreateDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/rds/rdsInstanceGeneration.js b/plugins/aws/rds/rdsInstanceGeneration.js index c8c7349da9..5fcd4dd72a 100644 --- a/plugins/aws/rds/rdsInstanceGeneration.js +++ b/plugins/aws/rds/rdsInstanceGeneration.js 
@@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.DBInstanceClass.html', recommended_action: 'Upgrade the instance to its latest generation.', apis: ['RDS:describeDBInstances'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/rdsInstanceHasTags.js b/plugins/aws/rds/rdsInstanceHasTags.js index 32dc0568e4..147015d873 100644 --- a/plugins/aws/rds/rdsInstanceHasTags.js +++ b/plugins/aws/rds/rdsInstanceHasTags.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html', recommended_action: 'Modify the RDS instance to add tags.', apis: ['RDS:describeDBInstances'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:AddTagsToResource', 'rds:RemoveTagsToResource'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/rdsLoggingEnabled.js b/plugins/aws/rds/rdsLoggingEnabled.js index 37b9ed703f..b68daf0347 100755 --- a/plugins/aws/rds/rdsLoggingEnabled.js +++ b/plugins/aws/rds/rdsLoggingEnabled.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html', recommended_action: 'Modify the RDS instance to enable logging as required.', apis: ['RDS:describeDBInstances', 'RDS:describeDBEngineVersions'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/rdsMinorVersionUpgrade.js b/plugins/aws/rds/rdsMinorVersionUpgrade.js index ec91308207..dae800add9 100644 --- a/plugins/aws/rds/rdsMinorVersionUpgrade.js +++ b/plugins/aws/rds/rdsMinorVersionUpgrade.js 
@@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Upgrading.html#USER_UpgradeDBInstance.Upgrading.AutoMinorVersionUpgrades', recommended_action: 'Enable automatic minor version upgrades on RDS and DocumentDB databases', apis: ['RDS:describeDBInstances'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/rdsMultiAz.js b/plugins/aws/rds/rdsMultiAz.js index fcd559bcd2..2376c2dc5a 100644 --- a/plugins/aws/rds/rdsMultiAz.js +++ b/plugins/aws/rds/rdsMultiAz.js @@ -18,6 +18,7 @@ module.exports = { default: 'false' } }, + realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/rds/rdsPublicSubnet.js b/plugins/aws/rds/rdsPublicSubnet.js index c596a2587d..63c3f78b3a 100644 --- a/plugins/aws/rds/rdsPublicSubnet.js +++ b/plugins/aws/rds/rdsPublicSubnet.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/config/latest/developerguide/rds-instance-public-access-check.html', recommended_action: 'Replace the subnet groups of rds instance with the private subnets.', apis: ['RDS:describeDBInstances', 'EC2:describeRouteTables', 'EC2:describeSubnets'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/rdsPubliclyAccessible.js b/plugins/aws/rds/rdsPubliclyAccessible.js index 63422f999a..dad001a4c7 100644 --- a/plugins/aws/rds/rdsPubliclyAccessible.js +++ b/plugins/aws/rds/rdsPubliclyAccessible.js @@ -20,6 +20,7 @@ module.exports = { 'Ensure RDS instances are not accessible from the Internet ' + 'and use proper jump box access mechanisms.' }, + realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/rds/rdsRestorable.js b/plugins/aws/rds/rdsRestorable.js index 60c2862532..45da51d01c 100644 --- a/plugins/aws/rds/rdsRestorable.js +++ b/plugins/aws/rds/rdsRestorable.js @@ -29,6 +29,7 @@ module.exports = { default: 6 } }, + realtime_triggers: ['rds:CreateDBInstance'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/rds/rdsSnapshotEncryption.js b/plugins/aws/rds/rdsSnapshotEncryption.js index 3febf98bbe..485869c9c1 100644 --- a/plugins/aws/rds/rdsSnapshotEncryption.js +++ b/plugins/aws/rds/rdsSnapshotEncryption.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html', recommended_action: 'Copy the snapshot to a new snapshot that is encrypted and delete the old snapshot.', apis: ['RDS:describeDBSnapshots'], + realtime_triggers: ['rds:CreateDBSnapshot', 'rds:CopyDBSnapshot', 'rds:DeleteDBSnapshot'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/rdsSnapshotPubliclyAccessible.js b/plugins/aws/rds/rdsSnapshotPubliclyAccessible.js index 18e2ca3267..ece0a30db4 100644 --- a/plugins/aws/rds/rdsSnapshotPubliclyAccessible.js +++ b/plugins/aws/rds/rdsSnapshotPubliclyAccessible.js @@ -11,6 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html', recommended_action: 'Ensure Amazon RDS database snapshot is not publicly accessible and available for any AWS account to copy or restore it.', apis: ['RDS:describeDBSnapshots', 'RDS:describeDBSnapshotAttributes'], + realtime_triggers: ['rds:CreateDBSnapshot', 'rds:ModifyDBSnapshotAttribute'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/rdsTransportEncryption.js b/plugins/aws/rds/rdsTransportEncryption.js index 9bd10cfc4d..d31b08f2f7 100644 --- a/plugins/aws/rds/rdsTransportEncryption.js +++ b/plugins/aws/rds/rdsTransportEncryption.js 
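Review bot: The rdsRestorable hunk registers only `'rds:CreateDBInstance'`, although the surrounding settings (`default: 6` feeding `var config`) suggest the check evaluates a per-instance backup/restore window that `rds:ModifyDBInstance` can change after creation; if that reading is right, a retention change would not re-run the check. The sibling rdsAutomatedBackups hunk in this same patch uses both actions, so `realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance'],` would keep the two consistent. The `run` body that would confirm which attribute is evaluated lies outside the hunk.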
@@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html', recommended_action: 'Update the parameter group associated with the RDS instance to have rds.force_ssl set to true', apis: ['RDS:describeDBInstances', 'RDS:describeDBParameters', 'RDS:describeDBParameterGroups'], + realtime_triggers: ['rds:CreateDBParameterGroup', 'rds:ModifyDBParameterGroup'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/auditLoggingEnabled.js b/plugins/aws/redshift/auditLoggingEnabled.js index 40543696c3..45f406fd46 100644 --- a/plugins/aws/redshift/auditLoggingEnabled.js +++ b/plugins/aws/redshift/auditLoggingEnabled.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing-console.html', recommended_action: 'Modify Redshift clusters to enable audit logging', apis: ['Redshift:describeClusters', 'Redshift:describeLoggingStatus', 'STS:getCallerIdentity'], + realtime_triggers: ['redshift:CreateCluster', 'redshift:EditLogging'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/redshiftAllowVersionUpgrade.js b/plugins/aws/redshift/redshiftAllowVersionUpgrade.js index 6b47ce1d71..dd55b3fea1 100644 --- a/plugins/aws/redshift/redshiftAllowVersionUpgrade.js +++ b/plugins/aws/redshift/redshiftAllowVersionUpgrade.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.amazonaws.cn/en_us/redshift/latest/mgmt/redshift-mgmt.pdf', recommended_action: 'Modify Redshift clusters to allow version upgrade', apis: ['Redshift:describeClusters', 'STS:getCallerIdentity'], + realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/redshiftClusterCmkEncrypted.js b/plugins/aws/redshift/redshiftClusterCmkEncrypted.js index 2e9dcf4edc..562af0988f 100644 
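Review bot: The rdsTransportEncryption hunk triggers only on parameter-group create/modify, yet the check reads `RDS:describeDBInstances` and resolves each instance's parameter group, so creating an instance or switching it to a different group (`rds:CreateDBInstance`, `rds:ModifyDBInstance`) changes which `rds.force_ssl` value applies without re-running the check; `rds:ResetDBParameterGroup` likewise reverts the parameter without a Modify event. Suggested line: `realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:CreateDBParameterGroup', 'rds:ModifyDBParameterGroup', 'rds:ResetDBParameterGroup'],`. The `run` body continues outside the hunk.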
--- a/plugins/aws/redshift/redshiftClusterCmkEncrypted.js +++ b/plugins/aws/redshift/redshiftClusterCmkEncrypted.js @@ -10,6 +10,7 @@ module.exports = { link: 'http://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html', recommended_action: 'Update Redshift clusters encryption configuration to use KMS CMKs instead of AWS managed-keys.', apis: ['Redshift:describeClusters', 'KMS:listAliases', 'STS:getCallerIdentity'], + realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/redshiftClusterDefaultPort.js b/plugins/aws/redshift/redshiftClusterDefaultPort.js index 5e7fcc9367..55e17d3c5b 100644 --- a/plugins/aws/redshift/redshiftClusterDefaultPort.js +++ b/plugins/aws/redshift/redshiftClusterDefaultPort.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.amazonaws.cn/en_us/redshift/latest/gsg/rs-gsg-launch-sample-cluster.html', recommended_action: 'Update Amazon Redshift cluster endpoint port.', apis: ['Redshift:describeClusters', 'STS:getCallerIdentity'], + realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/redshiftClusterInVpc.js b/plugins/aws/redshift/redshiftClusterInVpc.js index 16dd5dc6c6..756f1e7bf4 100644 --- a/plugins/aws/redshift/redshiftClusterInVpc.js +++ b/plugins/aws/redshift/redshiftClusterInVpc.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#cluster-platforms', recommended_action: 'Update Amazon Redshift cluster and attach it to VPC', apis: ['Redshift:describeClusters', 'STS:getCallerIdentity'], + realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/redshift/redshiftClusterMasterUsername.js b/plugins/aws/redshift/redshiftClusterMasterUsername.js index 48bd0bad3e..787db8e4d6 100644 --- a/plugins/aws/redshift/redshiftClusterMasterUsername.js +++ b/plugins/aws/redshift/redshiftClusterMasterUsername.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.amazonaws.cn/en_us/redshift/latest/gsg/rs-gsg-launch-sample-cluster.html', recommended_action: 'Update Amazon Redshift cluster master username.', apis: ['Redshift:describeClusters', 'STS:getCallerIdentity'], + realtime_triggers: ['redshift:CreateCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/redshiftDesiredNodeType.js b/plugins/aws/redshift/redshiftDesiredNodeType.js index 4859257e90..56a70634b5 100644 --- a/plugins/aws/redshift/redshiftDesiredNodeType.js +++ b/plugins/aws/redshift/redshiftDesiredNodeType.js @@ -18,6 +18,7 @@ module.exports = { default: '' }, }, + realtime_triggers: ['redshift:CreateCluster'], run: function(cache, settings, callback) { var redshift_cluster_node_type = settings.redshift_cluster_node_type || this.settings.redshift_cluster_node_type.default; diff --git a/plugins/aws/redshift/redshiftEncryptionEnabled.js b/plugins/aws/redshift/redshiftEncryptionEnabled.js index 744f8b33e5..d6115beb89 100644 --- a/plugins/aws/redshift/redshiftEncryptionEnabled.js +++ b/plugins/aws/redshift/redshiftEncryptionEnabled.js @@ -16,6 +16,7 @@ module.exports = { 'is implemented by providing KMS-backed encryption for all Redshift ' + 'data.' }, + realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/redshiftNodesCount.js b/plugins/aws/redshift/redshiftNodesCount.js index d2a7fc4f1a..413039c171 100644 --- a/plugins/aws/redshift/redshiftNodesCount.js +++ b/plugins/aws/redshift/redshiftNodesCount.js 
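Review bot: The redshiftDesiredNodeType hunk lists only `'redshift:CreateCluster'`, but Redshift's `ModifyCluster` and `ResizeCluster` both accept a new `NodeType`, so a cluster resized after creation would not be re-evaluated; the redshiftNodesCount hunk that follows has the same gap for `NumberOfNodes`, where it lists `CreateCluster` and `DeleteCluster` but not the resize actions. Suggested line here: `realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster', 'redshift:ResizeCluster'],`, and the equivalent addition for redshiftNodesCount. Restricting the master-username check to `CreateCluster` alone, by contrast, looks right since that value is fixed at creation. The `module.exports` object continues outside the hunk.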
@@ -18,6 +18,7 @@ module.exports = { default: '100' }, }, + realtime_triggers: ['redshift:CreateCluster', 'redshift:DeleteCluster'], run: function(cache, settings, callback) { var redshift_nodes_count = parseInt(settings.redshift_nodes_count || this.settings.redshift_nodes_count.default); diff --git a/plugins/aws/redshift/redshiftPubliclyAccessible.js b/plugins/aws/redshift/redshiftPubliclyAccessible.js index 1379cf26de..6c6fc74adc 100644 --- a/plugins/aws/redshift/redshiftPubliclyAccessible.js +++ b/plugins/aws/redshift/redshiftPubliclyAccessible.js @@ -20,6 +20,7 @@ module.exports = { 'Ensure Redshift instances are not accessible from the Internet ' + 'and use proper jump box access mechanisms.' }, + realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/redshiftSSLEnabled.js b/plugins/aws/redshift/redshiftSSLEnabled.js index 4b7323bed1..08c9164d4c 100644 --- a/plugins/aws/redshift/redshiftSSLEnabled.js +++ b/plugins/aws/redshift/redshiftSSLEnabled.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/redshift/latest/mgmt/connecting-ssl-support.html', recommended_action: 'Update Redshift parameter groups to have require-ssl parameter set to true.', apis: ['Redshift:describeClusters', 'Redshift:describeClusterParameterGroups', 'Redshift:describeClusterParameters', 'STS:getCallerIdentity'], + realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyClusterParameterGroup'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/redshiftUnusedReservedNodes.js b/plugins/aws/redshift/redshiftUnusedReservedNodes.js index da5309454b..fd06d18141 100644 --- a/plugins/aws/redshift/redshiftUnusedReservedNodes.js +++ b/plugins/aws/redshift/redshiftUnusedReservedNodes.js 
@@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/redshift/latest/mgmt/purchase-reserved-node-instance.html', recommended_action: 'Provision new Redshift clusters matching the criteria of reserved nodes', apis: ['Redshift:describeClusters', 'Redshift:describeReservedNodes', 'STS:getCallerIdentity'], + realtime_triggers: ['redshift:CreateCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/snapshotRetentionPeriod.js b/plugins/aws/redshift/snapshotRetentionPeriod.js index e296e96d57..127418ec62 100644 --- a/plugins/aws/redshift/snapshotRetentionPeriod.js +++ b/plugins/aws/redshift/snapshotRetentionPeriod.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-snapshots.html', recommended_action: 'Modify Amazon Redshift cluster to set snapshot retention period', apis: ['Redshift:describeClusters', 'STS:getCallerIdentity'], + realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/underutilizedRedshiftCluster.js b/plugins/aws/redshift/underutilizedRedshiftCluster.js index 20fac57878..bb4a0438d6 100644 --- a/plugins/aws/redshift/underutilizedRedshiftCluster.js +++ b/plugins/aws/redshift/underutilizedRedshiftCluster.js @@ -18,6 +18,7 @@ module.exports = { default: '5' } }, + realtime_triggers: ['redshift:CreateCluster','redshift:CreateClusterSnapshot', 'redshift:RestoreFromClusterSnapshot'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/userActivityLoggingEnabled.js b/plugins/aws/redshift/userActivityLoggingEnabled.js index 49f9bf39f6..e3699d2a07 100644 --- a/plugins/aws/redshift/userActivityLoggingEnabled.js +++ b/plugins/aws/redshift/userActivityLoggingEnabled.js 
@@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html#db-auditing-enable-logging', recommended_action: 'Update Redshift parameter groups to enable user activity logging', apis: ['Redshift:describeClusters', 'Redshift:describeClusterParameterGroups', 'Redshift:describeClusterParameters', 'STS:getCallerIdentity'], + realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyClusterParameterGroup'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/route53/danglingDnsRecords.js b/plugins/aws/route53/danglingDnsRecords.js index af2b947c2a..5a8a277807 100644 --- a/plugins/aws/route53/danglingDnsRecords.js +++ b/plugins/aws/route53/danglingDnsRecords.js @@ -18,6 +18,7 @@ module.exports = { default: 'false' } }, + realtime_triggers: ['route53:CreateHostedZone','route53:ChangeResourceRecordSets'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/route53/domainAutoRenew.js b/plugins/aws/route53/domainAutoRenew.js index 0d9c351be5..371d9fa390 100644 --- a/plugins/aws/route53/domainAutoRenew.js +++ b/plugins/aws/route53/domainAutoRenew.js @@ -9,6 +9,8 @@ module.exports = { link: 'http://docs.aws.amazon.com/Route53/latest/APIReference/api-enable-domain-auto-renew.html', recommended_action: 'Enable auto renew for the domain', apis: ['Route53Domains:listDomains'], + realtime_triggers: ['route53domains:RegisterDomain','route53domains:EnableAutoRenew'], + run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/route53/domainExpiry.js b/plugins/aws/route53/domainExpiry.js index d67697fa40..4b2c327082 100644 --- a/plugins/aws/route53/domainExpiry.js +++ b/plugins/aws/route53/domainExpiry.js 
@@ -9,6 +9,8 @@ module.exports = { link: 'http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/registrar.html', recommended_action: 'Reregister the expiring domain', apis: ['Route53Domains:listDomains'], + realtime_triggers: ['route53domains:RegisterDomain','route53domains:RenewDomain'], + run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/route53/domainTransferLock.js b/plugins/aws/route53/domainTransferLock.js index 9de891126f..ff0452ca00 100644 --- a/plugins/aws/route53/domainTransferLock.js +++ b/plugins/aws/route53/domainTransferLock.js @@ -9,6 +9,7 @@ module.exports = { link: 'http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-transfer-from-route-53.html', recommended_action: 'Enable the transfer lock for the domain', apis: ['Route53Domains:listDomains'], + realtime_triggers: ['route53domains:RegisterDomain', 'route53Domain:EnableDomainTransferLock'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/route53/privacyProtection.js b/plugins/aws/route53/privacyProtection.js index e76220cd49..9d0e11f32c 100644 --- a/plugins/aws/route53/privacyProtection.js +++ b/plugins/aws/route53/privacyProtection.js @@ -9,6 +9,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-privacy-protection.html', recommended_action: 'Enable Privacy Protection for Domain', apis: ['Route53Domains:listDomains', 'Route53Domains:getDomainDetail'], + realtime_triggers: ['route53domains:RegisterDomain', 'route53domains:UpdateDomainContactPrivacy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/route53/senderPolicyFwInUse.js b/plugins/aws/route53/senderPolicyFwInUse.js index 580fbda18f..125d798bba 100644 --- a/plugins/aws/route53/senderPolicyFwInUse.js +++ b/plugins/aws/route53/senderPolicyFwInUse.js 
@@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/rrsets-working-with.html', recommended_action: 'Updated the domain records to have SPF.', apis: ['Route53:listHostedZones', 'Route53:listResourceRecordSets'], + realtime_triggers: ['route53:CreateHostedZone','route53:ChangeResourceRecordSets'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/route53/senderPolicyFwRecordPresent.js b/plugins/aws/route53/senderPolicyFwRecordPresent.js index f04d966fde..4ce121e67b 100644 --- a/plugins/aws/route53/senderPolicyFwRecordPresent.js +++ b/plugins/aws/route53/senderPolicyFwRecordPresent.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html', recommended_action: 'Add SPF records to the DNS records.', apis: ['Route53:listHostedZones', 'Route53:listResourceRecordSets'], + realtime_triggers: ['route53:CreateHostedZone','route53:ChangeResourceRecordSets'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/waf/wafInUse.js b/plugins/aws/waf/wafInUse.js index 196e10cfbd..4aa76bf4e4 100644 --- a/plugins/aws/waf/wafInUse.js +++ b/plugins/aws/waf/wafInUse.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html', recommended_action: 'Create one or more WAF ACLs with proper actions and rules', apis: ['WAF:listWebACLs', 'WAFRegional:listWebACLs'], + realtime_triggers: ['waf:CreateWebACL', 'waf:DeleteWebAcl'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/wafv2/aclRulesDefaultAction.js b/plugins/aws/wafv2/aclRulesDefaultAction.js index 84cf39c6e4..f9cc698c8c 100644 --- a/plugins/aws/wafv2/aclRulesDefaultAction.js +++ b/plugins/aws/wafv2/aclRulesDefaultAction.js 
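Review bot: `'waf:DeleteWebAcl'` in the wafInUse hunk (and `'wafv2:DeleteWebAcl'`, `'wafv2:updateWebACL'` in the wafv2InUse and wafv2CloudwatchMetricsEnabled hunks on the next line) is cased differently from the `CreateWebACL`/`UpdateWebACL` entries beside it; CloudTrail event names are exact strings, so with a literal match the deletions and updates — the events that weaken the control — would not re-trigger the check. Use `'waf:DeleteWebACL'`, `'wafv2:DeleteWebACL'` and `'wafv2:UpdateWebACL'` to agree with the sibling entries. wafInUse also lists `WAFRegional:listWebACLs` in `apis` but has no regional trigger, so regional ACL changes would presumably not fire either.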
@@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/waf/latest/APIReference/API_DefaultAction.html', recommended_action: 'Modify Web ACL and set default action to block requests.', apis: ['WAFV2:listWebACLs', 'WAFV2:getWebACL'], + realtime_triggers: ['wafv2:CreateWebACL', 'wafv2:UpdateWebACL'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/wafv2/wafv2CloudwatchMetricsEnabled.js b/plugins/aws/wafv2/wafv2CloudwatchMetricsEnabled.js index 40c623cc5c..11f901f97b 100644 --- a/plugins/aws/wafv2/wafv2CloudwatchMetricsEnabled.js +++ b/plugins/aws/wafv2/wafv2CloudwatchMetricsEnabled.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html', recommended_action: 'Modify WAFv2 and enable cloud watch metrics.', apis: ['WAFV2:listWebACLs', 'WAFV2:getWebACL'], + realtime_triggers: ['wafv2:CreateWebACL','wafv2:updateWebACL'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/wafv2/wafv2InUse.js b/plugins/aws/wafv2/wafv2InUse.js index 77cafae4b9..3afbde73bc 100644 --- a/plugins/aws/wafv2/wafv2InUse.js +++ b/plugins/aws/wafv2/wafv2InUse.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html', recommended_action: 'Create one or more WAF ACLs with proper actions and rules', apis: ['WAFV2:listWebACLs'], + realtime_triggers: ['wafv2:CreateWebACL', 'wafv2:DeleteWebAcl'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/workspaces/unusedWorkspaces.js b/plugins/aws/workspaces/unusedWorkspaces.js index 04776256f0..1cc51794c1 100644 --- a/plugins/aws/workspaces/unusedWorkspaces.js +++ b/plugins/aws/workspaces/unusedWorkspaces.js 
@@ -10,6 +10,7 @@ module.exports = { link: 'https://aws.amazon.com/workspaces/pricing/', recommended_action: 'Identify and remove unused Workspaces instance', apis: ['WorkSpaces:describeWorkspacesConnectionStatus','STS:getCallerIdentity'], + realtime_triggers: ['workspace:CreateWorkSpaces','workspace:TerminateWorkspaces'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/workspaces/workspacesDesiredBundleType.js b/plugins/aws/workspaces/workspacesDesiredBundleType.js index 7309f04c4c..4690a9f408 100644 --- a/plugins/aws/workspaces/workspacesDesiredBundleType.js +++ b/plugins/aws/workspaces/workspacesDesiredBundleType.js @@ -18,6 +18,7 @@ module.exports = { default: '' } }, + realtime_triggers: ['workspace:CreateWorkSpaces', 'workspace:UpdateWorkspaceBundle'], run: function(cache, settings, callback) { var workspace_desired_bundle_type = settings.workspace_desired_bundle_type || this.settings.workspace_desired_bundle_type.default; diff --git a/plugins/aws/workspaces/workspacesInstanceCount.js b/plugins/aws/workspaces/workspacesInstanceCount.js index b1cbcc8d80..5facb76660 100644 --- a/plugins/aws/workspaces/workspacesInstanceCount.js +++ b/plugins/aws/workspaces/workspacesInstanceCount.js @@ -18,6 +18,7 @@ module.exports = { default: '50' } }, + realtime_triggers: ['workspaces:CreateWorkspaces'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/workspaces/workspacesIpAccessControl.js b/plugins/aws/workspaces/workspacesIpAccessControl.js index f173ca98f7..34de3a145b 100644 --- a/plugins/aws/workspaces/workspacesIpAccessControl.js +++ b/plugins/aws/workspaces/workspacesIpAccessControl.js 
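Review bot: The WorkSpaces hunks disagree on the trigger prefix and casing: unusedWorkspaces and workspacesDesiredBundleType here (and workspacesVolumeEncryption on the next line) use `'workspace:CreateWorkSpaces'`, while workspacesInstanceCount here and workspacesIpAccessControl on the next line use `'workspaces:CreateWorkspaces'`. Only one spelling can match whatever the trigger consumer keys on, so the other group would silently fall back to scheduled scanning; the `apis` entries use `WorkSpaces:`, which suggests `workspaces` is the service name. Normalise all five to the `workspaces:` form, e.g. `realtime_triggers: ['workspaces:CreateWorkspaces','workspaces:TerminateWorkspaces'],` for unusedWorkspaces.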
@@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces-ip-access-control-groups.html', recommended_action: 'Enable proper IP Access Controls for all workspaces', apis: ['WorkSpaces:describeWorkspaces', 'WorkSpaces:describeWorkspaceDirectories', 'WorkSpaces:describeIpGroups', 'STS:getCallerIdentity'], + realtime_triggers: ['workspaces:CreateWorkspaces', 'workspaces:ModifyWorkspaceAccessProperties'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/workspaces/workspacesVolumeEncryption.js b/plugins/aws/workspaces/workspacesVolumeEncryption.js index 7a2b18c0c1..57ffce8a51 100644 --- a/plugins/aws/workspaces/workspacesVolumeEncryption.js +++ b/plugins/aws/workspaces/workspacesVolumeEncryption.js @@ -22,6 +22,7 @@ module.exports = { default: 'awskms' } }, + realtime_triggers: ['workspace:CreateWorkSpaces'], run: function(cache, settings, callback) { var results = []; From dd407b21e04674e1fe22a5c819823f417185f50e Mon Sep 17 00:00:00 2001 
From: muzzamilinovaqo Date: Thu, 14 Sep 2023 17:04:15 +0500 Subject: [PATCH 009/498] changed trigger apis to eventName --- plugins/aws/accessanalyzer/accessAnalyzerActiveFindings.js | 2 +- plugins/aws/accessanalyzer/accessAnalyzerEnabled.js | 2 +- plugins/aws/acm/acmCertificateExpiry.js | 2 +- plugins/aws/acm/acmCertificateHasTags.js | 2 +- plugins/aws/acm/acmSingleDomainNameCertificate.js | 2 +- plugins/aws/acm/acmValidation.js | 2 +- plugins/aws/apigateway/apiStageLevelCacheEncryption.js | 2 +- plugins/aws/apigateway/apigatewayAuthorization.js | 2 +- plugins/aws/apigateway/apigatewayCertificateRotation.js | 2 +- plugins/aws/apigateway/apigatewayClientCertificate.js | 2 +- plugins/aws/apigateway/apigatewayCloudwatchLogs.js | 2 +- plugins/aws/apigateway/apigatewayContentEncoding.js | 2 +- plugins/aws/apigateway/apigatewayDefaultEndpointDisabled.js | 2 +- plugins/aws/apigateway/apigatewayPrivateEndpoints.js | 2 +- plugins/aws/apigateway/apigatewayResponseCaching.js | 2 +- plugins/aws/apigateway/apigatewayTracingEnabled.js | 2 +- plugins/aws/apigateway/apigatewayWafEnabled.js | 2 +- plugins/aws/apigateway/customDomainTlsVersion.js | 2 +- plugins/aws/apigateway/detailedCloudWatchMetrics.js | 2 +- plugins/aws/appflow/flowEncrypted.js | 2 +- plugins/aws/appmesh/appmeshTLSRequired.js | 2 +- plugins/aws/appmesh/appmeshVGAccessLogging.js | 2 +- plugins/aws/appmesh/appmeshVGHealthChecks.js | 1 + plugins/aws/appmesh/restrictExternalTraffic.js | 2 +- plugins/aws/apprunner/serviceEncrypted.js | 2 +- plugins/aws/auditmanager/auditmanagerDataEncrypted.js | 2 +- plugins/aws/autoscaling/appTierAsgApprovedAmi.js | 2 +- plugins/aws/autoscaling/appTierAsgCloudwatchLogs.js | 2 +- plugins/aws/autoscaling/appTierIamRole.js | 2 +- plugins/aws/autoscaling/asgActiveNotifications.js | 2 +- plugins/aws/autoscaling/asgCooldownPeriod.js | 2 +- plugins/aws/autoscaling/asgMissingELB.js | 2 +- plugins/aws/autoscaling/asgMissingSecurityGroups.js | 2 +- plugins/aws/autoscaling/asgMultiAz.js | 2 +- 
plugins/aws/autoscaling/asgSuspendedProcesses.js | 2 +- plugins/aws/autoscaling/asgUnusedLaunchConfiguration.js | 2 +- plugins/aws/autoscaling/elbHealthCheckActive.js | 2 +- plugins/aws/autoscaling/emptyASG.js | 2 +- plugins/aws/autoscaling/sameAzElb.js | 2 +- plugins/aws/autoscaling/webTierAsgApprovedAmi.js | 2 +- plugins/aws/autoscaling/webTierAsgAssociatedElb.js | 2 +- plugins/aws/autoscaling/webTierAsgCloudwatchLogs.js | 2 +- plugins/aws/autoscaling/webTierIamRole.js | 2 +- plugins/aws/backup/backupDeletionProtection.js | 2 +- plugins/aws/backup/backupInUseForRDSSnapshots.js | 2 +- plugins/aws/backup/backupNotificationEnabled.js | 2 +- plugins/aws/backup/backupResourceProtection.js | 2 +- plugins/aws/backup/backupVaultEncrypted.js | 2 +- plugins/aws/backup/backupVaultHasTags.js | 2 +- plugins/aws/backup/backupVaultPolicies.js | 2 +- plugins/aws/backup/compliantLifecycleConfigured.js | 2 +- plugins/aws/cloudformation/cloudformationAdminPriviliges.js | 2 +- plugins/aws/cloudformation/cloudformationInUse.js | 2 +- plugins/aws/cloudformation/driftDetection.js | 2 +- plugins/aws/cloudformation/plainTextParameters.js | 2 +- plugins/aws/cloudformation/stackFailedStatus.js | 2 +- plugins/aws/cloudformation/stackNotifications.js | 2 +- plugins/aws/cloudfront/cloudfrontCustomOriginHttpsOnly.js | 2 +- plugins/aws/cloudfront/cloudfrontFieldLevelEncryption.js | 2 +- plugins/aws/cloudfront/cloudfrontGeoRestriction.js | 2 +- plugins/aws/cloudtrail/cloudtrailBucketAccessLogging.js | 2 +- plugins/aws/cloudtrail/cloudtrailBucketDelete.js | 2 +- plugins/aws/cloudtrail/cloudtrailBucketPrivate.js | 2 +- plugins/aws/cloudtrail/cloudtrailDataEvents.js | 2 +- plugins/aws/cloudtrail/cloudtrailDeliveryFailing.js | 2 +- plugins/aws/cloudtrail/cloudtrailEnabled.js | 2 +- plugins/aws/cloudtrail/cloudtrailHasTags.js | 2 +- plugins/aws/cloudtrail/cloudtrailManagementEvents.js | 2 +- plugins/aws/cloudtrail/cloudtrailNotificationsEnabled.js | 2 +- plugins/aws/cloudtrail/cloudtrailObjectLock.js 
| 2 +- plugins/aws/cloudtrail/cloudtrailS3Bucket.js | 2 +- plugins/aws/cloudtrail/cloudtrailToCloudwatch.js | 2 +- plugins/aws/cloudtrail/globalLoggingDuplicated.js | 2 +- plugins/aws/cloudwatch/vpcFlowLogsMetricAlarm.js | 2 +- plugins/aws/cloudwatchlogs/logGroupsEncrypted.js | 2 +- plugins/aws/cloudwatchlogs/logRetentionPeriod.js | 2 +- plugins/aws/cloudwatchlogs/monitoringMetrics.js | 2 +- plugins/aws/codeartifact/codeartifactDomainEncrypted.js | 2 +- plugins/aws/codebuild/codebuildValidSourceProviders.js | 2 +- plugins/aws/codebuild/projectArtifactsEncrypted.js | 2 +- plugins/aws/codepipeline/pipelineArtifactsEncrypted.js | 2 +- plugins/aws/codestar/codestarValidRepoProviders.js | 2 +- plugins/aws/cognito/cognitoHasWafEnabled.js | 2 +- plugins/aws/cognito/cognitoMFAEnabled.js | 2 +- plugins/aws/comprehend/outputResultEncryption.js | 2 +- plugins/aws/comprehend/volumeEncryption.js | 2 +- plugins/aws/computeoptimizer/asgOptimized.js | 2 +- plugins/aws/computeoptimizer/ebsVolumesOptimized.js | 2 +- plugins/aws/computeoptimizer/ec2InstancesOptimized.js | 2 +- plugins/aws/computeoptimizer/lambdaFunctionsOptimized.js | 2 +- plugins/aws/computeoptimizer/optimizerRecommendationsEnabled.js | 2 +- plugins/aws/configservice/configComplaintRules.js | 2 +- plugins/aws/configservice/configDeliveryFailing.js | 2 +- plugins/aws/configservice/configServiceEnabled.js | 2 +- plugins/aws/configservice/configServiceMissingBucket.js | 2 +- plugins/aws/configservice/servicesInUse.js | 2 +- plugins/aws/devopsguru/devOpsGuruNotificationEnabled.js | 2 +- plugins/aws/dms/autoMinorVersionUpgrade.js | 2 +- plugins/aws/dms/dmsEncryptionEnabled.js | 2 +- plugins/aws/dms/dmsMultiAZFeatureEnabled.js | 2 +- plugins/aws/dms/dmsPubliclyAccessibleInstances.js | 2 +- plugins/aws/documentDB/docdbClusterBackupRetention.js | 2 +- plugins/aws/documentDB/docdbClusterEncrypted.js | 2 +- plugins/aws/dynamodb/daxClusterEncryption.js | 2 +- plugins/aws/dynamodb/dynamoContinuousBackups.js | 2 +- 
plugins/aws/dynamodb/dynamoTableBackupExists.js | 2 +- plugins/aws/dynamodb/dynamoTableHasTags.js | 2 +- plugins/aws/dynamodb/dynamoUnusedTable.js | 2 +- plugins/aws/iam/accessKeysExtra.js | 2 +- plugins/aws/iam/accessKeysLastUsed.js | 2 +- plugins/aws/iam/accessKeysRotated.js | 2 +- plugins/aws/iam/canaryKeysUsed.js | 2 +- plugins/aws/iam/certificateExpiry.js | 2 +- plugins/aws/iam/crossAccountMfaExtIdAccess.js | 2 +- plugins/aws/iam/emptyGroups.js | 2 +- plugins/aws/iam/groupInlinePolicies.js | 2 +- plugins/aws/iam/iamMasterManagerRoles.js | 2 +- plugins/aws/iam/iamPoliciesPresent.js | 2 +- plugins/aws/iam/iamRoleHasTags.js | 2 +- plugins/aws/iam/iamRoleLastUsed.js | 2 +- plugins/aws/iam/iamRolePolicies.js | 2 +- plugins/aws/iam/iamSupportPolicy.js | 2 +- plugins/aws/iam/iamUserAdmins.js | 2 +- plugins/aws/iam/iamUserHasTags.js | 2 +- plugins/aws/iam/iamUserInUse.js | 2 +- plugins/aws/iam/iamUserNameRegex.js | 2 +- plugins/aws/iam/iamUserNotInUse.js | 2 +- plugins/aws/iam/iamUserPresent.js | 2 +- plugins/aws/iam/iamUserUnauthorizedToEdit.js | 2 +- plugins/aws/iam/iamUserWithoutPermissions.js | 2 +- plugins/aws/iam/maxPasswordAge.js | 2 +- plugins/aws/iam/minPasswordLength.js | 2 +- plugins/aws/iam/noUserIamPolicies.js | 2 +- plugins/aws/iam/passwordExpiration.js | 2 +- plugins/aws/iam/passwordPolicyExists.js | 2 +- plugins/aws/iam/passwordRequiresLowercase.js | 2 +- plugins/aws/iam/passwordRequiresNumbers.js | 2 +- plugins/aws/iam/passwordRequiresSymbols.js | 2 +- plugins/aws/iam/passwordRequiresUppercase.js | 2 +- plugins/aws/iam/passwordReusePrevention.js | 2 +- plugins/aws/iam/policyAllowsToChangePassword.js | 2 +- plugins/aws/iam/rolePolicyUnusedServices.js | 2 +- plugins/aws/iam/rootAccessKeys.js | 2 +- plugins/aws/iam/rootAccountInUse.js | 2 +- plugins/aws/iam/rootHardwareMfa.js | 2 +- plugins/aws/iam/rootMfaEnabled.js | 2 +- plugins/aws/iam/rootSigningCertificate.js | 2 +- plugins/aws/iam/sshKeysRotated.js | 2 +- plugins/aws/iam/trustedCrossAccountRoles.js 
| 2 +- plugins/aws/iam/usersMfaEnabled.js | 2 +- plugins/aws/iam/usersPasswordAndKeys.js | 2 +- plugins/aws/iam/usersPasswordLastUsed.js | 2 +- plugins/aws/imagebuilder/dockerfileTemplateEncrypted.js | 2 +- plugins/aws/imagebuilder/enhancedMetadataEnabled.js | 2 +- plugins/aws/imagebuilder/imageRecipeVolumeEncrypted.js | 2 +- plugins/aws/imagebuilder/imgBuilderComponentsEncrypted.js | 2 +- plugins/aws/imagebuilder/infraConfigNotificationEnabled.js | 2 +- plugins/aws/iotsitewise/iotsitewiseDataEncrypted.js | 2 +- plugins/aws/kendra/kendraIndexEncrypted.js | 2 +- plugins/aws/kinesis/kinesisDataStreamsEncrypted.js | 2 +- plugins/aws/kinesisvideo/videostreamDataEncrypted.js | 2 +- plugins/aws/kms/kmsAppTierCmk.js | 2 +- plugins/aws/kms/kmsDefaultKeyUsage.js | 2 +- plugins/aws/kms/kmsDuplicateGrants.js | 2 +- plugins/aws/kms/kmsGrantLeastPrivilege.js | 2 +- plugins/aws/kms/kmsKeyPolicy.js | 2 +- plugins/aws/kms/kmsKeyRotation.js | 2 +- plugins/aws/kms/kmsScheduledDeletion.js | 2 +- 168 files changed, 168 insertions(+), 167 deletions(-) diff --git a/plugins/aws/accessanalyzer/accessAnalyzerActiveFindings.js b/plugins/aws/accessanalyzer/accessAnalyzerActiveFindings.js index db016cfcbc..26d6f60714 100644 --- a/plugins/aws/accessanalyzer/accessAnalyzerActiveFindings.js +++ b/plugins/aws/accessanalyzer/accessAnalyzerActiveFindings.js @@ -11,7 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-work-with-findings.html', recommended_action: 'Investigate into active findings in your account and do the needful until you have zero active findings.', apis: ['AccessAnalyzer:listAnalyzers', 'AccessAnalyzer:listFindings'], - realtime_triggers: ['AccessAnalyzer:createAnalyzer','AccessAnalyzer:createArchiveRule','AccessAnalyzer:updateArchiveRule'], + realtime_triggers: ['AccessAnalyzer:CreateAnalyzer','AccessAnalyzer:CreateArchiveRule','AccessAnalyzer:UpdateArchiveRule'], run: function(cache, settings, callback) { var results = []; 
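Review bot: This patch switches the trigger names to PascalCase CloudTrail eventNames with a PascalCase service prefix (`'AccessAnalyzer:CreateAnalyzer'`), but the route53/waf/workspaces triggers added earlier in this series use a lowercase prefix (`'route53:CreateHostedZone'`), and the visible diffstat of this patch stops at kms, so those files appear untouched. Unless the trigger consumer normalises case on both sides, only one of the two conventions will match real events, which leaves the other set of checks running on schedule only; the same observation applies to every hunk of this patch below. A short comment beside the first `realtime_triggers` entry stating the expected form, e.g. `// CloudTrail eventName, case-sensitive: '<Service>:<EventName>'`, would keep future additions consistent.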
diff --git a/plugins/aws/accessanalyzer/accessAnalyzerEnabled.js b/plugins/aws/accessanalyzer/accessAnalyzerEnabled.js index 7e00de06f9..ba28e880ee 100644 --- a/plugins/aws/accessanalyzer/accessAnalyzerEnabled.js +++ b/plugins/aws/accessanalyzer/accessAnalyzerEnabled.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html', recommended_action: 'Enable Access Analyzer for all regions', apis: ['AccessAnalyzer:listAnalyzers'], - realtime_triggers: ['AccessAnalyzer:createAnalyzer'], + realtime_triggers: ['AccessAnalyzer:CreateAnalyzer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/acm/acmCertificateExpiry.js b/plugins/aws/acm/acmCertificateExpiry.js index 2f8164a1fc..4557293884 100644 --- a/plugins/aws/acm/acmCertificateExpiry.js +++ b/plugins/aws/acm/acmCertificateExpiry.js @@ -27,7 +27,7 @@ module.exports = { default: 30 } }, - realtime_triggers: ['ACM:requestCertificate','ACM:importCertificate'], + realtime_triggers: ['ACM:RequestCertificate','ACM:ImportCertificate'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/acm/acmCertificateHasTags.js b/plugins/aws/acm/acmCertificateHasTags.js index c6af468e7f..76fee20768 100644 --- a/plugins/aws/acm/acmCertificateHasTags.js +++ b/plugins/aws/acm/acmCertificateHasTags.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/acm/latest/userguide/tags.html', recommended_action: 'Modify ACM certificate and add tags.', apis: ['ACM:listCertificates', 'ResourceGroupsTaggingAPI:getResources'], - realtime_triggers: ['ACM:requestCertificate','ACM:importCertificate','ACM:addTagsToCertificate', 'ACM:removeTagsFromCertificate'], + realtime_triggers: ['ACM:RequestCertificate','ACM:ImportCertificate','ACM:AddTagsToCertificate', 'ACM:RemoveTagsFromCertificate'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/acm/acmSingleDomainNameCertificate.js b/plugins/aws/acm/acmSingleDomainNameCertificate.js index 48eddd9009..1cb61402e3 100644 --- a/plugins/aws/acm/acmSingleDomainNameCertificate.js +++ b/plugins/aws/acm/acmSingleDomainNameCertificate.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html', recommended_action: 'Configure ACM managed certificates to use single name domain instead of wildcards.', apis: ['ACM:listCertificates', 'ACM:describeCertificate'], - realtime_triggers: ['ACM:requestCertificate','ACM:importCertificate'], + realtime_triggers: ['ACM:RequestCertificate','ACM:ImportCertificate'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/acm/acmValidation.js b/plugins/aws/acm/acmValidation.js index c9e35a52a2..43178516d2 100644 --- a/plugins/aws/acm/acmValidation.js +++ b/plugins/aws/acm/acmValidation.js @@ -11,7 +11,7 @@ module.exports = { cs_link: 'https://cloudsploit.com/remediations/aws/acm/acm-certificate-validation', recommended_action: 'Configure ACM managed certificates to use DNS validation.', apis: ['ACM:listCertificates', 'ACM:describeCertificate'], - realtime_triggers: ['ACM:requestCertificate','ACM:importCertificate'], + realtime_triggers: ['ACM:RequestCertificate','ACM:ImportCertificate'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/apigateway/apiStageLevelCacheEncryption.js b/plugins/aws/apigateway/apiStageLevelCacheEncryption.js index 33edac70f4..3c7986b0da 100644 --- a/plugins/aws/apigateway/apiStageLevelCacheEncryption.js +++ b/plugins/aws/apigateway/apiStageLevelCacheEncryption.js 
@@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Modify API Gateway API stages to enable encryption on cache data', link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/data-protection-encryption.html', apis: ['APIGateway:getRestApis', 'APIGateway:getStages'], - realtime_triggers: ['APIGateway:createStage','APIGateway:updateStage'], + realtime_triggers: ['APIGateway:CreateStage','APIGateway:UpdateStage'], run: function(cache, settings, callback) { diff --git a/plugins/aws/apigateway/apigatewayAuthorization.js b/plugins/aws/apigateway/apigatewayAuthorization.js index 25991892c5..e3f28d2cae 100644 --- a/plugins/aws/apigateway/apigatewayAuthorization.js +++ b/plugins/aws/apigateway/apigatewayAuthorization.js @@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Modify API Gateway configuration and ensure that appropriate authorizers are set up for each API.', link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html', apis: ['APIGateway:getRestApis', 'APIGateway:getAuthorizers'], - realtime_triggers: ['APIGateway:createRestApi','APIGateway:createAuthorizer'], + realtime_triggers: ['APIGateway:CreateRestApi','APIGateway:CreateAuthorizer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/apigateway/apigatewayCertificateRotation.js b/plugins/aws/apigateway/apigatewayCertificateRotation.js index 894ad24b47..9b95e7a2e0 100644 --- a/plugins/aws/apigateway/apigatewayCertificateRotation.js +++ b/plugins/aws/apigateway/apigatewayCertificateRotation.js @@ -18,7 +18,7 @@ module.exports = { default: '30', } }, - realtime_triggers: ['APIGateway:createRestApi','APIGateway:generateClientCertificate','APIGateway:deleteClientCertificate'], + realtime_triggers: ['APIGateway:CreateRestApi','APIGateway:GenerateClientCertificate','APIGateway:DeleteClientCertificate'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/apigateway/apigatewayClientCertificate.js b/plugins/aws/apigateway/apigatewayClientCertificate.js index ef8234dc3c..22737c314b 100644 --- a/plugins/aws/apigateway/apigatewayClientCertificate.js +++ b/plugins/aws/apigateway/apigatewayClientCertificate.js @@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Attach client certificate to API Gateway API stages', link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html', apis: ['APIGateway:getRestApis', 'APIGateway:getStages'], - realtime_triggers: ['APIGateway:createStage','APIGateway:updateStage'], + realtime_triggers: ['APIGateway:CreateStage','APIGateway:UpdateStage'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/apigateway/apigatewayCloudwatchLogs.js b/plugins/aws/apigateway/apigatewayCloudwatchLogs.js index 1c83af7d91..4e47592c4c 100644 --- a/plugins/aws/apigateway/apigatewayCloudwatchLogs.js +++ b/plugins/aws/apigateway/apigatewayCloudwatchLogs.js @@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Modify API Gateway API stages to enable CloudWatch Logs', link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html', apis: ['APIGateway:getRestApis', 'APIGateway:getStages'], - realtime_triggers: ['APIGateway:createStage','APIGateway:updateStage'], + realtime_triggers: ['APIGateway:CreateStage','APIGateway:UpdateStage'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/apigateway/apigatewayContentEncoding.js b/plugins/aws/apigateway/apigatewayContentEncoding.js index 00a5aac864..b4a15af76a 100644 --- a/plugins/aws/apigateway/apigatewayContentEncoding.js +++ b/plugins/aws/apigateway/apigatewayContentEncoding.js 
@@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Enable content encoding and set minimum compression size of API Gateway API response', link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-gzip-compression-decompression.html', apis: ['APIGateway:getRestApis'], - realtime_triggers: ['APIGateway:createRestApi','APIGateway:updateRestApi'], + realtime_triggers: ['APIGateway:CreateRestApi','APIGateway:UpdateRestApi'], run: function(cache, settings, callback) { diff --git a/plugins/aws/apigateway/apigatewayDefaultEndpointDisabled.js b/plugins/aws/apigateway/apigatewayDefaultEndpointDisabled.js index a287ce3427..fdde20a4e0 100644 --- a/plugins/aws/apigateway/apigatewayDefaultEndpointDisabled.js +++ b/plugins/aws/apigateway/apigatewayDefaultEndpointDisabled.js @@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Modify API Gateway to disable default execute-api endpoint.', link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html', apis: ['APIGateway:getRestApis'], - realtime_triggers: ['APIGateway:createRestApi','APIGateway:updateRestApi'], + realtime_triggers: ['APIGateway:CreateRestApi','APIGateway:UpdateRestApi'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/apigateway/apigatewayPrivateEndpoints.js b/plugins/aws/apigateway/apigatewayPrivateEndpoints.js index 9c74ceb6a9..947c958803 100644 --- a/plugins/aws/apigateway/apigatewayPrivateEndpoints.js +++ b/plugins/aws/apigateway/apigatewayPrivateEndpoints.js @@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Set API Gateway API endpoint configuration to private', link: 'https://aws.amazon.com/blogs/compute/introducing-amazon-api-gateway-private-endpoints', apis: ['APIGateway:getRestApis'], - realtime_triggers: ['APIGateway:createRestApi','APIGateway:updateRestApi'], + realtime_triggers: ['APIGateway:CreateRestApi','APIGateway:UpdateRestApi'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/apigateway/apigatewayResponseCaching.js b/plugins/aws/apigateway/apigatewayResponseCaching.js index 25155f0065..d14894204d 100644 --- a/plugins/aws/apigateway/apigatewayResponseCaching.js +++ b/plugins/aws/apigateway/apigatewayResponseCaching.js @@ -11,7 +11,7 @@ module.exports = { recommended_action: 'Modify API Gateway API stages to enable API cache', link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html', apis: ['APIGateway:getRestApis', 'APIGateway:getStages'], - realtime_triggers: ['APIGateway:createStage','APIGateway:updateStage'], + realtime_triggers: ['APIGateway:CreateStage','APIGateway:UpdateStage'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/apigateway/apigatewayTracingEnabled.js b/plugins/aws/apigateway/apigatewayTracingEnabled.js index a58921c684..ddb679bbbe 100644 --- a/plugins/aws/apigateway/apigatewayTracingEnabled.js +++ b/plugins/aws/apigateway/apigatewayTracingEnabled.js @@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Enable tracing on API Gateway API stages', link: 'https://docs.aws.amazon.com/xray/latest/devguide/xray-services-apigateway.html', apis: ['APIGateway:getRestApis', 'APIGateway:getStages'], - realtime_triggers: ['APIGateway:createStage','APIGateway:updateStage'], + realtime_triggers: ['APIGateway:CreateStage','APIGateway:UpdateStage'], run: function(cache, settings, callback) { diff --git a/plugins/aws/apigateway/apigatewayWafEnabled.js b/plugins/aws/apigateway/apigatewayWafEnabled.js index 50fd77b7e0..537f27a3e9 100644 --- a/plugins/aws/apigateway/apigatewayWafEnabled.js +++ b/plugins/aws/apigateway/apigatewayWafEnabled.js 
@@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Associate API Gateway API with Web Application Firewall', link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html', apis: ['APIGateway:getRestApis', 'APIGateway:getStages'], - realtime_triggers: ['APIGateway:createRestApi','WAFRegional:associateWebACL'], + realtime_triggers: ['APIGateway:CreateRestApi','WAFRegional:AssociateWebACL'], run: function(cache, settings, callback) { diff --git a/plugins/aws/apigateway/customDomainTlsVersion.js b/plugins/aws/apigateway/customDomainTlsVersion.js index 11343ec30d..00841398c1 100644 --- a/plugins/aws/apigateway/customDomainTlsVersion.js +++ b/plugins/aws/apigateway/customDomainTlsVersion.js @@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Modify API Gateway custom domain security policy and specify new TLS version.', link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html', apis: ['APIGateway:getDomainNames'], - realtime_triggers: ['APIGateway:createDomainName','APIGateway:updateDomainName'], + realtime_triggers: ['APIGateway:CreateDomainName','APIGateway:UpdateDomainName'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/apigateway/detailedCloudWatchMetrics.js b/plugins/aws/apigateway/detailedCloudWatchMetrics.js index 40b85d39ef..2ca4243788 100644 --- a/plugins/aws/apigateway/detailedCloudWatchMetrics.js +++ b/plugins/aws/apigateway/detailedCloudWatchMetrics.js 
@@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Add CloudWatch role ARN to API settings and enabled detailed metrics for each stage', link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-metrics.html', apis: ['APIGateway:getRestApis', 'APIGateway:getStages'], - realtime_triggers: ['APIGateway:createStage','APIGateway:updateStage'], + realtime_triggers: ['APIGateway:CreateStage','APIGateway:UpdateStage'], run: function(cache, settings, callback) { diff --git a/plugins/aws/appflow/flowEncrypted.js b/plugins/aws/appflow/flowEncrypted.js index 548a6e23e4..3d4fa39b35 100644 --- a/plugins/aws/appflow/flowEncrypted.js +++ b/plugins/aws/appflow/flowEncrypted.js @@ -19,7 +19,7 @@ module.exports = { default: 'awscmk', } }, - realtime_triggers: ['Appflow:createFlow','Appflow:updateFlow'], + realtime_triggers: ['Appflow:CreateFlow','Appflow:UpdateFlow'], run: function(cache, settings, callback) { diff --git a/plugins/aws/appmesh/appmeshTLSRequired.js b/plugins/aws/appmesh/appmeshTLSRequired.js index 53aa53ca77..429c336d23 100644 --- a/plugins/aws/appmesh/appmeshTLSRequired.js +++ b/plugins/aws/appmesh/appmeshTLSRequired.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/app-mesh/latest/APIReference/API_ListenerTls.html', recommended_action: 'Restrict AWS App Mesh virtual gateway listeners to accept only TLS enabled connections.', apis: ['AppMesh:listMeshes', 'AppMesh:listVirtualGateways', 'AppMesh:describeVirtualGateway'], - realtime_triggers: ['AppMesh:createVirtualGateway','AppMesh:updateVirtualGateway'], + realtime_triggers: ['AppMesh:CreateVirtualGateway','AppMesh:UpdateVirtualGateway'], run: function(cache, settings, callback) { diff --git a/plugins/aws/appmesh/appmeshVGAccessLogging.js b/plugins/aws/appmesh/appmeshVGAccessLogging.js index c815dcefde..994e6d312f 100644 --- a/plugins/aws/appmesh/appmeshVGAccessLogging.js +++ b/plugins/aws/appmesh/appmeshVGAccessLogging.js 
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/app-mesh/latest/userguide/envoy-logs.html', recommended_action: 'To enable access logging, modify virtual gateway configuration settings and configure the file path to write access logs to.', apis: ['AppMesh:listMeshes', 'AppMesh:listVirtualGateways', 'AppMesh:describeVirtualGateway'], - realtime_triggers: ['AppMesh:createVirtualGateway','AppMesh:updateVirtualGateway'], + realtime_triggers: ['AppMesh:CreateVirtualGateway','AppMesh:UpdateVirtualGateway'], run: function(cache, settings, callback) { diff --git a/plugins/aws/appmesh/appmeshVGHealthChecks.js b/plugins/aws/appmesh/appmeshVGHealthChecks.js index b81ca14c7a..494bc7b924 100644 --- a/plugins/aws/appmesh/appmeshVGHealthChecks.js +++ b/plugins/aws/appmesh/appmeshVGHealthChecks.js @@ -10,6 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_gateway_health_checks.html', recommended_action: 'Configure health check policies for the virtual gateway listeners in your App Mesh, specifying values for healthy threshold, health check interval, health check protocol, timeout period, and unhealthy threshold.', apis: ['AppMesh:listMeshes', 'AppMesh:listVirtualGateways', 'AppMesh:describeVirtualGateway'], + realtime_triggers: ['AppMesh:CreateVirtualGateway','AppMesh:UpdateVirtualGateway'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/appmesh/restrictExternalTraffic.js b/plugins/aws/appmesh/restrictExternalTraffic.js index 02c8711beb..aaa77d85ca 100644 --- a/plugins/aws/appmesh/restrictExternalTraffic.js +++ b/plugins/aws/appmesh/restrictExternalTraffic.js 
@@ -12,7 +12,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/app-mesh/latest/userguide/security.html',
 recommended_action: 'Deny all traffic to the external services',
 apis: ['AppMesh:listMeshes', 'AppMesh:describeMesh'],
- realtime_triggers: ['AppMesh:createMesh','AppMesh:updateMesh'],
+ realtime_triggers: ['AppMesh:CreateMesh','AppMesh:UpdateMesh'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apprunner/serviceEncrypted.js b/plugins/aws/apprunner/serviceEncrypted.js
index ddcd9a0193..f42658719f 100644
--- a/plugins/aws/apprunner/serviceEncrypted.js
+++ b/plugins/aws/apprunner/serviceEncrypted.js
@@ -19,7 +19,7 @@ module.exports = {
 default: 'awscmk'
 }
 },
- realtime_triggers: ['AppRunner:createService','AppRunner:updateService'],
+ realtime_triggers: ['AppRunner:CreateService','AppRunner:UpdateService'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/auditmanager/auditmanagerDataEncrypted.js b/plugins/aws/auditmanager/auditmanagerDataEncrypted.js
index 61ff3ae17a..0e076f670c 100644
--- a/plugins/aws/auditmanager/auditmanagerDataEncrypted.js
+++ b/plugins/aws/auditmanager/auditmanagerDataEncrypted.js
@@ -19,7 +19,7 @@ module.exports = {
 default: 'awscmk',
 }
 },
- realtime_triggers: ['AuditManager:updateSettings'],
+ realtime_triggers: ['AuditManager:UpdateSettings'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/appTierAsgApprovedAmi.js b/plugins/aws/autoscaling/appTierAsgApprovedAmi.js
index 3da850f053..881ce7d57b 100644
--- a/plugins/aws/autoscaling/appTierAsgApprovedAmi.js
+++ b/plugins/aws/autoscaling/appTierAsgApprovedAmi.js
@@ -24,7 +24,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:updateAutoScalingGroup'],
+ realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:UpdateAutoScalingGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/appTierAsgCloudwatchLogs.js b/plugins/aws/autoscaling/appTierAsgCloudwatchLogs.js
index 89362c87e5..38baa7a031 100644
--- a/plugins/aws/autoscaling/appTierAsgCloudwatchLogs.js
+++ b/plugins/aws/autoscaling/appTierAsgCloudwatchLogs.js
@@ -32,7 +32,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:updateAutoScalingGroup'],
+ realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:UpdateAutoScalingGroup'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/autoscaling/appTierIamRole.js b/plugins/aws/autoscaling/appTierIamRole.js
index 0c21310829..4e46863b9b 100644
--- a/plugins/aws/autoscaling/appTierIamRole.js
+++ b/plugins/aws/autoscaling/appTierIamRole.js
@@ -18,7 +18,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:updateAutoScalingGroup'],
+ realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:UpdateAutoScalingGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/asgActiveNotifications.js b/plugins/aws/autoscaling/asgActiveNotifications.js
index aa7ba42c4b..d0c5cee0cf 100644
--- a/plugins/aws/autoscaling/asgActiveNotifications.js
+++ b/plugins/aws/autoscaling/asgActiveNotifications.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/ASGettingNotifications.html',
 recommended_action: 'Add a notification endpoint to the auto scaling group.',
 apis: ['AutoScaling:describeAutoScalingGroups', 'AutoScaling:describeNotificationConfigurations'],
- realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:putNotificationConfiguration'],
+ realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:PutNotificationConfiguration'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/autoscaling/asgCooldownPeriod.js b/plugins/aws/autoscaling/asgCooldownPeriod.js
index 43dbb96158..1cc3adfee6 100644
--- a/plugins/aws/autoscaling/asgCooldownPeriod.js
+++ b/plugins/aws/autoscaling/asgCooldownPeriod.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/Cooldown.html',
 recommended_action: 'Implement proper cool down period for Auto Scaling groups to temporarily suspend any scaling actions.',
 apis: ['AutoScaling:describeAutoScalingGroups'],
- realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:updateAutoScalingGroup'],
+ realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:UpdateAutoScalingGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/asgMissingELB.js b/plugins/aws/autoscaling/asgMissingELB.js
index 6aaceb2b9a..05f5208fc0 100644
--- a/plugins/aws/autoscaling/asgMissingELB.js
+++ b/plugins/aws/autoscaling/asgMissingELB.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/attach-load-balancer-asg.html',
 recommended_action: 'Ensure that the Auto Scaling group load balancer has not been deleted. If so, remove it from the ASG.',
 apis: ['AutoScaling:describeAutoScalingGroups', 'ELB:describeLoadBalancers', 'ELBv2:describeLoadBalancers'],
- realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:attachLoadBalancers'],
+ realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:AttachLoadBalancers'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/asgMissingSecurityGroups.js b/plugins/aws/autoscaling/asgMissingSecurityGroups.js
index 60d52b9fd1..81057348a3 100644
--- a/plugins/aws/autoscaling/asgMissingSecurityGroups.js
+++ b/plugins/aws/autoscaling/asgMissingSecurityGroups.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/GettingStartedTutorial.html',
 recommended_action: 'Ensure that the launch configuration security group has not been deleted. If so, remove it from launch configurations',
 apis: ['AutoScaling:describeLaunchConfigurations', 'EC2:describeSecurityGroups'],
- realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:updateAutoScalingGroup'],
+ realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:UpdateAutoScalingGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/asgMultiAz.js b/plugins/aws/autoscaling/asgMultiAz.js
index 5686e6b136..ef9e63b127 100644
--- a/plugins/aws/autoscaling/asgMultiAz.js
+++ b/plugins/aws/autoscaling/asgMultiAz.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'http://docs.aws.amazon.com/autoscaling/latest/userguide/AutoScalingGroup.html',
 recommended_action: 'Modify the autoscaling instance to enable scaling across multiple availability zones.',
 apis: ['AutoScaling:describeAutoScalingGroups'],
- realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:updateAutoScalingGroup'],
+ realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:UpdateAutoScalingGroup'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/autoscaling/asgSuspendedProcesses.js b/plugins/aws/autoscaling/asgSuspendedProcesses.js
index 0571bf533e..01e5a9a89b 100644
--- a/plugins/aws/autoscaling/asgSuspendedProcesses.js
+++ b/plugins/aws/autoscaling/asgSuspendedProcesses.js
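Review bot: The new trigger line for asgMissingSecurityGroups does not match what the check reads: `apis` in the same hunk lists `AutoScaling:describeLaunchConfigurations` and `EC2:describeSecurityGroups`, yet the plugin is re-evaluated only on `AutoScaling:CreateAutoScalingGroup` / `UpdateAutoScalingGroup`, neither of which creates a launch configuration or deletes a security group. A launch configuration left pointing at a since-deleted security group would therefore only be caught by the next full scan. Assuming these names are CloudTrail event names (which the case normalisation in this commit implies), the list should be `realtime_triggers: ['AutoScaling:CreateLaunchConfiguration','AutoScaling:DeleteLaunchConfiguration','EC2:DeleteSecurityGroup'],`. The run() body continues outside the hunk.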
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-suspend-resume-processes.html',
 recommended_action: 'Update the AutoScaling group to resume the suspended processes.',
 apis: ['AutoScaling:describeAutoScalingGroups'],
- realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:resumeProcesses'],
+ realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:ResumeProcesses'],
diff --git a/plugins/aws/autoscaling/asgUnusedLaunchConfiguration.js b/plugins/aws/autoscaling/asgUnusedLaunchConfiguration.js
index 1c7f05d99c..6351020166 100644
--- a/plugins/aws/autoscaling/asgUnusedLaunchConfiguration.js
+++ b/plugins/aws/autoscaling/asgUnusedLaunchConfiguration.js
@@ -11,7 +11,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/LaunchConfiguration.html',
 recommended_action: 'Identify and remove any Auto Scaling Launch Configuration templates that are not associated anymore with ASGs available in the selected AWS region.',
 apis: ['AutoScaling:describeAutoScalingGroups', 'AutoScaling:describeLaunchConfigurations'],
- realtime_triggers: ['AutoScaling:createLaunchConfiguration','AutoScaling:deleteLaunchConfiguration'],
+ realtime_triggers: ['AutoScaling:CreateLaunchConfiguration','AutoScaling:DeleteLaunchConfiguration'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/autoscaling/elbHealthCheckActive.js b/plugins/aws/autoscaling/elbHealthCheckActive.js
index 3b65f46103..b9add4b697 100644
--- a/plugins/aws/autoscaling/elbHealthCheckActive.js
+++ b/plugins/aws/autoscaling/elbHealthCheckActive.js
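Review bot: The asgSuspendedProcesses trigger list on the added line includes `AutoScaling:ResumeProcesses` but not `AutoScaling:SuspendProcesses`, so the call that actually puts a group into the failing state never schedules a re-evaluation; only the remediation does. A suspended-process finding would appear only on the next scheduled scan, which defeats the purpose of a realtime trigger. Suggest `realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:SuspendProcesses','AutoScaling:ResumeProcesses'],`. The rest of the module, including run(), is outside this hunk.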
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-add-elb-healthcheck.html',
 recommended_action: 'Enable ELB health check for the Auto Scaling groups.',
 apis: ['AutoScaling:describeAutoScalingGroups'],
- realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:updateAutoScalingGroup'],
+ realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:UpdateAutoScalingGroup'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/autoscaling/emptyASG.js b/plugins/aws/autoscaling/emptyASG.js
index d148d6da1e..94599c1bb8 100644
--- a/plugins/aws/autoscaling/emptyASG.js
+++ b/plugins/aws/autoscaling/emptyASG.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/AutoScalingGroup.html',
 recommended_action: 'Delete the unused AutoScaling group.',
 apis: ['AutoScaling:describeAutoScalingGroups'],
- realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:deleteAutoScalingGroup'],
+ realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:DeleteAutoScalingGroup'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/autoscaling/sameAzElb.js b/plugins/aws/autoscaling/sameAzElb.js
index bc5976353d..41831d26c9 100644
--- a/plugins/aws/autoscaling/sameAzElb.js
+++ b/plugins/aws/autoscaling/sameAzElb.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-add-availability-zone.html',
 recommended_action: 'Update the ELB to use the same availability zones as the autoscaling group.',
 apis: ['AutoScaling:describeAutoScalingGroups', 'ELB:describeLoadBalancers', 'ELBv2:describeLoadBalancers'],
- realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:updateAutoScalingGroup'],
+ realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:UpdateAutoScalingGroup'],
diff --git a/plugins/aws/autoscaling/webTierAsgApprovedAmi.js b/plugins/aws/autoscaling/webTierAsgApprovedAmi.js
index 8e6f8e3fa6..b35818902d 100644
--- a/plugins/aws/autoscaling/webTierAsgApprovedAmi.js
+++ b/plugins/aws/autoscaling/webTierAsgApprovedAmi.js
@@ -24,7 +24,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:updateAutoScalingGroup'],
+ realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:UpdateAutoScalingGroup'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/autoscaling/webTierAsgAssociatedElb.js b/plugins/aws/autoscaling/webTierAsgAssociatedElb.js
index 7a9c2fb36c..ab8946cbb5 100644
--- a/plugins/aws/autoscaling/webTierAsgAssociatedElb.js
+++ b/plugins/aws/autoscaling/webTierAsgAssociatedElb.js
@@ -18,7 +18,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:attachLoadBalancers'],
+ realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:AttachLoadBalancers'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/autoscaling/webTierAsgCloudwatchLogs.js b/plugins/aws/autoscaling/webTierAsgCloudwatchLogs.js
index b9cc310f1d..3baab1f218 100644
--- a/plugins/aws/autoscaling/webTierAsgCloudwatchLogs.js
+++ b/plugins/aws/autoscaling/webTierAsgCloudwatchLogs.js
@@ -32,7 +32,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:updateAutoScalingGroup'],
+ realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:UpdateAutoScalingGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/webTierIamRole.js b/plugins/aws/autoscaling/webTierIamRole.js
index 18283a5398..88d9cf745d 100644
--- a/plugins/aws/autoscaling/webTierIamRole.js
+++ b/plugins/aws/autoscaling/webTierIamRole.js
@@ -18,7 +18,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:updateAutoScalingGroup'],
+ realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:UpdateAutoScalingGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/backup/backupDeletionProtection.js b/plugins/aws/backup/backupDeletionProtection.js
index 428ae755ab..4117f3a0b7 100644
--- a/plugins/aws/backup/backupDeletionProtection.js
+++ b/plugins/aws/backup/backupDeletionProtection.js
@@ -11,7 +11,7 @@ module.exports = {
 recommended_action: 'Add a statement in Backup vault access policy which denies global access to action: backup:DeleteRecoveryPoint',
 link: 'https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-a-vault-access-policy.html',
 apis: ['Backup:listBackupVaults', 'Backup:getBackupVaultAccessPolicy'],
- realtime_triggers: ['Backup:createBackupVault','Backup:putBackupVaultAccessPolicy'],
+ realtime_triggers: ['Backup:CreateBackupVault','Backup:PutBackupVaultAccessPolicy'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/backup/backupInUseForRDSSnapshots.js b/plugins/aws/backup/backupInUseForRDSSnapshots.js
index 7023570b25..4e12c2b7d3 100644
--- a/plugins/aws/backup/backupInUseForRDSSnapshots.js
+++ b/plugins/aws/backup/backupInUseForRDSSnapshots.js
@@ -11,7 +11,7 @@ module.exports = {
 recommended_action: 'Enable RDS database instance snapshots to improve the reliability of your backup strategy.',
 link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html',
 apis: ['RDS:describeDBSnapshots'],
- realtime_triggers: ['Backup:createBackupPlan','Backup:createBackupSelection'],
+ realtime_triggers: ['Backup:CreateBackupPlan','Backup:CreateBackupSelection'],
 run: function(cache, settings, callback) {
 var results = [];
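Review bot: backupDeletionProtection is re-evaluated on `Backup:PutBackupVaultAccessPolicy` but not on `Backup:DeleteBackupVaultAccessPolicy`, and deleting the vault access policy is precisely what removes the deny on `backup:DeleteRecoveryPoint` that the `recommended_action` in this hunk says the check looks for. An operator or attacker stripping the policy before deleting recovery points would not re-trigger the control until the next full scan. Suggest `realtime_triggers: ['Backup:CreateBackupVault','Backup:PutBackupVaultAccessPolicy','Backup:DeleteBackupVaultAccessPolicy'],`. The run() body for this plugin lies outside the hunk.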
diff --git a/plugins/aws/backup/backupNotificationEnabled.js b/plugins/aws/backup/backupNotificationEnabled.js
index eb7a83817c..342c919b4d 100644
--- a/plugins/aws/backup/backupNotificationEnabled.js
+++ b/plugins/aws/backup/backupNotificationEnabled.js
@@ -11,7 +11,7 @@ module.exports = {
 recommended_action: 'Configure Backup vaults to sent notifications alert for failed backup job events.',
 link: 'https://docs.aws.amazon.com/aws-backup/latest/devguide/sns-notifications.html',
 apis: ['Backup:listBackupVaults', 'Backup:getBackupVaultNotifications'],
- realtime_triggers: ['Backup:createBackupVault','Backup:putBackupVaultNotifications'],
+ realtime_triggers: ['Backup:CreateBackupVault','Backup:PutBackupVaultNotifications'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/backup/backupResourceProtection.js b/plugins/aws/backup/backupResourceProtection.js
index b95653fbee..bd67870ff3 100644
--- a/plugins/aws/backup/backupResourceProtection.js
+++ b/plugins/aws/backup/backupResourceProtection.js
@@ -19,7 +19,7 @@ module.exports = {
 default:''
 }
 },
- realtime_triggers: ['Backup:updateRegionSettings'],
+ realtime_triggers: ['Backup:UpdateRegionSettings'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/backup/backupVaultEncrypted.js b/plugins/aws/backup/backupVaultEncrypted.js
index 59307670fc..f726a36f0b 100644
--- a/plugins/aws/backup/backupVaultEncrypted.js
+++ b/plugins/aws/backup/backupVaultEncrypted.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 'awscmk',
 }
 },
- realtime_triggers: ['Backup:createBackupVault','Backup:updateBackupPlan'],
+ realtime_triggers: ['Backup:CreateBackupVault','Backup:UpdateBackupPlan'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/backup/backupVaultHasTags.js b/plugins/aws/backup/backupVaultHasTags.js
index 551912b7f1..b5fc81c0d8 100644
--- a/plugins/aws/backup/backupVaultHasTags.js
+++ b/plugins/aws/backup/backupVaultHasTags.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Modify Backup Vault and add tags.',
 link: 'https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-a-vault.html',
 apis: ['Backup:listBackupVaults', 'ResourceGroupsTaggingAPI:getResources'],
- realtime_triggers: ['Backup:createBackupVault','Backup:tagResource'],
+ realtime_triggers: ['Backup:CreateBackupVault','Backup:TagResource'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/backup/backupVaultPolicies.js b/plugins/aws/backup/backupVaultPolicies.js
index 152084c5a1..168fa8d9b5 100644
--- a/plugins/aws/backup/backupVaultPolicies.js
+++ b/plugins/aws/backup/backupVaultPolicies.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Ensure that all Backup Vault policies are scoped to specific services and API calls.',
 link: 'https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-a-vault-access-policy.html',
 apis: ['Backup:listBackupVaults', 'Backup:getBackupVaultAccessPolicy', 'STS:getCallerIdentity'],
- realtime_triggers: ['Backup:createBackupVault','Backup:putBackupVaultAccessPolicy'],
+ realtime_triggers: ['Backup:CreateBackupVault','Backup:PutBackupVaultAccessPolicy'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/backup/compliantLifecycleConfigured.js b/plugins/aws/backup/compliantLifecycleConfigured.js
index 8423c941d2..7083e333f0 100644
--- a/plugins/aws/backup/compliantLifecycleConfigured.js
+++ b/plugins/aws/backup/compliantLifecycleConfigured.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Enable compliant lifecycle configuration for your Amazon Backup plans',
 link: 'https://docs.aws.amazon.com/aws-backup/latest/devguide/API_Lifecycle.html',
 apis: ['Backup:listBackupPlans', 'Backup:getBackupPlan'],
- realtime_triggers: ['Backup:createBackupPlan','Backup:updateBackupPlan'],
+ realtime_triggers: ['Backup:CreateBackupPlan','Backup:UpdateBackupPlan'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudformation/cloudformationAdminPriviliges.js b/plugins/aws/cloudformation/cloudformationAdminPriviliges.js
index e59d016487..775f91c5bd 100644
--- a/plugins/aws/cloudformation/cloudformationAdminPriviliges.js
+++ b/plugins/aws/cloudformation/cloudformationAdminPriviliges.js
@@ -14,7 +14,7 @@ module.exports = {
 recommended_action: 'Modify IAM role attached with AWS CloudFormation stack to provide the minimal amount of access required to perform its tasks',
 apis: ['CloudFormation:listStacks', 'CloudFormation:describeStacks', 'IAM:listRoles', 'IAM:listAttachedRolePolicies', 'IAM:listRolePolicies', 'IAM:listPolicies', 'IAM:getPolicy', 'IAM:getPolicyVersion', 'IAM:getRolePolicy'],
- realtime_triggers: ['CloudFormation:createStack','IAM:createPolicyVersion','IAM:putRolePolicy'],
+ realtime_triggers: ['CloudFormation:CreateStack','IAM:CreatePolicyVersion','IAM:PutRolePolicy'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/cloudformation/cloudformationInUse.js b/plugins/aws/cloudformation/cloudformationInUse.js
index 0401bc8dfe..2ff8fcc57e 100644
--- a/plugins/aws/cloudformation/cloudformationInUse.js
+++ b/plugins/aws/cloudformation/cloudformationInUse.js
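Review bot: The cloudformationAdminPriviliges trigger list omits `IAM:AttachRolePolicy`, even though `apis` in the same hunk includes `IAM:listAttachedRolePolicies`, i.e. the check does evaluate managed policies attached to the stack role. Attaching `AdministratorAccess` to an existing stack role is the most direct way to hand a stack admin rights, and unlike an inline `IAM:PutRolePolicy` or a new `IAM:CreatePolicyVersion` it would not re-trigger this control. `CloudFormation:UpdateStack` is also missing, and the role ARN can be swapped on update; assuming the check reads the role from `describeStacks`, that change should re-run it too. Suggest `realtime_triggers: ['CloudFormation:CreateStack','CloudFormation:UpdateStack','IAM:AttachRolePolicy','IAM:CreatePolicyVersion','IAM:PutRolePolicy'],`. The run() body is outside the hunk.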
@@ -12,7 +12,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html',
 recommended_action: 'Check if CloudFormation is in use or not by observing the stacks',
 apis: ['CloudFormation:describeStacks'],
- realtime_triggers: ['CloudFormation:createStack'],
+ realtime_triggers: ['CloudFormation:CreateStack'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudformation/driftDetection.js b/plugins/aws/cloudformation/driftDetection.js
index 463c8207f6..9345987dad 100644
--- a/plugins/aws/cloudformation/driftDetection.js
+++ b/plugins/aws/cloudformation/driftDetection.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import-resolve-drift.html',
 recommended_action: 'Resolve CloudFormation stack drift by importing drifted resource back to the stack.',
 apis: ['CloudFormation:listStacks'],
- realtime_triggers: ['CloudFormation:createStack','CloudFormation:updateStack'],
+ realtime_triggers: ['CloudFormation:CreateStack','CloudFormation:UpdateStack'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudformation/plainTextParameters.js b/plugins/aws/cloudformation/plainTextParameters.js
index a6c206489e..c5e72bc7f0 100644
--- a/plugins/aws/cloudformation/plainTextParameters.js
+++ b/plugins/aws/cloudformation/plainTextParameters.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 'secret,password,privatekey'
 }
 },
- realtime_triggers: ['CloudFormation:createStack','CloudFormation:updateStack'],
+ realtime_triggers: ['CloudFormation:CreateStack','CloudFormation:UpdateStack'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudformation/stackFailedStatus.js b/plugins/aws/cloudformation/stackFailedStatus.js
index 004590a2ce..b9f327617f 100644
--- a/plugins/aws/cloudformation/stackFailedStatus.js
+++ b/plugins/aws/cloudformation/stackFailedStatus.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 0
 }
 },
- realtime_triggers: ['CloudFormation:createStack','CloudFormation:deleteStack'],
+ realtime_triggers: ['CloudFormation:CreateStack','CloudFormation:DeleteStack'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudformation/stackNotifications.js b/plugins/aws/cloudformation/stackNotifications.js
index cd912c145b..73c9b5c891 100644
--- a/plugins/aws/cloudformation/stackNotifications.js
+++ b/plugins/aws/cloudformation/stackNotifications.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-view-stack-data-resources.html',
 recommended_action: 'Associate an Amazon SNS topic to all CloudFormation stacks',
 apis: ['CloudFormation:listStacks', 'CloudFormation:describeStacks'],
- realtime_triggers: ['CloudFormation:createStack','CloudFormation:updateStack'],
+ realtime_triggers: ['CloudFormation:CreateStack','CloudFormation:UpdateStack'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudfront/cloudfrontCustomOriginHttpsOnly.js b/plugins/aws/cloudfront/cloudfrontCustomOriginHttpsOnly.js
index 4c27de3741..1b5cafea25 100644
--- a/plugins/aws/cloudfront/cloudfrontCustomOriginHttpsOnly.js
+++ b/plugins/aws/cloudfront/cloudfrontCustomOriginHttpsOnly.js
@@ -9,7 +9,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html',
 recommended_action: 'Modify CloudFront distribution and update the Origin Protocol Policy setting to HTTPS Only.',
 apis: ['CloudFront:listDistributions'],
- realtime_triggers: ['CloudFront:createDistribution','CloudFront:updateDistribution'],
+ realtime_triggers: ['CloudFront:CreateDistribution','CloudFront:UpdateDistribution'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/cloudfront/cloudfrontFieldLevelEncryption.js b/plugins/aws/cloudfront/cloudfrontFieldLevelEncryption.js
index f5ee3e9f09..6cf133a302 100644
--- a/plugins/aws/cloudfront/cloudfrontFieldLevelEncryption.js
+++ b/plugins/aws/cloudfront/cloudfrontFieldLevelEncryption.js
@@ -11,7 +11,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html',
 recommended_action: 'Enable field-level encryption for CloudFront distributions.',
 apis: ['CloudFront:listDistributions'],
- realtime_triggers: ['CloudFront:createDistribution','CloudFront:updateDistribution'],
+ realtime_triggers: ['CloudFront:CreateDistribution','CloudFront:UpdateDistribution'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/cloudfront/cloudfrontGeoRestriction.js b/plugins/aws/cloudfront/cloudfrontGeoRestriction.js
index dd27bde079..c49a4cb5eb 100644
--- a/plugins/aws/cloudfront/cloudfrontGeoRestriction.js
+++ b/plugins/aws/cloudfront/cloudfrontGeoRestriction.js
@@ -18,7 +18,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['CloudFront:createDistribution','CloudFront:updateDistribution'],
+ realtime_triggers: ['CloudFront:CreateDistribution','CloudFront:UpdateDistribution'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudtrail/cloudtrailBucketAccessLogging.js b/plugins/aws/cloudtrail/cloudtrailBucketAccessLogging.js
index 7b8709d3dc..d458657d84 100644
--- a/plugins/aws/cloudtrail/cloudtrailBucketAccessLogging.js
+++ b/plugins/aws/cloudtrail/cloudtrailBucketAccessLogging.js
@@ -26,7 +26,7 @@ module.exports = {
 default: '',
 }
 },
- realtime_triggers: ['CloudTrail:createTrail', 'S3:putBucketLogging'],
+ realtime_triggers: ['CloudTrail:CreateTrail', 'S3:PutBucketLogging'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/cloudtrail/cloudtrailBucketDelete.js b/plugins/aws/cloudtrail/cloudtrailBucketDelete.js
index f723c93959..1981b46d28 100644
--- a/plugins/aws/cloudtrail/cloudtrailBucketDelete.js
+++ b/plugins/aws/cloudtrail/cloudtrailBucketDelete.js
@@ -24,7 +24,7 @@ module.exports = {
 default: '',
 }
 },
- realtime_triggers: ['CloudTrail:createTrail', 'S3:putBucketVersioning'],
+ realtime_triggers: ['CloudTrail:CreateTrail', 'S3:PutBucketVersioning'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/cloudtrail/cloudtrailBucketPrivate.js b/plugins/aws/cloudtrail/cloudtrailBucketPrivate.js
index b85dd0cc5b..43be3a9924 100644
--- a/plugins/aws/cloudtrail/cloudtrailBucketPrivate.js
+++ b/plugins/aws/cloudtrail/cloudtrailBucketPrivate.js
@@ -22,7 +22,7 @@ module.exports = {
 }
 },
- realtime_triggers: ['CloudTrail:createTrail', 'S3:putBucketAcl'],
+ realtime_triggers: ['CloudTrail:CreateTrail', 'S3:PutBucketAcl'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/cloudtrail/cloudtrailDataEvents.js b/plugins/aws/cloudtrail/cloudtrailDataEvents.js
index 5883fbd478..776fc10c15 100644
--- a/plugins/aws/cloudtrail/cloudtrailDataEvents.js
+++ b/plugins/aws/cloudtrail/cloudtrailDataEvents.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Update CloudTrail to enable data events.',
 link: 'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html',
 apis: ['CloudTrail:describeTrails', 'CloudTrail:getEventSelectors'],
- realtime_triggers: ['CloudTrail:createTrail', 'CloudTrail:putEventSelectors'],
+ realtime_triggers: ['CloudTrail:CreateTrail', 'CloudTrail:PutEventSelectors'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudtrail/cloudtrailDeliveryFailing.js b/plugins/aws/cloudtrail/cloudtrailDeliveryFailing.js
index e552db1c9e..90ea38cef4 100644
--- a/plugins/aws/cloudtrail/cloudtrailDeliveryFailing.js
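Review bot: cloudtrailBucketPrivate re-runs only on `S3:PutBucketAcl` besides trail creation, but a CloudTrail log bucket can also be exposed through a bucket policy or by removing its public access block, and neither of those fires this trigger. The check body is outside the hunk, so I cannot tell whether it evaluates only the ACL; if it does, that is a coverage gap in the check itself, and if it also reads the policy, the trigger list is what is incomplete. Either way the line should be at least `realtime_triggers: ['CloudTrail:CreateTrail', 'CloudTrail:UpdateTrail', 'S3:PutBucketAcl', 'S3:PutBucketPolicy', 'S3:DeletePublicAccessBlock'],`. `CloudTrail:UpdateTrail` belongs there because repointing an existing trail at a different bucket changes which bucket must be private.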
+++ b/plugins/aws/cloudtrail/cloudtrailDeliveryFailing.js
@@ -18,7 +18,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['CloudTrail:createTrail', 'CloudTrail:updateTrail'],
+ realtime_triggers: ['CloudTrail:CreateTrail', 'CloudTrail:UpdateTrail'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudtrail/cloudtrailEnabled.js b/plugins/aws/cloudtrail/cloudtrailEnabled.js
index ea906a2dd3..67278dad83 100644
--- a/plugins/aws/cloudtrail/cloudtrailEnabled.js
+++ b/plugins/aws/cloudtrail/cloudtrailEnabled.js
@@ -19,7 +19,7 @@ module.exports = {
 'within environments containing cardholder data.',
 cis1: '2.1 Ensure CloudTrail is enabled in all regions'
 },
- realtime_triggers: ['CloudTrail:createTrail', 'CloudTrail:updateTrail'],
+ realtime_triggers: ['CloudTrail:CreateTrail', 'CloudTrail:UpdateTrail'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudtrail/cloudtrailHasTags.js b/plugins/aws/cloudtrail/cloudtrailHasTags.js
index ecd8c553bc..d49fcd9c43 100644
--- a/plugins/aws/cloudtrail/cloudtrailHasTags.js
+++ b/plugins/aws/cloudtrail/cloudtrailHasTags.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Modify CloudTrail trails and add tags.',
 link: 'https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AddTags.html',
 apis: ['CloudTrail:describeTrails', 'CloudTrail:listTags'],
- realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:addTags','cloudtrail:removeTags'],
+ realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:AddTags','cloudtrail:RemoveTags'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudtrail/cloudtrailManagementEvents.js b/plugins/aws/cloudtrail/cloudtrailManagementEvents.js
index d8b3b28313..edcd236056 100644
--- a/plugins/aws/cloudtrail/cloudtrailManagementEvents.js
+++ b/plugins/aws/cloudtrail/cloudtrailManagementEvents.js
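Review bot: The cloudtrailEnabled trigger list contains only `CloudTrail:CreateTrail` and `CloudTrail:UpdateTrail`; the operations that actually disable logging, `CloudTrail:StopLogging` and `CloudTrail:DeleteTrail`, are absent, so the CIS 2.1 control named in the same hunk is not re-evaluated when an attacker or an operator switches the trail off. Stopping or deleting a trail is a standard defence-evasion step and is the one event this control most needs to react to in real time. Suggest `realtime_triggers: ['CloudTrail:CreateTrail', 'CloudTrail:UpdateTrail', 'CloudTrail:StopLogging', 'CloudTrail:DeleteTrail'],`. The run() body starts inside the hunk and continues past it.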
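Review bot: cloudtrailHasTags still carries a lowercase service prefix on its added line, `'cloudtrail:CreateTrail', 'cloudtrail:AddTags','cloudtrail:RemoveTags'`, while every other trigger in this commit, including the CloudTrail ones in the hunks directly above, is normalised to `CloudTrail:`. If trigger matching is case-sensitive on the service segment (which is what the whole commit implies by fixing the action-name case), this plugin never fires in real time. Suggest `realtime_triggers: ['CloudTrail:CreateTrail', 'CloudTrail:AddTags','CloudTrail:RemoveTags'],`.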
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Update CloudTrail to enable management events logging',
 link: 'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html',
 apis: ['CloudTrail:describeTrails', 'CloudTrail:getEventSelectors'],
- realtime_triggers: ['CloudTrail:createTrail', 'CloudTrail:putEventSelectors'],
+ realtime_triggers: ['CloudTrail:CreateTrail', 'CloudTrail:PutEventSelectors'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudtrail/cloudtrailNotificationsEnabled.js b/plugins/aws/cloudtrail/cloudtrailNotificationsEnabled.js
index 611ba0221f..7a934d2e35 100644
--- a/plugins/aws/cloudtrail/cloudtrailNotificationsEnabled.js
+++ b/plugins/aws/cloudtrail/cloudtrailNotificationsEnabled.js
@@ -11,7 +11,7 @@ module.exports = {
 recommended_action: 'Make sure that CloudTrail trails are using active SNS topics and that SNS topics have not been deleted after trail creation.',
 link: 'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/configure-sns-notifications-for-cloudtrail.html',
 apis: ['CloudTrail:describeTrails', 'SNS:listTopics', 'SNS:getTopicAttributes'],
- realtime_triggers: ['CloudTrail:createTrail', 'CloudTrail:updateTrail'],
+ realtime_triggers: ['CloudTrail:CreateTrail', 'CloudTrail:UpdateTrail'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudtrail/cloudtrailObjectLock.js b/plugins/aws/cloudtrail/cloudtrailObjectLock.js
index 9fe6333447..5f120a01fe 100644
--- a/plugins/aws/cloudtrail/cloudtrailObjectLock.js
+++ b/plugins/aws/cloudtrail/cloudtrailObjectLock.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Edit trail to use a bucket with object locking enabled.',
 link: 'https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock-managing.html',
 apis: ['CloudTrail:describeTrails', 'S3:getObjectLockConfiguration', 'S3:listBuckets'],
- realtime_triggers: ['CloudTrail:createTrail', 'CloudTrail:updateTrail'],
+ realtime_triggers: ['CloudTrail:CreateTrail', 'CloudTrail:UpdateTrail'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudtrail/cloudtrailS3Bucket.js b/plugins/aws/cloudtrail/cloudtrailS3Bucket.js
index 9a47bafeaa..e7e7859790 100644
--- a/plugins/aws/cloudtrail/cloudtrailS3Bucket.js
+++ b/plugins/aws/cloudtrail/cloudtrailS3Bucket.js
@@ -24,7 +24,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['CloudTrail:createTrail', 'CloudTrail:updateTrail'],
+ realtime_triggers: ['CloudTrail:CreateTrail', 'CloudTrail:UpdateTrail'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudtrail/cloudtrailToCloudwatch.js b/plugins/aws/cloudtrail/cloudtrailToCloudwatch.js
index c9f3885f60..c9b975ee73 100644
--- a/plugins/aws/cloudtrail/cloudtrailToCloudwatch.js
+++ b/plugins/aws/cloudtrail/cloudtrailToCloudwatch.js
@@ -13,7 +13,7 @@ module.exports = {
 compliance: {
 cis1: '2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs'
 },
- realtime_triggers: ['CloudTrail:createTrail', 'CloudTrail:updateTrail'],
+ realtime_triggers: ['CloudTrail:CreateTrail', 'CloudTrail:UpdateTrail'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudtrail/globalLoggingDuplicated.js b/plugins/aws/cloudtrail/globalLoggingDuplicated.js
index 438780e849..f88068e28a 100644
--- a/plugins/aws/cloudtrail/globalLoggingDuplicated.js
+++ b/plugins/aws/cloudtrail/globalLoggingDuplicated.js
@@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Update CloudTrail trails to log global services events enabled for only one trail', link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html', apis: ['CloudTrail:describeTrails'], - realtime_triggers: ['CloudTrail:createTrail', 'CloudTrail:updateTrail'], + realtime_triggers: ['CloudTrail:CreateTrail', 'CloudTrail:UpdateTrail'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudwatch/vpcFlowLogsMetricAlarm.js b/plugins/aws/cloudwatch/vpcFlowLogsMetricAlarm.js index b542873886..545a0e4893 100644 --- a/plugins/aws/cloudwatch/vpcFlowLogsMetricAlarm.js +++ b/plugins/aws/cloudwatch/vpcFlowLogsMetricAlarm.js @@ -21,7 +21,7 @@ module.exports = { default: 'vpc_flow_logs' } }, - realtime_triggers: ['CloudWatchLogs:putMetricFilter', 'CloudWatch:putMetricAlarm'], + realtime_triggers: ['CloudWatchLogs:PutMetricFilter', 'CloudWatch:PutMetricAlarm'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudwatchlogs/logGroupsEncrypted.js b/plugins/aws/cloudwatchlogs/logGroupsEncrypted.js index a980409d2e..967af4dd50 100644 --- a/plugins/aws/cloudwatchlogs/logGroupsEncrypted.js +++ b/plugins/aws/cloudwatchlogs/logGroupsEncrypted.js @@ -26,7 +26,7 @@ module.exports = { default: 'Aqua-CSPM-Token-Rotator-Function,-CreateCSPMKeyFunction-,-TriggerDiscoveryFunction-,-GenerateVolumeScanningEx-,-GenerateCSPMExternalIdFu-' } }, - realtime_triggers: ['CloudWatchLogs:createLogGroup', 'CloudWatchLogs:associateKmsKey'], + realtime_triggers: ['CloudWatchLogs:CreateLogGroup', 'CloudWatchLogs:AssociateKmsKey'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudwatchlogs/logRetentionPeriod.js b/plugins/aws/cloudwatchlogs/logRetentionPeriod.js index ee8f0f0276..ea950fd6e0 100644 --- a/plugins/aws/cloudwatchlogs/logRetentionPeriod.js +++ b/plugins/aws/cloudwatchlogs/logRetentionPeriod.js 
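Review bot: logGroupsEncrypted watches `CloudWatchLogs:CreateLogGroup` and `CloudWatchLogs:AssociateKmsKey` but not DisassociateKmsKey, the one call that removes a CMK from an existing log group and therefore the change most likely to turn this check from PASS into FAIL. If the trigger list is matched against CloudTrail event names, a disassociation would go unnoticed until the next scheduled run. Suggest `realtime_triggers: ['CloudWatchLogs:CreateLogGroup', 'CloudWatchLogs:AssociateKmsKey', 'CloudWatchLogs:DisassociateKmsKey'],`. The settings block before the changed line and the run function after it are outside the hunk.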
@@ -18,7 +18,7 @@ module.exports = { default: '90' } }, - realtime_triggers: ['CloudWatchLogs:createLogGroup', 'CloudWatchLogs:putRetentionPolicy'], + realtime_triggers: ['CloudWatchLogs:CreateLogGroup', 'CloudWatchLogs:PutRetentionPolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/cloudwatchlogs/monitoringMetrics.js b/plugins/aws/cloudwatchlogs/monitoringMetrics.js index 59872407e7..232bbc3b70 100644 --- a/plugins/aws/cloudwatchlogs/monitoringMetrics.js +++ b/plugins/aws/cloudwatchlogs/monitoringMetrics.js @@ -76,7 +76,7 @@ module.exports = { compliance: { cis1: '3.0 Monitoring metrics are enabled' }, - realtime_triggers: ['CloudWatchLogs:createLogGroup', 'CloudWatchLogs:putMetricFilter'], + realtime_triggers: ['CloudWatchLogs:CreateLogGroup', 'CloudWatchLogs:PutMetricFilter'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/codeartifact/codeartifactDomainEncrypted.js b/plugins/aws/codeartifact/codeartifactDomainEncrypted.js index c730cf4072..670976468f 100644 --- a/plugins/aws/codeartifact/codeartifactDomainEncrypted.js +++ b/plugins/aws/codeartifact/codeartifactDomainEncrypted.js @@ -19,7 +19,7 @@ module.exports = { default: 'awscmk', } }, - realtime_triggers: ['CodeArtifact:createDomain', 'CodeArtifact:deleteDomain'], + realtime_triggers: ['CodeArtifact:CreateDomain', 'CodeArtifact:DeleteDomain'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/codebuild/codebuildValidSourceProviders.js b/plugins/aws/codebuild/codebuildValidSourceProviders.js index 5ca91b7b77..fff7772c9e 100644 --- a/plugins/aws/codebuild/codebuildValidSourceProviders.js +++ b/plugins/aws/codebuild/codebuildValidSourceProviders.js 
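Review bot: logRetentionPeriod triggers on `CloudWatchLogs:PutRetentionPolicy` but not on DeleteRetentionPolicy, which resets a group to never-expire and is exactly the change that would breach the configured limit (`default: '90'` in the settings context above the changed line). Suggest `realtime_triggers: ['CloudWatchLogs:CreateLogGroup', 'CloudWatchLogs:PutRetentionPolicy', 'CloudWatchLogs:DeleteRetentionPolicy'],`. The enclosing module.exports object starts and ends outside the hunk.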
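Review bot: monitoringMetrics (CIS 3.0 per its compliance entry in this hunk) lists `CloudWatchLogs:CreateLogGroup` and `CloudWatchLogs:PutMetricFilter`, but the event that removes a required filter, DeleteMetricFilter, is absent, so tearing down monitoring filters would not re-trigger the evaluation until the next scan. Suggest `realtime_triggers: ['CloudWatchLogs:CreateLogGroup', 'CloudWatchLogs:PutMetricFilter', 'CloudWatchLogs:DeleteMetricFilter'],`. The enclosing module.exports object starts and ends outside the hunk.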
@@ -18,7 +18,7 @@ module.exports = { default: '' } }, - realtime_triggers: ['CodeBuild:createProject', 'CodeBuild:updateProject'], + realtime_triggers: ['CodeBuild:CreateProject', 'CodeBuild:UpdateProject'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/codebuild/projectArtifactsEncrypted.js b/plugins/aws/codebuild/projectArtifactsEncrypted.js index 54a43d0c9b..906ba6fde6 100644 --- a/plugins/aws/codebuild/projectArtifactsEncrypted.js +++ b/plugins/aws/codebuild/projectArtifactsEncrypted.js @@ -19,7 +19,7 @@ module.exports = { default: 'awscmk', } }, - realtime_triggers: ['CodeBuild:createProject', 'CodeBuild:updateProject'], + realtime_triggers: ['CodeBuild:CreateProject', 'CodeBuild:UpdateProject'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/codepipeline/pipelineArtifactsEncrypted.js b/plugins/aws/codepipeline/pipelineArtifactsEncrypted.js index 230c063411..48845e436d 100644 --- a/plugins/aws/codepipeline/pipelineArtifactsEncrypted.js +++ b/plugins/aws/codepipeline/pipelineArtifactsEncrypted.js @@ -20,7 +20,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['CodePipeline:createPipeline', 'CodePipeline:updatePipeline'], + realtime_triggers: ['CodePipeline:CreatePipeline', 'CodePipeline:UpdatePipeline'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/codestar/codestarValidRepoProviders.js b/plugins/aws/codestar/codestarValidRepoProviders.js index 10d1cf9a2a..efedc097d2 100644 --- a/plugins/aws/codestar/codestarValidRepoProviders.js +++ b/plugins/aws/codestar/codestarValidRepoProviders.js @@ -18,7 +18,7 @@ module.exports = { default: '' } }, - realtime_triggers: ['CodeStar:createProject','CodeStar:updateProject'], + realtime_triggers: ['CodeStar:CreateProject','CodeStar:UpdateProject'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.js b/plugins/aws/cognito/cognitoHasWafEnabled.js
index 0300236552..dab74fef36 100644
--- a/plugins/aws/cognito/cognitoHasWafEnabled.js
+++ b/plugins/aws/cognito/cognitoHasWafEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html',
 recommended_action: '1. Enter the Cognito service. 2. Enter user pools and enable WAF from properties.',
 apis: ['CognitoIdentityServiceProvider:listUserPools', 'WAFV2:getWebACLForCognitoUserPool', 'STS:getCallerIdentity'],
- realtime_triggers: ['CognitoIdentityServiceProvider:createUserPool','CognitoIdentityServiceProvider:updateUserPool'],
+ realtime_triggers: ['CognitoIdentityServiceProvider:CreateUserPool','CognitoIdentityServiceProvider:UpdateUserPool'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cognito/cognitoMFAEnabled.js b/plugins/aws/cognito/cognitoMFAEnabled.js
index 05c459cce9..01e542ef64 100644
--- a/plugins/aws/cognito/cognitoMFAEnabled.js
+++ b/plugins/aws/cognito/cognitoMFAEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html',
 recommended_action: '1. Enter the Cognito service. 2. Enter user pools and enable MFA from sign in experience.',
 apis: ['CognitoIdentityServiceProvider:listUserPools', 'CognitoIdentityServiceProvider:describeUserPool', 'STS:getCallerIdentity'],
- realtime_triggers: ['CognitoIdentityServiceProvider:createUserPool','CognitoIdentityServiceProvider:updateUserPool'],
+ realtime_triggers: ['CognitoIdentityServiceProvider:CreateUserPool','CognitoIdentityServiceProvider:UpdateUserPool'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/comprehend/outputResultEncryption.js b/plugins/aws/comprehend/outputResultEncryption.js
index ff02147ad4..86ab0f46f1 100644
--- a/plugins/aws/comprehend/outputResultEncryption.js
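Review bot: cognitoHasWafEnabled reads the association through `WAFV2:getWebACLForCognitoUserPool` (apis in the same hunk) but triggers only on `CognitoIdentityServiceProvider:CreateUserPool`/`UpdateUserPool`; attaching or detaching a web ACL is a WAFV2 operation (AssociateWebACL/DisassociateWebACL) that never appears as a Cognito event, so stripping WAF from a pool would not re-run this check. Unless the matcher does more than compare event names (not visible here), suggest `realtime_triggers: ['CognitoIdentityServiceProvider:CreateUserPool','CognitoIdentityServiceProvider:UpdateUserPool','WAFV2:AssociateWebACL','WAFV2:DisassociateWebACL'],`. The enclosing module.exports object starts and ends outside the hunk.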
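Review bot: cognitoMFAEnabled's triggers stop at `CreateUserPool`/`UpdateUserPool`, yet the MFA configuration this check inspects via `describeUserPool` can also be changed with the dedicated SetUserPoolMfaConfig call, which matches neither entry. If that call is logged as its own CloudTrail event (I cannot confirm the matcher's event source from this diff), suggest adding `'CognitoIdentityServiceProvider:SetUserPoolMfaConfig'` to the array. The enclosing module.exports object starts and ends outside the hunk.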
+++ b/plugins/aws/comprehend/outputResultEncryption.js
@@ -11,7 +11,7 @@ module.exports = {
 recommended_action: 'Enable output result encryption for the Comprehend job',
 apis: ['Comprehend:listEntitiesDetectionJobs', 'Comprehend:listDominantLanguageDetectionJobs', 'Comprehend:listTopicsDetectionJobs', 'Comprehend:listDocumentClassificationJobs', 'Comprehend:listKeyPhrasesDetectionJobs', 'Comprehend:listSentimentDetectionJobs'],
- realtime_triggers: ['Comprehend:startEntitiesDetectionJob'],
+ realtime_triggers: ['Comprehend:StartEntitiesDetectionJob'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/comprehend/volumeEncryption.js b/plugins/aws/comprehend/volumeEncryption.js
index 7333a87afd..1c7b1a47c7 100644
--- a/plugins/aws/comprehend/volumeEncryption.js
+++ b/plugins/aws/comprehend/volumeEncryption.js
@@ -11,7 +11,7 @@ module.exports = {
 recommended_action: 'Enable volume encryption for the Comprehend job',
 apis: ['Comprehend:listEntitiesDetectionJobs', 'Comprehend:listDominantLanguageDetectionJobs', 'Comprehend:listTopicsDetectionJobs', 'Comprehend:listDocumentClassificationJobs', 'Comprehend:listKeyPhrasesDetectionJobs', 'Comprehend:listSentimentDetectionJobs'],
- realtime_triggers: ['Comprehend:startEntitiesDetectionJob'],
+ realtime_triggers: ['Comprehend:StartEntitiesDetectionJob'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/computeoptimizer/asgOptimized.js b/plugins/aws/computeoptimizer/asgOptimized.js
index 3751d3a102..e047ccc0a0 100644
--- a/plugins/aws/computeoptimizer/asgOptimized.js
+++ b/plugins/aws/computeoptimizer/asgOptimized.js
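Review bot: outputResultEncryption watches a single trigger, `Comprehend:StartEntitiesDetectionJob`, while the apis line directly above it enumerates six job types (dominant-language, topics, document-classification, key-phrases and sentiment jobs as well). Each of those is launched by its own Start*Job API, so an unencrypted sentiment or topics job would never cause a realtime re-evaluation. Suggest listing all six: `realtime_triggers: ['Comprehend:StartEntitiesDetectionJob', 'Comprehend:StartDominantLanguageDetectionJob', 'Comprehend:StartTopicsDetectionJob', 'Comprehend:StartDocumentClassificationJob', 'Comprehend:StartKeyPhrasesDetectionJob', 'Comprehend:StartSentimentDetectionJob'],`. The enclosing module.exports object starts and ends outside the hunk.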
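Review bot: volumeEncryption lists only `Comprehend:StartEntitiesDetectionJob` although its apis cover six job types, so volume encryption on the other five Start*Job calls is only ever caught by a scheduled scan. Suggest a six-element list: `StartEntitiesDetectionJob`, `StartDominantLanguageDetectionJob`, `StartTopicsDetectionJob`, `StartDocumentClassificationJob`, `StartKeyPhrasesDetectionJob` and `StartSentimentDetectionJob`, each prefixed `Comprehend:`. The enclosing module.exports object starts and ends outside the hunk.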
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/compute-optimizer/latest/ug/view-asg-recommendations.html',
 recommended_action: 'Resolve Compute Optimizer recommendations for Auto Scaling groups.',
 apis: ['ComputeOptimizer:getRecommendationSummaries'],
- realtime_triggers: ['AutoScaling:createAutoScalingGroup','AutoScaling:updateAutoScalingGroup','AutoScaling:startInstanceRefresh'],
+ realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:UpdateAutoScalingGroup','AutoScaling:StartInstanceRefresh'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/computeoptimizer/ebsVolumesOptimized.js b/plugins/aws/computeoptimizer/ebsVolumesOptimized.js
index f4d5873303..b702d3ef8c 100644
--- a/plugins/aws/computeoptimizer/ebsVolumesOptimized.js
+++ b/plugins/aws/computeoptimizer/ebsVolumesOptimized.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/compute-optimizer/latest/ug/view-ebs-recommendations.html',
 recommended_action: 'Resolve Compute Optimizer recommendations for EBS volumes.',
 apis: ['ComputeOptimizer:getRecommendationSummaries'],
- realtime_triggers: ['EC2:createVolume','EC2:modifyVolume'],
+ realtime_triggers: ['EC2:CreateVolume','EC2:ModifyVolume'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/computeoptimizer/ec2InstancesOptimized.js b/plugins/aws/computeoptimizer/ec2InstancesOptimized.js
index 0e0e951ac4..96ae3e62a7 100644
--- a/plugins/aws/computeoptimizer/ec2InstancesOptimized.js
+++ b/plugins/aws/computeoptimizer/ec2InstancesOptimized.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/compute-optimizer/latest/ug/view-ec2-recommendations.html',
 recommended_action: 'Resolve Compute Optimizer recommendations for EC2 instances.',
 apis: ['ComputeOptimizer:getRecommendationSummaries'],
- realtime_triggers: ['EC2:runInstances','EC2:modifyInstanceAttribute','EC2:startInstances'],
+ realtime_triggers: ['EC2:RunInstances','EC2:ModifyInstanceAttribute','EC2:StartInstances'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/computeoptimizer/lambdaFunctionsOptimized.js b/plugins/aws/computeoptimizer/lambdaFunctionsOptimized.js
index 0e1b49731d..42bda2e194 100644
--- a/plugins/aws/computeoptimizer/lambdaFunctionsOptimized.js
+++ b/plugins/aws/computeoptimizer/lambdaFunctionsOptimized.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/compute-optimizer/latest/ug/view-lambda-recommendations.html',
 recommended_action: 'Resolve Compute Optimizer recommendations for Lambda functions.',
 apis: ['ComputeOptimizer:getRecommendationSummaries'],
- realtime_triggers: ['Lambda:createFunction','Lambda:updateFunctionConfiguration'],
+ realtime_triggers: ['Lambda:CreateFunction','Lambda:UpdateFunctionConfiguration'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/computeoptimizer/optimizerRecommendationsEnabled.js b/plugins/aws/computeoptimizer/optimizerRecommendationsEnabled.js
index 8f7f0ef549..c52a979811 100644
--- a/plugins/aws/computeoptimizer/optimizerRecommendationsEnabled.js
+++ b/plugins/aws/computeoptimizer/optimizerRecommendationsEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/compute-optimizer/latest/ug/what-is-compute-optimizer.html',
 recommended_action: 'Enable Compute Optimizer Opt In options for current of all AWS account in your organization.',
 apis: ['ComputeOptimizer:getRecommendationSummaries'],
- realtime_triggers: ['ComputeOptimizer:updateEnrollmentStatus'],
+ realtime_triggers: ['ComputeOptimizer:UpdateEnrollmentStatus'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/configservice/configComplaintRules.js b/plugins/aws/configservice/configComplaintRules.js
index 8e900bf622..d9e6b75dd9 100644
--- a/plugins/aws/configservice/configComplaintRules.js
+++ b/plugins/aws/configservice/configComplaintRules.js
@@ -11,7 +11,7 @@ module.exports = {
 recommended_action: 'Enable the AWS Config Service rules for compliance checks and close security gaps.',
 link: 'https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html',
 apis: ['ConfigService:describeConfigRules', 'ConfigService:getComplianceDetailsByConfigRule'],
- realtime_triggers: ['ConfigService:startConfigurationRecorder','ConfigService:putConfigRule'],
+ realtime_triggers: ['ConfigService:StartConfigurationRecorder','ConfigService:PutConfigRule'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/configservice/configDeliveryFailing.js b/plugins/aws/configservice/configDeliveryFailing.js
index d4fc02edc7..160dd6e297 100644
--- a/plugins/aws/configservice/configDeliveryFailing.js
+++ b/plugins/aws/configservice/configDeliveryFailing.js
@@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Configure AWS Config log files to be delivered without any failures to designated S3 bucket.', link: 'https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html', apis: ['ConfigService:describeConfigurationRecorderStatus'], - realtime_triggers: ['ConfigService:startConfigurationRecorder','ConfigService:putDeliveryChannel'], + realtime_triggers: ['ConfigService:StartConfigurationRecorder','ConfigService:PutDeliveryChannel'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/configservice/configServiceEnabled.js b/plugins/aws/configservice/configServiceEnabled.js index 5e6239fb12..1c3cdb4384 100644 --- a/plugins/aws/configservice/configServiceEnabled.js +++ b/plugins/aws/configservice/configServiceEnabled.js @@ -17,7 +17,7 @@ module.exports = { 'could introduce security risks.', cis1: '2.5 Ensure AWS Config is enabled in all regions' }, - realtime_triggers: ['ConfigService:startConfigurationRecorder','ConfigService:stopConfigurationRecorder'], + realtime_triggers: ['ConfigService:StartConfigurationRecorder','ConfigService:StopConfigurationRecorder'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/configservice/configServiceMissingBucket.js b/plugins/aws/configservice/configServiceMissingBucket.js index 782f940e0a..f1ca8942f0 100644 --- a/plugins/aws/configservice/configServiceMissingBucket.js +++ b/plugins/aws/configservice/configServiceMissingBucket.js 
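Review bot: configServiceEnabled (CIS 2.5 per the compliance entry in this hunk) re-runs only on `StartConfigurationRecorder`/`StopConfigurationRecorder`, but an actor disabling Config for evasion can equally call DeleteConfigurationRecorder or DeleteDeliveryChannel, and a recorder is also (re)defined with PutConfigurationRecorder; none of those would match the new list. Suggest `realtime_triggers: ['ConfigService:StartConfigurationRecorder','ConfigService:StopConfigurationRecorder','ConfigService:PutConfigurationRecorder','ConfigService:DeleteConfigurationRecorder','ConfigService:DeleteDeliveryChannel'],`, assuming the entries are matched against CloudTrail event names as the rename suggests. The enclosing module.exports object starts and ends outside the hunk.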
@@ -11,7 +11,7 @@ module.exports = { recommended_action: 'Ensure that Amazon Config service is referencing an active S3 bucket in order to save configuration information.', link: 'https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html', apis: ['S3:listBuckets', 'ConfigService:describeDeliveryChannels', 'S3:headBucket'], - realtime_triggers: ['ConfigService:startConfigurationRecorder','ConfigService:putDeliveryChannel'], + realtime_triggers: ['ConfigService:StartConfigurationRecorder','ConfigService:PutDeliveryChannel'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/configservice/servicesInUse.js b/plugins/aws/configservice/servicesInUse.js index bf7bd8b2c8..4d426f2a80 100644 --- a/plugins/aws/configservice/servicesInUse.js +++ b/plugins/aws/configservice/servicesInUse.js @@ -25,7 +25,7 @@ module.exports = { default:'' }, }, - realtime_triggers: ['ConfigService:startConfigurationRecorder','ConfigService:startConfigRulesEvaluation'], + realtime_triggers: ['ConfigService:StartConfigurationRecorder','ConfigService:StartConfigRulesEvaluation'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/devopsguru/devOpsGuruNotificationEnabled.js b/plugins/aws/devopsguru/devOpsGuruNotificationEnabled.js index bf463f5041..6913387a6e 100644 --- a/plugins/aws/devopsguru/devOpsGuruNotificationEnabled.js +++ b/plugins/aws/devopsguru/devOpsGuruNotificationEnabled.js @@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Add a notification channel to DevOps Guru', link: 'https://docs.aws.amazon.com/devops-guru/latest/userguide/setting-up.html', apis: ['DevOpsGuru:listNotificationChannels'], - realtime_triggers: ['DevOpsGuru:addNotificationChannel'], + realtime_triggers: ['DevOpsGuru:AddNotificationChannel'], run: function(cache, settings, callback) { var results = []; 
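Review bot: configServiceMissingBucket describes its failing state as a delivery channel pointing at a bucket that no longer exists (recommended_action and `S3:headBucket` in this hunk), but neither `StartConfigurationRecorder` nor `PutDeliveryChannel` is raised when that happens; the bucket goes away via S3 DeleteBucket and the channel via DeleteDeliveryChannel. Suggest `realtime_triggers: ['ConfigService:StartConfigurationRecorder','ConfigService:PutDeliveryChannel','ConfigService:DeleteDeliveryChannel','S3:DeleteBucket'],`, with the caveat that this diff does not show whether the matcher receives S3 bucket-level events. The enclosing module.exports object starts and ends outside the hunk.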
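Review bot: devOpsGuruNotificationEnabled triggers only on `DevOpsGuru:AddNotificationChannel`, which is the call that fixes the finding rather than the one that creates it; removing the last channel via RemoveNotificationChannel would leave the check stale until the next scheduled scan. Suggest `realtime_triggers: ['DevOpsGuru:AddNotificationChannel', 'DevOpsGuru:RemoveNotificationChannel'],`. The enclosing module.exports object starts and ends outside the hunk.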
diff --git a/plugins/aws/dms/autoMinorVersionUpgrade.js b/plugins/aws/dms/autoMinorVersionUpgrade.js index e48003d580..21936447d2 100644 --- a/plugins/aws/dms/autoMinorVersionUpgrade.js +++ b/plugins/aws/dms/autoMinorVersionUpgrade.js @@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Enable Auto Minor Version Upgrade feature in order to automatically receive minor engine upgrades for improved performance and security', link: 'https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.Modifying.html', apis: ['DMS:describeReplicationInstances'], - realtime_triggers: ['DMS:createReplicationInstance','DMS:modifyReplicationInstance'], + realtime_triggers: ['DMS:CreateReplicationInstance','DMS:ModifyReplicationInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/dms/dmsEncryptionEnabled.js b/plugins/aws/dms/dmsEncryptionEnabled.js index c423d9fb39..c6b1780e80 100644 --- a/plugins/aws/dms/dmsEncryptionEnabled.js +++ b/plugins/aws/dms/dmsEncryptionEnabled.js @@ -29,7 +29,7 @@ module.exports = { default: false } }, - realtime_triggers: ['DMS:createReplicationInstance'], + realtime_triggers: ['DMS:CreateReplicationInstance'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/dms/dmsMultiAZFeatureEnabled.js b/plugins/aws/dms/dmsMultiAZFeatureEnabled.js index 554959e1f0..bdfb32b843 100644 --- a/plugins/aws/dms/dmsMultiAZFeatureEnabled.js +++ b/plugins/aws/dms/dmsMultiAZFeatureEnabled.js 
@@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Enable Multi-AZ deployment feature in order to get high availability and failover support', link: 'https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.html', apis: ['DMS:describeReplicationInstances'], - realtime_triggers: ['DMS:createReplicationInstance','DMS:modifyReplicationInstance'], + realtime_triggers: ['DMS:CreateReplicationInstance','DMS:ModifyReplicationInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/dms/dmsPubliclyAccessibleInstances.js b/plugins/aws/dms/dmsPubliclyAccessibleInstances.js index adf4cdeb71..b484cdc59b 100644 --- a/plugins/aws/dms/dmsPubliclyAccessibleInstances.js +++ b/plugins/aws/dms/dmsPubliclyAccessibleInstances.js @@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Ensure that DMS replication instances have only private IP address and not public IP address', link: 'https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.PublicPrivate.html', apis: ['DMS:describeReplicationInstances'], - realtime_triggers: ['DMS:createReplicationInstance'], + realtime_triggers: ['DMS:CreateReplicationInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/documentDB/docdbClusterBackupRetention.js b/plugins/aws/documentDB/docdbClusterBackupRetention.js index fdd57ae1df..5668b30387 100644 --- a/plugins/aws/documentDB/docdbClusterBackupRetention.js +++ b/plugins/aws/documentDB/docdbClusterBackupRetention.js @@ -18,7 +18,7 @@ module.exports = { default: 7 } }, - realtime_triggers: ['DocDB:createDBCluster','DocDB:modifyDBCluster'], + realtime_triggers: ['DocDB:CreateDBCluster','DocDB:ModifyDBCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/documentDB/docdbClusterEncrypted.js b/plugins/aws/documentDB/docdbClusterEncrypted.js index 269efff794..7efb61a400 100644 --- a/plugins/aws/documentDB/docdbClusterEncrypted.js 
+++ b/plugins/aws/documentDB/docdbClusterEncrypted.js @@ -19,7 +19,7 @@ module.exports = { default: 'awscmk', } }, - realtime_triggers: ['DocDB:createDBCluster','DocDB:createDBInstance'], + realtime_triggers: ['DocDB:CreateDBCluster','DocDB:CreateDBInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/dynamodb/daxClusterEncryption.js b/plugins/aws/dynamodb/daxClusterEncryption.js index 0ae7b3c373..0eb9ac5970 100644 --- a/plugins/aws/dynamodb/daxClusterEncryption.js +++ b/plugins/aws/dynamodb/daxClusterEncryption.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAXEncryptionAtRest.html', recommended_action: 'Enable encryption for DAX cluster.', apis: ['DAX:describeClusters'], - realtime_triggers: ['DAX:createCluster'], + realtime_triggers: ['DAX:CreateCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/dynamodb/dynamoContinuousBackups.js b/plugins/aws/dynamodb/dynamoContinuousBackups.js index 838fb12ab8..ec071ef569 100644 --- a/plugins/aws/dynamodb/dynamoContinuousBackups.js +++ b/plugins/aws/dynamodb/dynamoContinuousBackups.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://aws.amazon.com/blogs/aws/new-amazon-dynamodb-continuous-backups-and-point-in-time-recovery-pitr/', recommended_action: 'Enable Continuous Backups and Point-In-Time Recovery (PITR) features.', apis: ['DynamoDB:listTables', 'DynamoDB:describeContinuousBackups', 'STS:getCallerIdentity'], - realtime_triggers: ['DynamoDB:createTable','DynamoDB:updateContinuousBackups'], + realtime_triggers: ['DynamoDB:CreateTable','DynamoDB:UpdateContinuousBackups'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/dynamodb/dynamoTableBackupExists.js b/plugins/aws/dynamodb/dynamoTableBackupExists.js index db800ecdaa..2510c1bd70 100644 --- a/plugins/aws/dynamodb/dynamoTableBackupExists.js 
+++ b/plugins/aws/dynamodb/dynamoTableBackupExists.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/BackupRestore.html',
 recommended_action: 'Create on-demand backups for DynamoDB tables.',
 apis: ['DynamoDB:listTables', 'DynamoDB:listBackups', 'STS:getCallerIdentity'],
- realtime_triggers: ['DynamoDB:createTable','DynamoDB:createBackup'],
+ realtime_triggers: ['DynamoDB:CreateTable','DynamoDB:CreateBackup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/dynamodb/dynamoTableHasTags.js b/plugins/aws/dynamodb/dynamoTableHasTags.js
index 3f06cb6f11..0139aa23ae 100644
--- a/plugins/aws/dynamodb/dynamoTableHasTags.js
+++ b/plugins/aws/dynamodb/dynamoTableHasTags.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Tagging.html',
 recommended_action: 'Modify DynamoDB table and add tags.',
 apis: ['DynamoDB:listTables', 'ResourceGroupsTaggingAPI:getResources', 'STS:getCallerIdentity'],
- realtime_triggers: ['DynamoDB:createTable','DynamoDB:tagResource','DynamoDB:untagResource'],
+ realtime_triggers: ['DynamoDB:CreateTable','DynamoDB:TagResource','DynamoDB:UntagResource'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/dynamodb/dynamoUnusedTable.js b/plugins/aws/dynamodb/dynamoUnusedTable.js
index ce6ded72ed..7d60fa9e85 100644
--- a/plugins/aws/dynamodb/dynamoUnusedTable.js
+++ b/plugins/aws/dynamodb/dynamoUnusedTable.js
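Review bot: dynamoTableBackupExists lists `DynamoDB:CreateTable` and `DynamoDB:CreateBackup` but not DeleteBackup, the call that removes the backup whose presence this check asserts (`DynamoDB:listBackups` in apis); on the new list a table that loses its only backup would not be re-evaluated in realtime. Suggest `realtime_triggers: ['DynamoDB:CreateTable','DynamoDB:CreateBackup','DynamoDB:DeleteBackup'],`. The enclosing module.exports object starts and ends outside the hunk.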
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/WorkingWithTables.Basics.html', recommended_action: 'Remove unused tables if you no longer need them.', apis: ['DynamoDB:listTables', 'DynamoDB:describeTable', 'STS:getCallerIdentity'], - realtime_triggers: ['DynamoDB:createTable','DynamoDB:deleteTable'], + realtime_triggers: ['DynamoDB:CreateTable','DynamoDB:DeleteTable'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/accessKeysExtra.js b/plugins/aws/iam/accessKeysExtra.js index 8e1fd07027..a47e734f36 100644 --- a/plugins/aws/iam/accessKeysExtra.js +++ b/plugins/aws/iam/accessKeysExtra.js @@ -27,7 +27,7 @@ module.exports = { } ] }, - realtime_triggers: ['IAM:createAccessKey,IAM:deleteAccessKey'], + realtime_triggers: ['IAM:CreateAccessKey,IAM:DeleteAccessKey'], run: function(cache, settings, callback) { diff --git a/plugins/aws/iam/accessKeysLastUsed.js b/plugins/aws/iam/accessKeysLastUsed.js index f11d5dc38e..065c717ffc 100644 --- a/plugins/aws/iam/accessKeysLastUsed.js +++ b/plugins/aws/iam/accessKeysLastUsed.js @@ -41,7 +41,7 @@ module.exports = { } ] }, - realtime_triggers: ['IAM:deleteAccessKey'], + realtime_triggers: ['IAM:DeleteAccessKey'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/accessKeysRotated.js b/plugins/aws/iam/accessKeysRotated.js index 90d9e61bbd..bfca705f77 100644 --- a/plugins/aws/iam/accessKeysRotated.js +++ b/plugins/aws/iam/accessKeysRotated.js @@ -33,7 +33,7 @@ module.exports = { default: 90 } }, - realtime_triggers: ['IAM:createAccessKey,IAM:deleteAccessKey'], + realtime_triggers: ['IAM:CreateAccessKey,IAM:DeleteAccessKey'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/canaryKeysUsed.js b/plugins/aws/iam/canaryKeysUsed.js index 8054a99629..a6edda8275 100644 --- a/plugins/aws/iam/canaryKeysUsed.js +++ b/plugins/aws/iam/canaryKeysUsed.js 
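Review bot: accessKeysExtra's trigger array still holds a single element, `'IAM:CreateAccessKey,IAM:DeleteAccessKey'`, two events joined by a comma inside one string; the commit recased it but kept the delimiter. If the matcher compares whole elements to event names — every other plugin in this diff, e.g. `['DynamoDB:CreateTable','DynamoDB:DeleteTable']` in the dynamoUnusedTable hunk, uses one element per event — that string equals nothing and the check has no working realtime trigger at all. Suggest `realtime_triggers: ['IAM:CreateAccessKey', 'IAM:DeleteAccessKey'],`; the accessKeysRotated hunk carries the identical single-string form and needs the same split. The settings object preceding the changed line and the run function after it are outside the hunk.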
@@ -32,7 +32,7 @@ module.exports = { } ] }, - realtime_triggers: ['IAM:createUser'], + realtime_triggers: ['IAM:CreateUser'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/certificateExpiry.js b/plugins/aws/iam/certificateExpiry.js index 5080112e09..20fd0e3599 100644 --- a/plugins/aws/iam/certificateExpiry.js +++ b/plugins/aws/iam/certificateExpiry.js @@ -35,7 +35,7 @@ module.exports = { } ] }, - realtime_triggers: ['IAM:uploadServerCertificate,ELB:setLoadBalancerListenerSSLCertificate'], + realtime_triggers: ['IAM:UploadServerCertificate,ELB:SetLoadBalancerListenerSSLCertificate'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/crossAccountMfaExtIdAccess.js b/plugins/aws/iam/crossAccountMfaExtIdAccess.js index 3c376490ec..b3a1f1912b 100644 --- a/plugins/aws/iam/crossAccountMfaExtIdAccess.js +++ b/plugins/aws/iam/crossAccountMfaExtIdAccess.js @@ -9,7 +9,7 @@ module.exports = { link: 'https://aws.amazon.com/blogs/aws/mfa-protection-for-cross-account-access/', recommended_action: 'Update the IAM role to either require MFA or use an external ID.', apis: ['IAM:listRoles', 'STS:getCallerIdentity'], - realtime_triggers: ['IAM:createRole,IAM:updateAssumeRolePolicy'], + realtime_triggers: ['IAM:CreateRole,IAM:UpdateAssumeRolePolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/emptyGroups.js b/plugins/aws/iam/emptyGroups.js index 3209c0a826..be624e1911 100644 --- a/plugins/aws/iam/emptyGroups.js +++ b/plugins/aws/iam/emptyGroups.js @@ -22,7 +22,7 @@ module.exports = { } ] }, - realtime_triggers: ['IAM:createGroup,IAM:deleteGroup'], + realtime_triggers: ['IAM:CreateGroup,IAM:DeleteGroup'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/groupInlinePolicies.js b/plugins/aws/iam/groupInlinePolicies.js index 7d2b7e32fd..495c14c400 100644 --- a/plugins/aws/iam/groupInlinePolicies.js 
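Review bot: certificateExpiry's trigger `'IAM:UploadServerCertificate,ELB:SetLoadBalancerListenerSSLCertificate'` packs two service:event pairs into one quoted string, which cannot equal any single event name, so neither a certificate upload nor a listener change will fire if elements are compared individually (the one-element-per-event form used everywhere else in this diff). Suggest `realtime_triggers: ['IAM:UploadServerCertificate', 'ELB:SetLoadBalancerListenerSSLCertificate'],`. The crossAccountMfaExtIdAccess and emptyGroups hunks in this batch have the same comma-in-string defect (`'IAM:CreateRole,IAM:UpdateAssumeRolePolicy'` and `'IAM:CreateGroup,IAM:DeleteGroup'`) and should be split the same way. The settings object preceding the changed line is outside the hunk.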
+++ b/plugins/aws/iam/groupInlinePolicies.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html', recommended_action: 'Remove inline policies attached to groups', apis: ['IAM:listGroups', 'IAM:listGroupPolicies'], - realtime_triggers: ['IAM:createPolicy,IAM:deleteGroupPolicy'], + realtime_triggers: ['IAM:CreatePolicy,IAM:DeleteGroupPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/iamMasterManagerRoles.js b/plugins/aws/iam/iamMasterManagerRoles.js index 5c6a748b78..346ec5582f 100644 --- a/plugins/aws/iam/iamMasterManagerRoles.js +++ b/plugins/aws/iam/iamMasterManagerRoles.js @@ -129,7 +129,7 @@ module.exports = { default: '' } }, - realtime_triggers: ['IAM:createRole'], + realtime_triggers: ['IAM:CreateRole'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/iamPoliciesPresent.js b/plugins/aws/iam/iamPoliciesPresent.js index b3861c67a3..f9c76082fa 100644 --- a/plugins/aws/iam/iamPoliciesPresent.js +++ b/plugins/aws/iam/iamPoliciesPresent.js @@ -18,7 +18,7 @@ module.exports = { default: '' } }, - realtime_triggers: ['IAM:createPolicy,IAM:createPolicyVersion,IAM:putRolePolicy,IAM:updateAssumeRolePolicy'], + realtime_triggers: ['IAM:CreatePolicy,IAM:CreatePolicyVersion,IAM:PutRolePolicy,IAM:UpdateAssumeRolePolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/iamRoleHasTags.js b/plugins/aws/iam/iamRoleHasTags.js index 4ded449a96..586b4cd895 100644 --- a/plugins/aws/iam/iamRoleHasTags.js +++ b/plugins/aws/iam/iamRoleHasTags.js 
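Review bot: groupInlinePolicies inspects inline group policies (`IAM:listGroupPolicies` in apis), but its trigger `'IAM:CreatePolicy,IAM:DeleteGroupPolicy'` both names the wrong creation event — CreatePolicy creates a customer-managed policy, inline group policies are written with PutGroupPolicy — and joins the two events into one string that matches no event name. Suggest `realtime_triggers: ['IAM:PutGroupPolicy', 'IAM:DeleteGroupPolicy'],`. The iamPoliciesPresent hunk in this batch has the same single-string form (`'IAM:CreatePolicy,IAM:CreatePolicyVersion,IAM:PutRolePolicy,IAM:UpdateAssumeRolePolicy'`) and needs splitting into four elements. The enclosing module.exports object starts and ends outside the hunk.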
@@ -9,7 +9,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html', recommended_action: 'Modify Roles to add tags.', apis: ['IAM:listRoles', 'IAM:getRole'], - realtime_triggers: ['IAM:createRole,IAM:tagRole,IAM:untagRole'], + realtime_triggers: ['IAM:CreateRole,IAM:TagRole,IAM:UntagRole'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/iamRoleLastUsed.js b/plugins/aws/iam/iamRoleLastUsed.js index 84c7f95025..eaf0cc26dc 100644 --- a/plugins/aws/iam/iamRoleLastUsed.js +++ b/plugins/aws/iam/iamRoleLastUsed.js @@ -54,7 +54,7 @@ module.exports = { } ] }, - realtime_triggers: ['IAM:createRole,IAM:deleteRole'], + realtime_triggers: ['IAM:CreateRole,IAM:DeleteRole'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/iamRolePolicies.js b/plugins/aws/iam/iamRolePolicies.js index 2d1d36d974..7e738430a9 100644 --- a/plugins/aws/iam/iamRolePolicies.js +++ b/plugins/aws/iam/iamRolePolicies.js @@ -82,7 +82,7 @@ module.exports = { default: 'false' } }, - realtime_triggers: ['IAM:createPolicy,IAM:createPolicyVersion,IAM:putRolePolicy,IAM:updateAssumeRolePolicy'], + realtime_triggers: ['IAM:CreatePolicy,IAM:CreatePolicyVersion,IAM:PutRolePolicy,IAM:UpdateAssumeRolePolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/iamSupportPolicy.js b/plugins/aws/iam/iamSupportPolicy.js index 9f455d8d92..fcbf15407a 100644 --- a/plugins/aws/iam/iamSupportPolicy.js +++ b/plugins/aws/iam/iamSupportPolicy.js @@ -9,7 +9,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html', recommended_action: 'Ensure that an IAM role has permission to access support center.', apis: ['IAM:listPolicies'], - realtime_triggers: ['IAM:createPolicy,IAM:createPolicyVersion'], + realtime_triggers: ['IAM:CreatePolicy,IAM:CreatePolicyVersion'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/iam/iamUserAdmins.js b/plugins/aws/iam/iamUserAdmins.js index fa727f6c4c..04429e25c1 100644 --- a/plugins/aws/iam/iamUserAdmins.js +++ b/plugins/aws/iam/iamUserAdmins.js @@ -33,7 +33,7 @@ module.exports = { default: 2 } }, - realtime_triggers: ['IAM:addUserToGroup,IAM:removeUserFromGroup,IAM:attachGroupPolicy,IAM:detachGroupPolicy,IAM:attachUserPolicy,IAM:detachUserPolicy,IAM:putUserPolicy'], + realtime_triggers: ['IAM:AddUserToGroup,IAM:RemoveUserFromGroup,IAM:AttachGroupPolicy,IAM:DetachGroupPolicy,IAM:AttachUserPolicy,IAM:DetachUserPolicy,IAM:PutUserPolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/iamUserHasTags.js b/plugins/aws/iam/iamUserHasTags.js index 0320cefec9..394063fac5 100644 --- a/plugins/aws/iam/iamUserHasTags.js +++ b/plugins/aws/iam/iamUserHasTags.js @@ -9,7 +9,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags_users.html', recommended_action: 'Modify IAM User and add tags', apis: ['IAM:listUsers', 'IAM:getUser'], - realtime_triggers: ['IAM:createUser,IAM:tagUser,IAM:untagUser'], + realtime_triggers: ['IAM:CreateUser,IAM:TagUser,IAM:UntagUser'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/iamUserInUse.js b/plugins/aws/iam/iamUserInUse.js index eb456b9867..0d7b4b9298 100644 --- a/plugins/aws/iam/iamUserInUse.js +++ b/plugins/aws/iam/iamUserInUse.js @@ -17,7 +17,7 @@ module.exports = { default: '15' } }, - realtime_triggers: ['IAM:createUser,IAM:deleteUser'], + realtime_triggers: ['IAM:CreateUser,IAM:DeleteUser'], run: function(cache, settings, callback) { const config = { diff --git a/plugins/aws/iam/iamUserNameRegex.js b/plugins/aws/iam/iamUserNameRegex.js index b4cd32a785..cbb04e9d50 100644 --- a/plugins/aws/iam/iamUserNameRegex.js +++ b/plugins/aws/iam/iamUserNameRegex.js 
@@ -30,7 +30,7 @@ module.exports = { } ] }, - realtime_triggers: ['IAM:createUser,IAM:deleteUser,IAM:updateUser'], + realtime_triggers: ['IAM:CreateUser,IAM:DeleteUser,IAM:UpdateUser'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/iamUserNotInUse.js b/plugins/aws/iam/iamUserNotInUse.js index 8fc8f51568..d69b56914c 100644 --- a/plugins/aws/iam/iamUserNotInUse.js +++ b/plugins/aws/iam/iamUserNotInUse.js @@ -17,7 +17,7 @@ module.exports = { default: '90' } }, - realtime_triggers: ['IAM:createUser,IAM:deleteUser'], + realtime_triggers: ['IAM:CreateUser,IAM:DeleteUser'], run: function(cache, settings, callback) { const config = { diff --git a/plugins/aws/iam/iamUserPresent.js b/plugins/aws/iam/iamUserPresent.js index 35be2f0767..cdc696e429 100644 --- a/plugins/aws/iam/iamUserPresent.js +++ b/plugins/aws/iam/iamUserPresent.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html', recommended_action: 'Create IAM user(s) and use them to access AWS services and resources.', apis: ['IAM:listUsers'], - realtime_triggers: ['IAM:createUser'], + realtime_triggers: ['IAM:CreateUser'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/iamUserUnauthorizedToEdit.js b/plugins/aws/iam/iamUserUnauthorizedToEdit.js index f6fcdf6b84..b3a36a5d32 100644 --- a/plugins/aws/iam/iamUserUnauthorizedToEdit.js +++ b/plugins/aws/iam/iamUserUnauthorizedToEdit.js 
@@ -45,7 +45,7 @@ module.exports = { default: '' } }, - realtime_triggers: ['IAM:addUserToGroup,IAM:removeUserFromGroup,IAM:attachGroupPolicy,IAM:detachGroupPolicy,IAM:attachUserPolicy,IAM:detachUserPolicy,IAM:putUserPolicy'], + realtime_triggers: ['IAM:AddUserToGroup,IAM:RemoveUserFromGroup,IAM:AttachGroupPolicy,IAM:DetachGroupPolicy,IAM:AttachUserPolicy,IAM:DetachUserPolicy,IAM:PutUserPolicy'], run: function(cache, settings, callback) { var whitelisted_users = settings.iam_authorized_user_arns || this.settings.iam_authorized_user_arns.default; diff --git a/plugins/aws/iam/iamUserWithoutPermissions.js b/plugins/aws/iam/iamUserWithoutPermissions.js index d424eaf5ed..ea1dca91e8 100644 --- a/plugins/aws/iam/iamUserWithoutPermissions.js +++ b/plugins/aws/iam/iamUserWithoutPermissions.js @@ -11,7 +11,7 @@ module.exports = { recommended_action: 'Modify IAM user and attach new permissions or delete the user.', apis: ['IAM:listUsers', 'IAM:listUserPolicies', 'IAM:listAttachedUserPolicies', 'IAM:getPolicyVersion' ,'IAM:listGroupsForUser', 'IAM:listGroups', 'IAM:listGroupPolicies', 'IAM:listAttachedGroupPolicies'], - realtime_triggers: ['IAM:addUserToGroup,IAM:removeUserFromGroup,IAM:attachGroupPolicy,IAM:detachGroupPolicy,IAM:attachUserPolicy,IAM:detachUserPolicy,IAM:putUserPolicy'], + realtime_triggers: ['IAM:AddUserToGroup,IAM:RemoveUserFromGroup,IAM:AttachGroupPolicy,IAM:DetachGroupPolicy,IAM:AttachUserPolicy,IAM:DetachUserPolicy,IAM:PutUserPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/maxPasswordAge.js b/plugins/aws/iam/maxPasswordAge.js index e8d662f229..f7e88aa1ce 100644 --- a/plugins/aws/iam/maxPasswordAge.js +++ b/plugins/aws/iam/maxPasswordAge.js @@ -58,7 +58,7 @@ module.exports = { } ] }, - realtime_triggers: ['IAM:updateAccountPasswordPolicy'], + realtime_triggers: ['IAM:UpdateAccountPasswordPolicy'], run: function(cache, settings, callback) { var config = { 
diff --git a/plugins/aws/iam/minPasswordLength.js b/plugins/aws/iam/minPasswordLength.js index a9a0f4f933..b6c6553b73 100644 --- a/plugins/aws/iam/minPasswordLength.js +++ b/plugins/aws/iam/minPasswordLength.js @@ -59,7 +59,7 @@ module.exports = { } ] }, - realtime_triggers: ['IAM:updateAccountPasswordPolicy'], + realtime_triggers: ['IAM:UpdateAccountPasswordPolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/noUserIamPolicies.js b/plugins/aws/iam/noUserIamPolicies.js index 4ed3bced74..cf944987f7 100644 --- a/plugins/aws/iam/noUserIamPolicies.js +++ b/plugins/aws/iam/noUserIamPolicies.js @@ -13,7 +13,7 @@ module.exports = { compliance: { cis1: '1.16 Ensure IAM policies are attached only to groups or roles' }, - realtime_triggers: ['IAM:attachUserPolicy,IAM:detachUserPolicy'], + realtime_triggers: ['IAM:AttachUserPolicy,IAM:DetachUserPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/passwordExpiration.js b/plugins/aws/iam/passwordExpiration.js index a024448deb..cd5a32334b 100644 --- a/plugins/aws/iam/passwordExpiration.js +++ b/plugins/aws/iam/passwordExpiration.js @@ -39,7 +39,7 @@ module.exports = { } ] }, - realtime_triggers: ['IAM:updateAccountPasswordPolicy'], + realtime_triggers: ['IAM:UpdateAccountPasswordPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/passwordPolicyExists.js b/plugins/aws/iam/passwordPolicyExists.js index 488c9d082a..a4e89f032f 100644 --- a/plugins/aws/iam/passwordPolicyExists.js +++ b/plugins/aws/iam/passwordPolicyExists.js 
@@ -9,7 +9,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html', recommended_action: 'Create a password policy under account settings in IAM', apis: ['IAM:getAccountPasswordPolicy'], - realtime_triggers: ['IAM:updateAccountPasswordPolicy'], + realtime_triggers: ['IAM:UpdateAccountPasswordPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/passwordRequiresLowercase.js b/plugins/aws/iam/passwordRequiresLowercase.js index 88a1e258e1..936bce03ff 100644 --- a/plugins/aws/iam/passwordRequiresLowercase.js +++ b/plugins/aws/iam/passwordRequiresLowercase.js @@ -27,7 +27,7 @@ module.exports = { 'requirements enforces this policy.', cis1: '1.6 Ensure IAM password policy require at least one lowercase letter' }, - realtime_triggers: ['IAM:updateAccountPasswordPolicy'], + realtime_triggers: ['IAM:UpdateAccountPasswordPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/passwordRequiresNumbers.js b/plugins/aws/iam/passwordRequiresNumbers.js index dcec0228d0..89eef9734a 100644 --- a/plugins/aws/iam/passwordRequiresNumbers.js +++ b/plugins/aws/iam/passwordRequiresNumbers.js @@ -27,7 +27,7 @@ module.exports = { 'requirements enforces this policy.', cis1: '1.8 Ensure IAM password policy require at least one number' }, - realtime_triggers: ['IAM:updateAccountPasswordPolicy'], + realtime_triggers: ['IAM:UpdateAccountPasswordPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/passwordRequiresSymbols.js b/plugins/aws/iam/passwordRequiresSymbols.js index e2f656068c..dd8ea144f3 100644 --- a/plugins/aws/iam/passwordRequiresSymbols.js +++ b/plugins/aws/iam/passwordRequiresSymbols.js 
@@ -27,7 +27,7 @@ module.exports = { 'requirements enforces this policy.', cis1: '1.7 Ensure IAM password policy require at least one symbol' }, - realtime_triggers: ['IAM:updateAccountPasswordPolicy'], + realtime_triggers: ['IAM:UpdateAccountPasswordPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/passwordRequiresUppercase.js b/plugins/aws/iam/passwordRequiresUppercase.js index 0ec0b9758c..5727d2bb2a 100644 --- a/plugins/aws/iam/passwordRequiresUppercase.js +++ b/plugins/aws/iam/passwordRequiresUppercase.js @@ -27,7 +27,7 @@ module.exports = { 'requirements enforces this policy.', cis1: '1.5 Ensure IAM password policy requires at least one uppercase letter' }, - realtime_triggers: ['IAM:updateAccountPasswordPolicy'], + realtime_triggers: ['IAM:UpdateAccountPasswordPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/passwordReusePrevention.js b/plugins/aws/iam/passwordReusePrevention.js index c38e947201..0dd25b5a1e 100644 --- a/plugins/aws/iam/passwordReusePrevention.js +++ b/plugins/aws/iam/passwordReusePrevention.js @@ -47,7 +47,7 @@ module.exports = { default: 24 } }, - realtime_triggers: ['IAM:updateAccountPasswordPolicy'], + realtime_triggers: ['IAM:UpdateAccountPasswordPolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/policyAllowsToChangePassword.js b/plugins/aws/iam/policyAllowsToChangePassword.js index 2d15150fdb..184889ef11 100644 --- a/plugins/aws/iam/policyAllowsToChangePassword.js +++ b/plugins/aws/iam/policyAllowsToChangePassword.js @@ -27,7 +27,7 @@ module.exports = { 'requirements enforces this policy.', cis1: '1.6 Ensure IAM password policy allows users to change their passwords' }, - realtime_triggers: ['IAM:updateAccountPasswordPolicy'], + realtime_triggers: ['IAM:UpdateAccountPasswordPolicy'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/iam/rolePolicyUnusedServices.js b/plugins/aws/iam/rolePolicyUnusedServices.js index f9951a21fc..d9066b098b 100644 --- a/plugins/aws/iam/rolePolicyUnusedServices.js +++ b/plugins/aws/iam/rolePolicyUnusedServices.js @@ -94,7 +94,7 @@ module.exports = { default: 'false' } }, - realtime_triggers: ['IAM:createPolicy,IAM:updatePolicy,IAM:putRolePolicy'], + realtime_triggers: ['IAM:CreatePolicy,IAM:UpdatePolicy,IAM:PutRolePolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/rootAccessKeys.js b/plugins/aws/iam/rootAccessKeys.js index d1bc1b7347..09cd7842df 100644 --- a/plugins/aws/iam/rootAccessKeys.js +++ b/plugins/aws/iam/rootAccessKeys.js @@ -16,7 +16,7 @@ module.exports = { 'should not be used.', cis1: '1.12 Ensure no root account access key exists' }, - realtime_triggers: ['IAM:createAccessKey,IAM:deleteAccessKey'], + realtime_triggers: ['IAM:CreateAccessKey,IAM:DeleteAccessKey'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/rootAccountInUse.js b/plugins/aws/iam/rootAccountInUse.js index 5353f8164e..5caef68f3b 100644 --- a/plugins/aws/iam/rootAccountInUse.js +++ b/plugins/aws/iam/rootAccountInUse.js @@ -27,7 +27,7 @@ module.exports = { default: 15 } }, - realtime_triggers: ['IAM:createUser'], + realtime_triggers: ['IAM:CreateUser'], run: function(cache, settings, callback) { this._run(cache, settings, callback, new Date()); diff --git a/plugins/aws/iam/rootHardwareMfa.js b/plugins/aws/iam/rootHardwareMfa.js index 5b449a376a..cb758af795 100644 --- a/plugins/aws/iam/rootHardwareMfa.js +++ b/plugins/aws/iam/rootHardwareMfa.js 
@@ -9,7 +9,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html', recommended_action: 'Enable a hardware MFA device for the root account and disable any virtual devices', apis: ['IAM:listVirtualMFADevices', 'IAM:getAccountSummary'], - realtime_triggers: ['IAM:enableMFADevice,IAM:deactivateMFADevice'], + realtime_triggers: ['IAM:EnableMFADevice,IAM:DeactivateMFADevice'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/rootMfaEnabled.js b/plugins/aws/iam/rootMfaEnabled.js index 01a403787e..8703c2f8ca 100644 --- a/plugins/aws/iam/rootMfaEnabled.js +++ b/plugins/aws/iam/rootMfaEnabled.js @@ -15,7 +15,7 @@ module.exports = { 'a safe location for use as backup for named IAM users.', cis1: '1.13 Ensure MFA is enabled for the "root" account' }, - realtime_triggers: ['IAM:enableMFADevice,IAM:deactivateMFADevice'], + realtime_triggers: ['IAM:EnableMFADevice,IAM:DeactivateMFADevice'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/rootSigningCertificate.js b/plugins/aws/iam/rootSigningCertificate.js index c968a08401..d9d2a7fa7a 100644 --- a/plugins/aws/iam/rootSigningCertificate.js +++ b/plugins/aws/iam/rootSigningCertificate.js @@ -15,7 +15,7 @@ module.exports = { 'since it is not tied to a specific user. The root signing keys ' + 'should not be used.' }, - realtime_triggers: ['IAM:deleteSigningCertificate'], + realtime_triggers: ['IAM:DeleteSigningCertificate'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/sshKeysRotated.js b/plugins/aws/iam/sshKeysRotated.js index 5b5b7e3cd7..4e2a979b5a 100644 --- a/plugins/aws/iam/sshKeysRotated.js +++ b/plugins/aws/iam/sshKeysRotated.js @@ -23,7 +23,7 @@ module.exports = { default: 180 } }, - realtime_triggers: ['IAM:uploadSSHPublicKey'], + realtime_triggers: ['IAM:UploadSSHPublicKey'], run: function(cache, settings, callback) { var config = { 
diff --git a/plugins/aws/iam/trustedCrossAccountRoles.js b/plugins/aws/iam/trustedCrossAccountRoles.js index a4211f4915..48808fb72c 100644 --- a/plugins/aws/iam/trustedCrossAccountRoles.js +++ b/plugins/aws/iam/trustedCrossAccountRoles.js @@ -30,7 +30,7 @@ module.exports = { default: 'false' } }, - realtime_triggers: ['IAM:createRole,IAM:updateAssumeRolePolicy,IAM:deleteRole'], + realtime_triggers: ['IAM:CreateRole,IAM:UpdateAssumeRolePolicy,IAM:DeleteRole'], run: function(cache, settings, callback) { var config= { diff --git a/plugins/aws/iam/usersMfaEnabled.js b/plugins/aws/iam/usersMfaEnabled.js index e6cf593c4b..9e281ba1df 100644 --- a/plugins/aws/iam/usersMfaEnabled.js +++ b/plugins/aws/iam/usersMfaEnabled.js @@ -31,7 +31,7 @@ module.exports = { } ] }, - realtime_triggers: ['IAM:enableMFADevice,IAM:deactivateMFADevice'], + realtime_triggers: ['IAM:EnableMFADevice,IAM:DeactivateMFADevice'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/usersPasswordAndKeys.js b/plugins/aws/iam/usersPasswordAndKeys.js index 1f8ff6286d..f097c97d72 100644 --- a/plugins/aws/iam/usersPasswordAndKeys.js +++ b/plugins/aws/iam/usersPasswordAndKeys.js @@ -18,7 +18,7 @@ module.exports = { default: '^.*$' } }, - realtime_triggers: ['IAM:createAccessKey,IAM:deleteAccessKey'], + realtime_triggers: ['IAM:CreateAccessKey,IAM:DeleteAccessKey'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/usersPasswordLastUsed.js b/plugins/aws/iam/usersPasswordLastUsed.js index a3bf2a4e03..13bbed2af9 100644 --- a/plugins/aws/iam/usersPasswordLastUsed.js +++ b/plugins/aws/iam/usersPasswordLastUsed.js @@ -32,7 +32,7 @@ module.exports = { default: 90 } }, - realtime_triggers: ['IAM:createUser,IAM:deleteUser'], + realtime_triggers: ['IAM:CreateUser,IAM:DeleteUser'], run: function(cache, settings, callback) { var config = { 
diff --git a/plugins/aws/imagebuilder/dockerfileTemplateEncrypted.js b/plugins/aws/imagebuilder/dockerfileTemplateEncrypted.js index 47d282a498..6fc8ca8676 100644 --- a/plugins/aws/imagebuilder/dockerfileTemplateEncrypted.js +++ b/plugins/aws/imagebuilder/dockerfileTemplateEncrypted.js @@ -20,7 +20,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['Imagebuilder:createContainerRecipe'], + realtime_triggers: ['Imagebuilder:CreateContainerRecipe'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/imagebuilder/enhancedMetadataEnabled.js b/plugins/aws/imagebuilder/enhancedMetadataEnabled.js index cfcf61f25d..749b97c770 100644 --- a/plugins/aws/imagebuilder/enhancedMetadataEnabled.js +++ b/plugins/aws/imagebuilder/enhancedMetadataEnabled.js @@ -11,7 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/imagebuilder/latest/userguide/start-build-image-pipeline.html', recommended_action: 'Enable enhanced metadata collection for image pipeline.', apis: ['Imagebuilder:listImagePipelines'], - realtime_triggers: ['Imagebuilder:createImagePipeline,Imagebuilder:updateImagePipeline'], + realtime_triggers: ['Imagebuilder:CreateImagePipeline,Imagebuilder:UpdateImagePipeline'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/imagebuilder/imageRecipeVolumeEncrypted.js b/plugins/aws/imagebuilder/imageRecipeVolumeEncrypted.js index ae4af17183..1adf301224 100644 --- a/plugins/aws/imagebuilder/imageRecipeVolumeEncrypted.js +++ b/plugins/aws/imagebuilder/imageRecipeVolumeEncrypted.js @@ -20,7 +20,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['Imagebuilder:createImageRecipe'], + realtime_triggers: ['Imagebuilder:CreateImageRecipe'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/imagebuilder/imgBuilderComponentsEncrypted.js b/plugins/aws/imagebuilder/imgBuilderComponentsEncrypted.js index 0da4cad8e8..5a7321912c 100644 
--- a/plugins/aws/imagebuilder/imgBuilderComponentsEncrypted.js +++ b/plugins/aws/imagebuilder/imgBuilderComponentsEncrypted.js @@ -20,7 +20,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['Imagebuilder:createComponent'], + realtime_triggers: ['Imagebuilder:CreateComponent'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/imagebuilder/infraConfigNotificationEnabled.js b/plugins/aws/imagebuilder/infraConfigNotificationEnabled.js index 58ac575b5a..0373cc995e 100644 --- a/plugins/aws/imagebuilder/infraConfigNotificationEnabled.js +++ b/plugins/aws/imagebuilder/infraConfigNotificationEnabled.js @@ -11,7 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/imagebuilder/latest/userguide/manage-infra-config.html', recommended_action: 'Enable SNS notification in EC2 Image Builder infrastructure configurations to get notified of any changes in the service.', apis: ['Imagebuilder:listInfrastructureConfigurations', 'Imagebuilder:getInfrastructureConfiguration'], - realtime_triggers: ['Imagebuilder:createInfrastructureConfiguration,Imagebuilder:updateInfrastructureConfiguration'], + realtime_triggers: ['Imagebuilder:CreateInfrastructureConfiguration,Imagebuilder:UpdateInfrastructureConfiguration'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iotsitewise/iotsitewiseDataEncrypted.js b/plugins/aws/iotsitewise/iotsitewiseDataEncrypted.js index fc1c72660f..0c51ec6dc5 100644 --- a/plugins/aws/iotsitewise/iotsitewiseDataEncrypted.js +++ b/plugins/aws/iotsitewise/iotsitewiseDataEncrypted.js @@ -19,7 +19,7 @@ module.exports = { default: 'awscmk', } }, - realtime_triggers: ['Imagebuilder:putDefaultEncryptionConfiguration'], + realtime_triggers: ['Imagebuilder:PutDefaultEncryptionConfiguration'], run: function(cache, settings, callback) { var results = []; 
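Review bot: The iotsitewiseDataEncrypted.js hunk keeps the `Imagebuilder:` service prefix on `PutDefaultEncryptionConfiguration`, which is an IoT SiteWise API rather than an EC2 Image Builder one; the recase preserved what looks like a copy-paste from the Image Builder plugins directly above it. The trigger should carry the same service key this plugin uses in its `apis` list (outside the hunk), presumably `realtime_triggers: ['IoTSiteWise:PutDefaultEncryptionConfiguration'],`. As written, a change to the SiteWise encryption configuration presumably would not re-run this check.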
diff --git a/plugins/aws/kendra/kendraIndexEncrypted.js b/plugins/aws/kendra/kendraIndexEncrypted.js index a3c9dcc4ed..ecad5d974b 100644 --- a/plugins/aws/kendra/kendraIndexEncrypted.js +++ b/plugins/aws/kendra/kendraIndexEncrypted.js @@ -18,7 +18,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['Kendra:createIndex,Kendra:updateIndex'], + realtime_triggers: ['Kendra:CreateIndex,Kendra:UpdateIndex'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/kinesis/kinesisDataStreamsEncrypted.js b/plugins/aws/kinesis/kinesisDataStreamsEncrypted.js index 926b04f5e3..aaad913ab2 100644 --- a/plugins/aws/kinesis/kinesisDataStreamsEncrypted.js +++ b/plugins/aws/kinesis/kinesisDataStreamsEncrypted.js @@ -20,7 +20,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['Kinesis:createStream,Kinesis:startStreamEncryption'], + realtime_triggers: ['Kinesis:CreateStream,Kinesis:StartStreamEncryption'], run: function(cache, settings, callback) { diff --git a/plugins/aws/kinesisvideo/videostreamDataEncrypted.js b/plugins/aws/kinesisvideo/videostreamDataEncrypted.js index 66cd533d2f..5da384d1ea 100644 --- a/plugins/aws/kinesisvideo/videostreamDataEncrypted.js +++ b/plugins/aws/kinesisvideo/videostreamDataEncrypted.js @@ -19,7 +19,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['KinesisVideo:CreateStream', 'KinesisVideo:updateStream'], + realtime_triggers: ['KinesisVideo:CreateStream', 'KinesisVideo:UpdateStream'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/kms/kmsAppTierCmk.js b/plugins/aws/kms/kmsAppTierCmk.js index 584dfb417d..a5d8530a85 100644 --- a/plugins/aws/kms/kmsAppTierCmk.js +++ b/plugins/aws/kms/kmsAppTierCmk.js @@ -18,7 +18,7 @@ module.exports = { default: '' }, }, - realtime_triggers: ['KMS:createKey,KMS:tagResource'], + realtime_triggers: ['KMS:CreateKey,KMS:TagResource'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/kms/kmsDefaultKeyUsage.js b/plugins/aws/kms/kmsDefaultKeyUsage.js index 910e333ee9..4f505fb396 100644 --- a/plugins/aws/kms/kmsDefaultKeyUsage.js +++ b/plugins/aws/kms/kmsDefaultKeyUsage.js @@ -20,7 +20,7 @@ module.exports = { 'passwords, it is still strongly encouraged to use a ' + 'customer-provided CMK rather than the default KMS key.' }, - realtime_triggers: ['CloudTrail:createTrail,CloudTrail:updateTrail,EC2:createVolume,ElasticTranscoder:updatePipeline,ElasticTranscoder:createPipeline,RDS:createDBInstance,RDS:modifyDBInstance,Redshift:createCluster,Redshift:modifyCluster,S3:createBucket,S3:putBucketEncryption,SES:createReceiptRule,SES:updateReceiptRule,Workspaces:createWorkspaces,Lambda:updateFunctionConfiguration,Lambda:createFunction,CloudWatchLogs:createLogGroup,CloudWatchLogs:associateKmsKey,EFS:createFileSystem'], + realtime_triggers: ['CloudTrail:CreateTrail,CloudTrail:UpdateTrail,EC2:CreateVolume,ElasticTranscoder:UpdatePipeline,ElasticTranscoder:CreatePipeline,RDS:CreateDBInstance,RDS:ModifyDBInstance,Redshift:CreateCluster,Redshift:ModifyCluster,S3:CreateBucket,S3:PutBucketEncryption,SES:CreateReceiptRule,SES:UpdateReceiptRule,Workspaces:CreateWorkspaces,Lambda:UpdateFunctionConfiguration,Lambda:CreateFunction,CloudWatchLogs:CreateLogGroup,CloudWatchLogs:AssociateKmsKey,EFS:CreateFileSystem'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/kms/kmsDuplicateGrants.js b/plugins/aws/kms/kmsDuplicateGrants.js index f0cf55100d..0f592618d8 100644 --- a/plugins/aws/kms/kmsDuplicateGrants.js +++ b/plugins/aws/kms/kmsDuplicateGrants.js 
@@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Delete duplicate grants for AWS KMS keys', link: 'https://docs.aws.amazon.com/kms/latest/developerguide/grants.html', apis: ['KMS:listKeys', 'KMS:listGrants', 'KMS:describeKey'], - realtime_triggers: ['KMS:createKey,KMS:revokeGrant'], + realtime_triggers: ['KMS:CreateKey,KMS:RevokeGrant'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/kms/kmsGrantLeastPrivilege.js b/plugins/aws/kms/kmsGrantLeastPrivilege.js index 5712788c40..c2faebb5ea 100644 --- a/plugins/aws/kms/kmsGrantLeastPrivilege.js +++ b/plugins/aws/kms/kmsGrantLeastPrivilege.js @@ -9,7 +9,7 @@ module.exports = { recommended_action: 'Create KMS grants with minimum permission required', link: 'https://docs.aws.amazon.com/kms/latest/developerguide/grants.html', apis: ['KMS:listKeys', 'KMS:listGrants', 'KMS:describeKey'], - realtime_triggers: ['KMS:createKey,KMS:createGrant'], + realtime_triggers: ['KMS:CreateKey,KMS:CreateGrant'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/kms/kmsKeyPolicy.js b/plugins/aws/kms/kmsKeyPolicy.js index f97d38e14e..82d3f9e2cf 100644 --- a/plugins/aws/kms/kmsKeyPolicy.js +++ b/plugins/aws/kms/kmsKeyPolicy.js @@ -57,7 +57,7 @@ module.exports = { default: 'false' }, }, - realtime_triggers: ['KMS:createKey,KMS:putKeyPolicy'], + realtime_triggers: ['KMS:CreateKey,KMS:PutKeyPolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/kms/kmsKeyRotation.js b/plugins/aws/kms/kmsKeyRotation.js index ab2c69dff1..700c97a9f4 100644 --- a/plugins/aws/kms/kmsKeyRotation.js +++ b/plugins/aws/kms/kmsKeyRotation.js @@ -25,7 +25,7 @@ module.exports = { default: 'aqua-cspm' } }, - realtime_triggers: ['KMS:createKey,KMS:enableKeyRotation'], + realtime_triggers: ['KMS:CreateKey,KMS:EnableKeyRotation'], run: function(cache, settings, callback) { var results = []; 
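Review bot: The kmsDuplicateGrants.js hunk lists `KMS:CreateKey` and `KMS:RevokeGrant` as triggers but not `KMS:CreateGrant`, and a duplicate grant only comes into existence through CreateGrant, so the event most likely to make a key fail this check would not re-run it. The kmsKeyRotation.js hunk on this line has the same gap: it triggers on `KMS:EnableKeyRotation` but not `KMS:DisableKeyRotation`, the transition that actually makes a key non-compliant. In the file's current format the lists would read `realtime_triggers: ['KMS:CreateKey,KMS:CreateGrant,KMS:RevokeGrant'],` and `realtime_triggers: ['KMS:CreateKey,KMS:EnableKeyRotation,KMS:DisableKeyRotation'],`. How the triggers are consumed is outside this diff, so the impact is inferred.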
diff --git a/plugins/aws/kms/kmsScheduledDeletion.js b/plugins/aws/kms/kmsScheduledDeletion.js index a0bfe72237..4668d113c0 100644 --- a/plugins/aws/kms/kmsScheduledDeletion.js +++ b/plugins/aws/kms/kmsScheduledDeletion.js @@ -22,7 +22,7 @@ module.exports = { } ] }, - realtime_triggers: ['KMS:scheduleKeyDeletion,KMS:cancelKeyDeletion'], + realtime_triggers: ['KMS:ScheduleKeyDeletion,KMS:CancelKeyDeletion'], run: function(cache, settings, callback) { var results = []; From 8d75b6c7c88cbbf256b3eb6fc1c5961fc09b861e Mon Sep 17 00:00:00 2001 
From: --global Date: Thu, 14 Sep 2023 17:29:10 +0500 Subject: [PATCH 010/498] added tiggers for s annd t --- plugins/aws/s3/bucketAllUsersAcl.js | 2 +- plugins/aws/s3/bucketAllUsersPolicy.js | 2 +- plugins/aws/s3/bucketDnsCompliantName.js | 1 + plugins/aws/s3/bucketEncryption.js | 2 +- plugins/aws/s3/bucketEnforceEncryption.js | 1 + plugins/aws/s3/bucketLifecycleConfiguration.js | 1 + plugins/aws/s3/bucketLogging.js | 2 ++ plugins/aws/s3/bucketMFADeleteEnabled.js | 1 + plugins/aws/s3/bucketPolicyCloudFrontOac.js | 1 + plugins/aws/s3/bucketPolicyCloudFrontOai.js | 1 + plugins/aws/s3/bucketPublicAccessBlock.js | 1 + plugins/aws/s3/bucketSecureTransportEnabled.js | 1 + plugins/aws/s3/bucketTransferAcceleration.js | 1 + plugins/aws/s3/bucketWebsiteEnabled.js | 1 + plugins/aws/s3/objectLevelReadEventLogging.js | 1 + plugins/aws/s3/objectLevelWriteEventLogging.js | 1 + plugins/aws/s3/s3BucketHasTags.js | 2 ++ plugins/aws/s3/s3Encryption.js | 1 + plugins/aws/s3/versionedBucketsLC.js | 1 + plugins/aws/s3glacier/vaultPublicAccess.js | 1 + plugins/aws/sagemaker/notebookDataEncrypted.js | 1 + plugins/aws/sagemaker/notebookDirectInternetAccess.js | 1 + plugins/aws/sagemaker/notebookInstanceInVpc.js | 1 + plugins/aws/secretsmanager/secretHasTags.js | 1 + plugins/aws/secretsmanager/secretRotationEnabled.js | 1 + plugins/aws/secretsmanager/secretsManagerEncrypted.js | 1 + plugins/aws/secretsmanager/secretsManagerInUse.js | 1 + plugins/aws/securityhub/securityHubEnabled.js | 1 + plugins/aws/ses/dkimEnabled.js | 1 + plugins/aws/ses/emailMessagesEncrypted.js | 1 + plugins/aws/shield/shieldAdvancedEnabled.js | 1 + plugins/aws/shield/shieldEmergencyContacts.js | 1 + plugins/aws/shield/shieldProtections.js | 1 + plugins/aws/sns/snsCrossAccount.js | 1 + plugins/aws/sns/snsSubscriptionHTTPSonly.js | 1 + plugins/aws/sns/snsTopicHasTags.js | 1 + plugins/aws/sns/snsTopicNoHttpPolicy.js | 1 + plugins/aws/sns/snsValidSubscribers.js | 1 + plugins/aws/sns/topicCmkEncrypted.js | 1 + 
plugins/aws/sns/topicPolicies.js | 1 + plugins/aws/sqs/queueUnprocessedMessages.js | 1 + plugins/aws/sqs/sqsCrossAccount.js | 1 + plugins/aws/sqs/sqsDeadLetterQueue.js | 1 + plugins/aws/sqs/sqsEncryptionEnabled.js | 1 + plugins/aws/sqs/sqsPublicAccess.js | 1 + plugins/aws/ssm/ssmActiveOnAllInstances.js | 1 + plugins/aws/ssm/ssmAgentAutoUpdateEnabled.js | 1 + plugins/aws/ssm/ssmAgentLatestVersion.js | 1 + plugins/aws/ssm/ssmDocumentPublicAccess.js | 1 + plugins/aws/ssm/ssmEncryptedParameters.js | 1 + plugins/aws/ssm/ssmManagedInstances.js | 2 ++ plugins/aws/ssm/ssmSessionDuration.js | 1 + plugins/aws/timestreamwrite/timestreamDatabaseEncrypted.js | 1 + plugins/aws/transfer/transferLoggingEnabled.js | 1 + plugins/aws/transfer/transferPrivateLinkInUse.js | 1 + plugins/aws/translate/translateJobOutputEncrypted.js | 1 + 56 files changed, 59 insertions(+), 3 deletions(-) diff --git a/plugins/aws/s3/bucketAllUsersAcl.js b/plugins/aws/s3/bucketAllUsersAcl.js index 5595957b3f..b0a0173007 100644 --- a/plugins/aws/s3/bucketAllUsersAcl.js +++ b/plugins/aws/s3/bucketAllUsersAcl.js @@ -28,7 +28,7 @@ module.exports = { remediate: ['s3:PutBucketAcl'], rollback: ['s3:PutBucketAcl'] }, - realtime_triggers: [], + realtime_triggers: ['s3:PutBucketAcl', 's3:CreateBucket'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/s3/bucketAllUsersPolicy.js b/plugins/aws/s3/bucketAllUsersPolicy.js index 7e8a1c4965..57c7938990 100644 --- a/plugins/aws/s3/bucketAllUsersPolicy.js +++ b/plugins/aws/s3/bucketAllUsersPolicy.js @@ -25,7 +25,7 @@ module.exports = { remediate: ['s3:DeleteBucketPolicy'], rollback: ['s3:PutBucketPolicy'] }, - realtime_triggers: [], + realtime_triggers: ['s3:CreateBucket', 's3:PutBucketPolicy', 's3:DeleteBucketPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/s3/bucketDnsCompliantName.js b/plugins/aws/s3/bucketDnsCompliantName.js index 8db1e0ed00..c4475abb71 100644 
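Review bot: The new trigger list in the bucketAllUsersAcl.js hunk uses a lowercase service prefix (`'s3:PutBucketAcl'`), whereas the IAM, KMS and Imagebuilder plugins recased in the preceding commit use `IAM:`/`KMS:`/`Imagebuilder:`, and the `apis` lists visible on the next line use `S3:`. The pre-existing bucketEncryption.js entries already used lowercase `s3:`, so the series now contains both conventions; if the consumer compares the service part case-sensitively, one of them will silently never match. This applies to every `s3:`/`cloudfront:` entry added in this commit, so the casing is worth settling once for the whole series. The matching code is outside this diff, so the impact is inferred.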
--- a/plugins/aws/s3/bucketDnsCompliantName.js +++ b/plugins/aws/s3/bucketDnsCompliantName.js @@ -9,6 +9,7 @@ module.exports = { recommended_action: 'Recreate S3 bucket to use "-" instead of "." in S3 bucket names.', link: 'https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html', apis: ['S3:listBuckets', 'S3:getBucketLocation'], + realtime_triggers: ['s3:CreateBucket'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/s3/bucketEncryption.js b/plugins/aws/s3/bucketEncryption.js index b3f64b8dd6..d6de100aa3 100644 --- a/plugins/aws/s3/bucketEncryption.js +++ b/plugins/aws/s3/bucketEncryption.js @@ -30,7 +30,7 @@ module.exports = { required: false } }, - realtime_triggers: ['s3:DeleteBucketEncryption', 's3:CreateBucket'], + realtime_triggers: ['s3:DeleteBucketEncryption', 's3:CreateBucket', 's3:putBucketEncryption'], settings: { s3_encryption_require_cmk: { name: 'S3 Encryption Require CMK', diff --git a/plugins/aws/s3/bucketEnforceEncryption.js b/plugins/aws/s3/bucketEnforceEncryption.js index 026d06c234..3b6f44ac9e 100644 --- a/plugins/aws/s3/bucketEnforceEncryption.js +++ b/plugins/aws/s3/bucketEnforceEncryption.js @@ -23,6 +23,7 @@ module.exports = { default: '' } }, + realtime_triggers: ['s3:CreateBucket' , 's3:PutBucketPolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/s3/bucketLifecycleConfiguration.js b/plugins/aws/s3/bucketLifecycleConfiguration.js index 64bbd62c38..b38fe70eda 100644 --- a/plugins/aws/s3/bucketLifecycleConfiguration.js +++ b/plugins/aws/s3/bucketLifecycleConfiguration.js 
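Review bot: The added `'s3:putBucketEncryption'` in the bucketEncryption.js hunk is the only entry in this commit whose action name starts lowercase; every other new trigger, and the two pre-existing entries on the same line, use the API's PascalCase name, so it should read `'s3:PutBucketEncryption'`. Two entries on the next line have the same kind of name mismatch: bucketLifecycleConfiguration.js uses `'s3:PutBucketLifeCycleConfiguration'` where the S3 action is `PutBucketLifecycleConfiguration` (lowercase c), and bucketMFADeleteEnabled.js uses `'s3:PutBucketVersionning'` where the action is `PutBucketVersioning`. With a case-sensitive match none of the three would ever fire, and the diffstat shows no spec change that would catch a misspelled trigger.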
@@ -10,6 +10,7 @@ module.exports = {
recommended_action: 'Update S3 bucket and create lifecycle rule configuration',
link: 'https://docs.aws.amazon.com/AmazonS3/latest/dev/how-to-set-lifecycle-configuration-intro.html',
apis: ['S3:listBuckets', 'S3:getBucketLifecycleConfiguration', 'S3:getBucketLocation'],
+ realtime_triggers: ['s3:CreateBucket', 's3:PutBucketLifeCycleConfiguration'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/s3/bucketLogging.js b/plugins/aws/s3/bucketLogging.js
index bf6b8fe81f..1fe3aee722 100644
--- a/plugins/aws/s3/bucketLogging.js
+++ b/plugins/aws/s3/bucketLogging.js
@@ -31,6 +31,8 @@ module.exports = {
}
]
},
+ realtime_triggers: ['s3:CreateBucket','s3:PutBucketLogging'],
+
run: function(cache, settings, callback) {
var results = [];
var source = {};
diff --git a/plugins/aws/s3/bucketMFADeleteEnabled.js b/plugins/aws/s3/bucketMFADeleteEnabled.js
index 33b0a9e687..25b78a7b6c 100644
--- a/plugins/aws/s3/bucketMFADeleteEnabled.js
+++ b/plugins/aws/s3/bucketMFADeleteEnabled.js
@@ -22,6 +22,7 @@ module.exports = {
default: '',
}
},
+ realtime_triggers: ['s3:CreateBucket', 's3:PutBucketVersionning'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/s3/bucketPolicyCloudFrontOac.js b/plugins/aws/s3/bucketPolicyCloudFrontOac.js
index 4818ad1d49..a8678c9921 100644
--- a/plugins/aws/s3/bucketPolicyCloudFrontOac.js
+++ b/plugins/aws/s3/bucketPolicyCloudFrontOac.js
@@ -16,6 +16,7 @@ module.exports = {
'If an S3 bucket backing a CloudFront distribution does not require the end ' +
'user to access the contents through CloudFront, this policy may be violated.'
},
+ realtime_triggers: ['s3:CreateBucket', 'cloudfront:CreateDistribution', 'cloudfront:UpdateDistribution', 's3:PutBucketPolicy', 's3:DeleteBucketPolicy'],
run: function(cache, settings, callback) {
var results = [];
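Review bot: Two of the trigger names added here are misspelled and will never match a CloudTrail event: bucketLifecycleConfiguration.js uses `'s3:PutBucketLifeCycleConfiguration'` (the API is `PutBucketLifecycleConfiguration`, lower-case c) and bucketMFADeleteEnabled.js uses `'s3:PutBucketVersionning'` (double n; the API is `PutBucketVersioning`). Because these strings are only ever compared, a misspelling fails silently — the plugin simply is not re-evaluated on the event it is meant to watch — so a fixture test that validates every `realtime_triggers` entry against a known list of event names would catch this whole class of error. Suggested lines: `realtime_triggers: ['s3:CreateBucket', 's3:PutBucketLifecycleConfiguration'],` and `realtime_triggers: ['s3:CreateBucket', 's3:PutBucketVersioning'],`. The enclosing `module.exports` object starts and ends outside each hunk.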
diff --git a/plugins/aws/s3/bucketPolicyCloudFrontOai.js b/plugins/aws/s3/bucketPolicyCloudFrontOai.js
index b9657453bc..6c3e620ff6 100644
--- a/plugins/aws/s3/bucketPolicyCloudFrontOai.js
+++ b/plugins/aws/s3/bucketPolicyCloudFrontOai.js
@@ -16,6 +16,7 @@ module.exports = {
'If an S3 bucket backing a CloudFront distribution does not require the end ' +
'user to access the contents through CloudFront, this policy may be violated.'
},
+ realtime_triggers: ['s3:CreateBucket', 'cloudfront:CreateDistribution', 'cloudfront:UpdateDistribution', 's3:PutBucketPolicy', 's3:DeleteBucketPolicy'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/s3/bucketPublicAccessBlock.js b/plugins/aws/s3/bucketPublicAccessBlock.js
index e4088bfeb4..a166fe65f0 100644
--- a/plugins/aws/s3/bucketPublicAccessBlock.js
+++ b/plugins/aws/s3/bucketPublicAccessBlock.js
@@ -23,6 +23,7 @@ module.exports = {
default: 'false'
}
},
+ realtime_triggers: ['s3:CreateBucket', 's3:PutPublicAccessBlock'],
run: function(cache, settings, callback) {
var config = {
diff --git a/plugins/aws/s3/bucketSecureTransportEnabled.js b/plugins/aws/s3/bucketSecureTransportEnabled.js
index e29674693c..6cc102095c 100644
--- a/plugins/aws/s3/bucketSecureTransportEnabled.js
+++ b/plugins/aws/s3/bucketSecureTransportEnabled.js
@@ -10,6 +10,7 @@ module.exports = {
recommended_action: 'Update S3 bucket policy to enforse SSL to secure data in transit.',
link: 'https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/',
apis: ['S3:listBuckets', 'S3:getBucketPolicy', 'S3:getBucketLocation'],
+ realtime_triggers: ['s3:CreateBucket', 's3:PutBucketPolicy'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/s3/bucketTransferAcceleration.js b/plugins/aws/s3/bucketTransferAcceleration.js
index 6c3931dc57..d04ee027df 100644
--- a/plugins/aws/s3/bucketTransferAcceleration.js
+++ b/plugins/aws/s3/bucketTransferAcceleration.js
@@ -9,6 +9,7 @@ module.exports = {
recommended_action: 'Modify S3 bucket to enable transfer acceleration.',
link: 'https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html',
apis: ['S3:listBuckets', 'S3:getBucketAccelerateConfiguration', 'S3:getBucketLocation'],
+ realtime_triggers: ['s3:CreateBucket', 's3:PutBucketAccelerateConfiguration'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/s3/bucketWebsiteEnabled.js b/plugins/aws/s3/bucketWebsiteEnabled.js
index 61bdc32fea..cc808137dd 100644
--- a/plugins/aws/s3/bucketWebsiteEnabled.js
+++ b/plugins/aws/s3/bucketWebsiteEnabled.js
@@ -17,6 +17,7 @@ module.exports = {
default: 'false'
}
},
+ realtime_triggers: ['s3:CreateBucket', 's3:PutBucketWebsite', 's3:DeleteBucketWebsite'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/s3/objectLevelReadEventLogging.js b/plugins/aws/s3/objectLevelReadEventLogging.js
index cfaca79b4d..07f5903a87 100644
--- a/plugins/aws/s3/objectLevelReadEventLogging.js
+++ b/plugins/aws/s3/objectLevelReadEventLogging.js
@@ -9,6 +9,7 @@ module.exports = {
recommended_action: 'Enable object level logging for read events for each S3 bucket.',
link: 'https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html#enable-cloudtrail-events',
apis: ['S3:listBuckets', 'CloudTrail:describeTrails', 'CloudTrail:getEventSelectors', 'S3:getBucketLocation'],
+ realtime_triggers: ['s3:CreateBucket', 'cloudtrail:CreateTrail', 'cloudtrail:PutEventSelectors', 'cloudtrail:PutInsightSelectors'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/s3/objectLevelWriteEventLogging.js b/plugins/aws/s3/objectLevelWriteEventLogging.js
index d9b6b6635c..8da32a9a8f 100644
--- a/plugins/aws/s3/objectLevelWriteEventLogging.js
+++ b/plugins/aws/s3/objectLevelWriteEventLogging.js
@@ -9,6 +9,7 @@ module.exports = {
recommended_action: 'Enable object level logging for Write events for each S3 bucket.',
link: 'https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html#enable-cloudtrail-events.',
apis: ['S3:listBuckets', 'CloudTrail:describeTrails', 'CloudTrail:getEventSelectors', 'S3:getBucketLocation'],
+ realtime_triggers: ['s3:CreateBucket', 'cloudtrail:CreateTrail', 'cloudtrail:PutEventSelectors', 'cloudtrail:PutInsightSelectors'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/s3/s3BucketHasTags.js b/plugins/aws/s3/s3BucketHasTags.js
index 276edd2307..b14f02bbdd 100644
--- a/plugins/aws/s3/s3BucketHasTags.js
+++ b/plugins/aws/s3/s3BucketHasTags.js
@@ -10,6 +10,8 @@ module.exports = {
recommended_action: 'Modify S3 buckets and add tags.',
link: 'https://docs.aws.amazon.com/AmazonS3/latest/userguide/CostAllocTagging.html',
apis: ['S3:listBuckets', 'ResourceGroupsTaggingAPI:getResources', 'S3:getBucketLocation'],
+ realtime_triggers: ['s3:CreateBucket', 's3:PutBucketTagging'],
+
run: function(cache, settings, callback) {
var results = [];
var source = {};
diff --git a/plugins/aws/s3/s3Encryption.js b/plugins/aws/s3/s3Encryption.js
index f0bcab3541..98fa92069f 100644
--- a/plugins/aws/s3/s3Encryption.js
+++ b/plugins/aws/s3/s3Encryption.js
@@ -70,6 +70,7 @@ module.exports = {
default: 'false',
}
},
+ realtime_triggers: ['s3:CreateBucket', 's3:putBucketEncryption'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/s3/versionedBucketsLC.js b/plugins/aws/s3/versionedBucketsLC.js
index 98b14a7916..4d07a113cd 100644
--- a/plugins/aws/s3/versionedBucketsLC.js
+++ b/plugins/aws/s3/versionedBucketsLC.js
@@ -10,6 +10,7 @@ module.exports = {
recommended_action: 'Configure lifecycle rules for buckets which have versioning enabled',
link: 'https://docs.aws.amazon.com/AmazonS3/latest/dev/how-to-set-lifecycle-configuration-intro.html',
apis: ['S3:listBuckets', 'S3:getBucketVersioning', 'S3:getBucketLocation', 'S3:getBucketLifecycleConfiguration'],
+ realtime_triggers: ['s3:CreateBucket', 's3:PutBucketVersioninng', 's3:putBucketLifecycleConfiguration'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/s3glacier/vaultPublicAccess.js b/plugins/aws/s3glacier/vaultPublicAccess.js
index 32f7ebcc33..6f3ca4dd6f 100644
--- a/plugins/aws/s3glacier/vaultPublicAccess.js
+++ b/plugins/aws/s3glacier/vaultPublicAccess.js
@@ -17,6 +17,7 @@ module.exports = {
default: 'aws:PrincipalArn,aws:PrincipalAccount,aws:PrincipalOrgID,aws:SourceOwner,aws:SourceArn,aws:SourceAccount'
}
},
+ realtime_triggers: ['glacier:CreateVault', 'glacier:SetVaultAccessPolicy'],
run: function(cache, settings, callback) {
const results = [];
diff --git a/plugins/aws/sagemaker/notebookDataEncrypted.js b/plugins/aws/sagemaker/notebookDataEncrypted.js
index 69c69ad143..2340188773 100644
--- a/plugins/aws/sagemaker/notebookDataEncrypted.js
+++ b/plugins/aws/sagemaker/notebookDataEncrypted.js
@@ -15,6 +15,7 @@ module.exports = {
'data at rest. SageMaker encryption ensures Notebook data is ' +
'encrypted at rest.'
},
+ realtime_triggers: ['sagemaker:CreateNotebookInstance'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/sagemaker/notebookDirectInternetAccess.js b/plugins/aws/sagemaker/notebookDirectInternetAccess.js
index 3322537a1d..3cdcdbc177 100644
--- a/plugins/aws/sagemaker/notebookDirectInternetAccess.js
+++ b/plugins/aws/sagemaker/notebookDirectInternetAccess.js
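Review bot: `'s3:PutBucketVersioninng'` in versionedBucketsLC.js is misspelled (extra n) and `'s3:putBucketLifecycleConfiguration'` beside it is lower-camel-cased, so neither entry will match the CloudTrail event names `PutBucketVersioning` and `PutBucketLifecycleConfiguration`; a plugin whose whole purpose is lifecycle rules on versioned buckets would then never be re-evaluated when versioning or lifecycle settings change, leaving only `CreateBucket` as a working trigger. Suggested line: `realtime_triggers: ['s3:CreateBucket', 's3:PutBucketVersioning', 's3:PutBucketLifecycleConfiguration'],`. The enclosing `module.exports` object starts and ends outside the hunk.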
@@ -10,6 +10,7 @@ module.exports = {
recommended_action: 'Disable DirectInternetAccess for each SageMaker notebook.',
link: 'https://docs.aws.amazon.com/sagemaker/latest/dg/appendix-additional-considerations.html#appendix-notebook-and-internet-access',
apis: ['SageMaker:listNotebookInstances'],
+ realtime_triggers: ['sagemaker:CreateNotebookInstance', 'sagemaker:UpdateNootbookInstance'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/sagemaker/notebookInstanceInVpc.js b/plugins/aws/sagemaker/notebookInstanceInVpc.js
index 6771608569..971ff854f5 100644
--- a/plugins/aws/sagemaker/notebookInstanceInVpc.js
+++ b/plugins/aws/sagemaker/notebookInstanceInVpc.js
@@ -18,6 +18,7 @@ module.exports = {
'segmentation criteria for PCI. Ensure all instances are launched ' +
'within a VPC to comply with isolation requirements.'
},
+ realtime_triggers: ['sagemaker:CreateNotebookInstance'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/secretsmanager/secretHasTags.js b/plugins/aws/secretsmanager/secretHasTags.js
index 5044009c58..ff914f1bdf 100644
--- a/plugins/aws/secretsmanager/secretHasTags.js
+++ b/plugins/aws/secretsmanager/secretHasTags.js
@@ -10,6 +10,7 @@ module.exports = {
recommended_action: 'Update Secrets and add tags.',
apis: ['SecretsManager:listSecrets'],
link: 'https://docs.aws.amazon.com/secretsmanager/latest/userguide/managing-secrets_tagging.html',
+ realtime_triggers: ['secretesmanager:CreateSecret', 'secretesmanager:TagResource', 'secretesmanager:UntagResource'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/secretsmanager/secretRotationEnabled.js b/plugins/aws/secretsmanager/secretRotationEnabled.js
index c8a5a64f63..828e97115a 100644
--- a/plugins/aws/secretsmanager/secretRotationEnabled.js
+++ b/plugins/aws/secretsmanager/secretRotationEnabled.js
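Review bot: `'sagemaker:UpdateNootbookInstance'` in notebookDirectInternetAccess.js is misspelled (the API is `UpdateNotebookInstance`), so the check will not re-run when direct internet access is toggled on an existing notebook — which is exactly the change this plugin exists to catch. In secretHasTags.js every trigger uses the service prefix `secretesmanager` instead of `secretsmanager`; the same wrong prefix is used in the secretRotationEnabled.js, secretsManagerEncrypted.js and secretsManagerInUse.js hunks that follow, and secretRotationEnabled.js even mixes `'secretesmanager:RotateSecret'` with `'secretsmanager:CancelRotateSecret'` in one array, which confirms it is a typo rather than a convention. Suggested line for secretHasTags.js: `realtime_triggers: ['secretsmanager:CreateSecret', 'secretsmanager:TagResource', 'secretsmanager:UntagResource'],`. The enclosing `module.exports` object starts and ends outside each of these hunks.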
@@ -18,6 +18,7 @@ module.exports = {
default: '40',
}
},
+ realtime_triggers: ['secretesmanager:CreateSecret', 'secretesmanager:RotateSecret', 'secretsmanager:CancelRotateSecret'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/secretsmanager/secretsManagerEncrypted.js b/plugins/aws/secretsmanager/secretsManagerEncrypted.js
index 2e9d10ec23..eef7a25112 100644
--- a/plugins/aws/secretsmanager/secretsManagerEncrypted.js
+++ b/plugins/aws/secretsmanager/secretsManagerEncrypted.js
@@ -28,6 +28,7 @@ module.exports = {
default: 'awskms',
}
},
+ realtime_triggers: ['secretesmanager:CreateSecret', 'secretesmanager:UpdateSecret'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/secretsmanager/secretsManagerInUse.js b/plugins/aws/secretsmanager/secretsManagerInUse.js
index 631741f5c0..b7795c54b4 100644
--- a/plugins/aws/secretsmanager/secretsManagerInUse.js
+++ b/plugins/aws/secretsmanager/secretsManagerInUse.js
@@ -10,6 +10,7 @@ module.exports = {
recommended_action: 'Use Secrets Manager service to store sensitive information in your AWS account.',
apis: ['SecretsManager:listSecrets'],
link: 'https://docs.aws.amazon.com/secretsmanager/latest/userguide/asm_access.html',
+ realtime_triggers: ['secretesmanager:CreateSecret', 'secretesmanager:DeleteSecret'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/securityhub/securityHubEnabled.js b/plugins/aws/securityhub/securityHubEnabled.js
index 783fa6167d..1d5c7ebf33 100644
--- a/plugins/aws/securityhub/securityHubEnabled.js
+++ b/plugins/aws/securityhub/securityHubEnabled.js
@@ -10,6 +10,7 @@ module.exports = {
link: 'https://aws.amazon.com/security-hub/',
recommended_action: 'Enable AWS Security Hub for enhanced security monitoring and compliance.',
apis: ['SecurityHub:describeHub'],
+ realtime_triggers: ['securityhub:EnableSecurityHub', 'securityhub:DisableSecurityHub'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/ses/dkimEnabled.js b/plugins/aws/ses/dkimEnabled.js
index 37cd717c3d..2cc2b0aaf9 100644
--- a/plugins/aws/ses/dkimEnabled.js
+++ b/plugins/aws/ses/dkimEnabled.js
@@ -10,6 +10,7 @@ module.exports = {
recommended_action: 'Enable DKIM for all domains and addresses in all regions used to send email through SES.',
link: 'http://docs.aws.amazon.com/ses/latest/DeveloperGuide/easy-dkim.html',
apis: ['SES:listIdentities', 'SES:getIdentityDkimAttributes', 'STS:getCallerIdentity'],
+ realtime_triggers: ['ses:CreateEmailIdentity','ses:SetIdentityDkimEnabled', 'ses:PutEmailIdentityDkimAttributes'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/ses/emailMessagesEncrypted.js b/plugins/aws/ses/emailMessagesEncrypted.js
index 54b4f3cd4e..3bf029a21c 100644
--- a/plugins/aws/ses/emailMessagesEncrypted.js
+++ b/plugins/aws/ses/emailMessagesEncrypted.js
@@ -18,6 +18,7 @@ module.exports = {
default: 'awscmk'
}
},
+ realtime_triggers: ['ses:CreateEmailIdentity','ses:SetActiveReceiptRuleSet'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/shield/shieldAdvancedEnabled.js b/plugins/aws/shield/shieldAdvancedEnabled.js
index d865063e5c..da607a6607 100644
--- a/plugins/aws/shield/shieldAdvancedEnabled.js
+++ b/plugins/aws/shield/shieldAdvancedEnabled.js
@@ -9,6 +9,7 @@ module.exports = {
recommended_action: 'Enable AWS Shield Advanced for the account.',
link: 'https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html#ddos-advanced',
apis: ['Shield:describeSubscription'],
+ realtime_triggers: ['shield:CreateSubscription', 'sheild:UpdateSubscription'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/shield/shieldEmergencyContacts.js b/plugins/aws/shield/shieldEmergencyContacts.js
index afd5f3b3d1..216bb66b7b 100644
--- a/plugins/aws/shield/shieldEmergencyContacts.js
+++ b/plugins/aws/shield/shieldEmergencyContacts.js
@@ -9,6 +9,7 @@ module.exports = {
recommended_action: 'Configure emergency contacts within AWS Shield for the account.',
link: 'https://docs.aws.amazon.com/waf/latest/developerguide/ddos-edit-drt.html',
apis: ['Shield:describeEmergencyContactSettings'],
+ realtime_triggers: ['shield:CreateSubscription','shield:UpdateEmergencyContactSettings'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/shield/shieldProtections.js b/plugins/aws/shield/shieldProtections.js
index 543af0d217..5b6108bb87 100644
--- a/plugins/aws/shield/shieldProtections.js
+++ b/plugins/aws/shield/shieldProtections.js
@@ -9,6 +9,7 @@ module.exports = {
recommended_action: 'Enable AWS Shield Advanced on resources within the account.',
link: 'https://docs.aws.amazon.com/waf/latest/developerguide/configure-new-protection.html',
apis: ['Shield:listProtections'],
+ realtime_triggers: ['shield:CreateProtection', 'sheild:DeleteProtection'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/sns/snsCrossAccount.js b/plugins/aws/sns/snsCrossAccount.js
index ec0a2082ee..16d1e9c700 100644
--- a/plugins/aws/sns/snsCrossAccount.js
+++ b/plugins/aws/sns/snsCrossAccount.js
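Review bot: `'sheild:UpdateSubscription'` in shieldAdvancedEnabled.js and `'sheild:DeleteProtection'` in shieldProtections.js transpose the service prefix; the sibling entries in the same arrays use `shield`, so these two triggers will never match and the plugins will miss a subscription change or a protection being removed — the latter is precisely the regression shieldProtections.js is meant to surface promptly. Suggested lines: `realtime_triggers: ['shield:CreateSubscription', 'shield:UpdateSubscription'],` and `realtime_triggers: ['shield:CreateProtection', 'shield:DeleteProtection'],`. The enclosing `module.exports` object starts and ends outside each hunk.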
@@ -30,6 +30,7 @@ module.exports = {
default: 'aws:PrincipalArn,aws:PrincipalAccount,aws:PrincipalOrgID,aws:SourceAccount,aws:SourceArn,aws:SourceOwner,sns:Endpoint'
},
},
+ realtime_triggers: ['sns:CreateTopic', 'sns:SetTopicAttributes'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/sns/snsSubscriptionHTTPSonly.js b/plugins/aws/sns/snsSubscriptionHTTPSonly.js
index 8dd4950ebd..210c12a8b6 100644
--- a/plugins/aws/sns/snsSubscriptionHTTPSonly.js
+++ b/plugins/aws/sns/snsSubscriptionHTTPSonly.js
@@ -10,6 +10,7 @@ module.exports = {
recommended_action: 'Create a new SNS subscription using HTTPS protocol.',
link: 'https://docs.aws.amazon.com/sns/latest/dg/sns-http-https-endpoint-as-subscriber.html',
apis: ['SNS:listSubscriptions'],
+ realtime_triggers: ['sns:Subscribe', 'sns:Unsubscribe'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/sns/snsTopicHasTags.js b/plugins/aws/sns/snsTopicHasTags.js
index 15dd93813f..7abc1b5850 100644
--- a/plugins/aws/sns/snsTopicHasTags.js
+++ b/plugins/aws/sns/snsTopicHasTags.js
@@ -10,6 +10,7 @@ module.exports = {
recommended_action: 'Modify SNS topic and add tags.',
link: 'https://docs.aws.amazon.com/sns/latest/dg/sns-tags.html',
apis: ['SNS:listTopics', 'ResourceGroupsTaggingAPI:getResources'],
+ realtime_triggers: ['sns:CreateTopic', 'sns:TagResource', 'sns:UntagResource'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/sns/snsTopicNoHttpPolicy.js b/plugins/aws/sns/snsTopicNoHttpPolicy.js
index ed0768a31c..13f9ce1640 100644
--- a/plugins/aws/sns/snsTopicNoHttpPolicy.js
+++ b/plugins/aws/sns/snsTopicNoHttpPolicy.js
@@ -10,6 +10,7 @@ module.exports = {
recommended_action: 'Adjust the topic policy to only allow authorized AWS users in known accounts to send or subscribe via the HTTP protocol.',
link: 'http://docs.aws.amazon.com/sns/latest/dg/AccessPolicyLanguage.html',
apis: ['SNS:listTopics', 'SNS:getTopicAttributes'],
+ realtime_triggers: ['sns:CreateTopic', 'sns:SetTopicAttributes'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/sns/snsValidSubscribers.js b/plugins/aws/sns/snsValidSubscribers.js
index 2dab47043c..3e9a2397a7 100644
--- a/plugins/aws/sns/snsValidSubscribers.js
+++ b/plugins/aws/sns/snsValidSubscribers.js
@@ -18,6 +18,7 @@ module.exports = {
default: '',
}
},
+ realtime_triggers: ['sns:Subscribe', 'sns:Unsubscribe'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/sns/topicCmkEncrypted.js b/plugins/aws/sns/topicCmkEncrypted.js
index b4657b9f9c..8c2f2524e9 100644
--- a/plugins/aws/sns/topicCmkEncrypted.js
+++ b/plugins/aws/sns/topicCmkEncrypted.js
@@ -11,6 +11,7 @@ module.exports = {
recommended_action: 'Update SNS topics to use Customer Master Keys (CMKs) for Server-Side Encryption.',
link: 'https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html',
apis: ['SNS:listTopics', 'SNS:getTopicAttributes'],
+ realtime_triggers: ['sns:CreateTopic', 'sns:SetTopicAttributes'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/sns/topicPolicies.js b/plugins/aws/sns/topicPolicies.js
index 43627b9e7d..c3f8c38a66 100644
--- a/plugins/aws/sns/topicPolicies.js
+++ b/plugins/aws/sns/topicPolicies.js
@@ -22,6 +22,7 @@ module.exports = {
default: 'aws:PrincipalArn,aws:PrincipalAccount,aws:PrincipalOrgID,aws:SourceOwner,aws:SourceArn,aws:SourceAccount,sns:Endpoint'
}
},
+ realtime_triggers: ['sns:CreateTopic', 'sns:SetTopicAttributes'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/sqs/queueUnprocessedMessages.js b/plugins/aws/sqs/queueUnprocessedMessages.js
index cf27373314..b6bb2217e8 100644
--- a/plugins/aws/sqs/queueUnprocessedMessages.js
+++ b/plugins/aws/sqs/queueUnprocessedMessages.js
@@ -18,6 +18,7 @@ module.exports = {
default: 1000
}
},
+ realtime_triggers: ['sqs:CreateQueue', 'sqs:SetQueueAttributes'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/sqs/sqsCrossAccount.js b/plugins/aws/sqs/sqsCrossAccount.js
index e73491d165..2e54d659e3 100644
--- a/plugins/aws/sqs/sqsCrossAccount.js
+++ b/plugins/aws/sqs/sqsCrossAccount.js
@@ -35,6 +35,7 @@ module.exports = {
default: 'aws:PrincipalArn,aws:PrincipalAccount,aws:PrincipalOrgID,aws:SourceAccount,aws:SourceArn,aws:SourceOwner'
},
},
+ realtime_triggers: ['sqs:CreateQueue', 'sqs:SetQueueAttributes'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/sqs/sqsDeadLetterQueue.js b/plugins/aws/sqs/sqsDeadLetterQueue.js
index c76c929193..5d00815516 100644
--- a/plugins/aws/sqs/sqsDeadLetterQueue.js
+++ b/plugins/aws/sqs/sqsDeadLetterQueue.js
@@ -10,6 +10,7 @@ module.exports = {
recommended_action: 'Update Amazon SQS queue and configure dead letter queue.',
link: 'https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-dead-letter-queues.html',
apis: ['SQS:listQueues', 'SQS:getQueueAttributes', 'STS:getCallerIdentity'],
+ realtime_triggers: ['sqs:CreateQueue', 'sqs:SetQueueAttributes'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/sqs/sqsEncryptionEnabled.js b/plugins/aws/sqs/sqsEncryptionEnabled.js
index 1acba59700..b8bab2a499 100644
--- a/plugins/aws/sqs/sqsEncryptionEnabled.js
+++ b/plugins/aws/sqs/sqsEncryptionEnabled.js
@@ -20,6 +20,7 @@ module.exports = {
default: 'awscmk'
}
},
+ realtime_triggers: ['sqs:CreateQueue', 'sqs:SetQueueAttributes'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/sqs/sqsPublicAccess.js b/plugins/aws/sqs/sqsPublicAccess.js
index b3c15d8810..96667ca304 100644
--- a/plugins/aws/sqs/sqsPublicAccess.js
+++ b/plugins/aws/sqs/sqsPublicAccess.js
@@ -18,6 +18,7 @@ module.exports = {
default: 'aws:PrincipalArn,aws:PrincipalAccount,aws:PrincipalOrgID,aws:SourceAccount,aws:SourceArn,aws:SourceOwner'
},
},
+ realtime_triggers: ['sqs:CreateQueue', 'sqs:AddPermission', 'sqs:RemovePermission'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/ssm/ssmActiveOnAllInstances.js b/plugins/aws/ssm/ssmActiveOnAllInstances.js
index 50a9acaaa2..6f5026438b 100644
--- a/plugins/aws/ssm/ssmActiveOnAllInstances.js
+++ b/plugins/aws/ssm/ssmActiveOnAllInstances.js
@@ -18,6 +18,7 @@ module.exports = {
default: 20
}
},
+ realtime_triggers: ['ec2:RunInstance', 'ssm:CreateAssociation', 'ssm:UpdateAssociation'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/ssm/ssmAgentAutoUpdateEnabled.js b/plugins/aws/ssm/ssmAgentAutoUpdateEnabled.js
index 2513a89df2..2f8b12dad6 100644
--- a/plugins/aws/ssm/ssmAgentAutoUpdateEnabled.js
+++ b/plugins/aws/ssm/ssmAgentAutoUpdateEnabled.js
@@ -10,6 +10,7 @@ module.exports = {
link: 'https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-automatic-updates.html',
recommended_action: 'Update the SSM agent configuration for all managed instances to use automatic updates.',
apis: ['SSM:describeInstanceInformation', 'SSM:listAssociations', 'STS:getCallerIdentity'],
+ realtime_triggers: ['ssm:CreateAssoication', 'ssm:UpdateAssociation'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/ssm/ssmAgentLatestVersion.js b/plugins/aws/ssm/ssmAgentLatestVersion.js
index 0f5ea524d4..93db03b9ab 100644
--- a/plugins/aws/ssm/ssmAgentLatestVersion.js
+++ b/plugins/aws/ssm/ssmAgentLatestVersion.js
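Review bot: `'ssm:CreateAssoication'` in ssmAgentAutoUpdateEnabled.js is misspelled (the ssmAgentLatestVersion.js hunk that follows spells it `'ssm:CreateAssociation'`), so the auto-update check will not re-run when an association is created. Also, `'ec2:RunInstance'` in ssmActiveOnAllInstances.js (and again in ssmManagedInstances.js further down) does not name a real event — the EC2 API and its CloudTrail eventName are `RunInstances`; since existing plugins in this repository already use the singular form it may be an alias resolved by whatever consumes `realtime_triggers`, but that is worth confirming rather than propagating. Suggested line: `realtime_triggers: ['ssm:CreateAssociation', 'ssm:UpdateAssociation'],`. The enclosing `module.exports` object starts and ends outside each hunk.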
@@ -10,6 +10,7 @@ module.exports = {
link: 'https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-automatic-updates.html',
recommended_action: 'Update the SSM agent on all Linux hosts to the latest version.',
apis: ['SSM:describeInstanceInformation', 'STS:getCallerIdentity'],
+ realtime_triggers: ['ssm:CreateAssociation', 'ssm:UpdateAssociation'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/ssm/ssmDocumentPublicAccess.js b/plugins/aws/ssm/ssmDocumentPublicAccess.js
index 71699029d5..5ccbb7e483 100644
--- a/plugins/aws/ssm/ssmDocumentPublicAccess.js
+++ b/plugins/aws/ssm/ssmDocumentPublicAccess.js
@@ -9,6 +9,7 @@ module.exports = {
link: 'https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-share-block.html',
recommended_action: 'Enable block public sharing setting under SSM documents preferences.',
apis: ['SSM:getServiceSetting', 'STS:getCallerIdentity'],
+ realtime_triggers: ['ssm:UpdateServiceSetting'],
run: function(cache, settings, callback) {
const results = [];
diff --git a/plugins/aws/ssm/ssmEncryptedParameters.js b/plugins/aws/ssm/ssmEncryptedParameters.js
index 39df78f66a..64b7f75058 100644
--- a/plugins/aws/ssm/ssmEncryptedParameters.js
+++ b/plugins/aws/ssm/ssmEncryptedParameters.js
@@ -34,6 +34,7 @@ module.exports = {
default: 'false'
}
},
+ realtime_triggers: ['ssm:PutParameter'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/ssm/ssmManagedInstances.js b/plugins/aws/ssm/ssmManagedInstances.js
index ed3cac8bac..e22bdfc2ab 100644
--- a/plugins/aws/ssm/ssmManagedInstances.js
+++ b/plugins/aws/ssm/ssmManagedInstances.js
@@ -10,6 +10,8 @@ module.exports = {
recommended_action: 'Configure AWS EC2 instance as SSM Managed Instances',
link: 'https://docs.aws.amazon.com/systems-manager/latest/userguide/managed_instances.html',
apis: ['EC2:describeInstances', 'SSM:describeInstanceInformation', 'STS:getCallerIdentity'],
+ realtime_triggers: ['ssm:CreateAssociation', 'ec2:RunInstance', 'ec2:AssociateIamInstanceProfile'],
+
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/ssm/ssmSessionDuration.js b/plugins/aws/ssm/ssmSessionDuration.js
index 3f6bdc4130..d0da992ae2 100644
--- a/plugins/aws/ssm/ssmSessionDuration.js
+++ b/plugins/aws/ssm/ssmSessionDuration.js
@@ -19,6 +19,7 @@ module.exports = {
default: '5'
}
},
+ realtime_triggers: ['ssm:StartSession', 'ssm:TerminateSession'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/timestreamwrite/timestreamDatabaseEncrypted.js b/plugins/aws/timestreamwrite/timestreamDatabaseEncrypted.js
index 339d2b1187..9b94381cd3 100644
--- a/plugins/aws/timestreamwrite/timestreamDatabaseEncrypted.js
+++ b/plugins/aws/timestreamwrite/timestreamDatabaseEncrypted.js
@@ -20,6 +20,7 @@ module.exports = {
default: 'awscmk'
}
},
+ realtime_triggers: ['timestreamwrite:CreateDatabase', 'timestreamwrite:UpdateDatabase'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/transfer/transferLoggingEnabled.js b/plugins/aws/transfer/transferLoggingEnabled.js
index 98e31d8724..dd9928f41a 100644
--- a/plugins/aws/transfer/transferLoggingEnabled.js
+++ b/plugins/aws/transfer/transferLoggingEnabled.js
@@ -14,6 +14,7 @@ module.exports = {
hipaa: 'HIPAA requires that all data access is audited via proper logging configurations.',
pci: 'PCI requires that all account access activity be logged.'
},
+ realtime_triggers: ['transfer:CreateServer', 'transfer:UpdateServer'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/transfer/transferPrivateLinkInUse.js b/plugins/aws/transfer/transferPrivateLinkInUse.js
index 815aaf950a..35410dbc73 100644
--- a/plugins/aws/transfer/transferPrivateLinkInUse.js
+++ b/plugins/aws/transfer/transferPrivateLinkInUse.js
@@ -10,6 +10,7 @@ module.exports = {
link: 'https://docs.aws.amazon.com/transfer/latest/userguide/update-endpoint-type-vpc.html',
recommended_action: 'Configure the SFTP server endpoints to use endpoints powered by PrivateLink.',
apis: ['Transfer:listServers'],
+ realtime_triggers: ['transfer:CreateServer', 'trannsfer:UpdateServer'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/translate/translateJobOutputEncrypted.js b/plugins/aws/translate/translateJobOutputEncrypted.js
index bcb17d646f..0900791e2d 100644
--- a/plugins/aws/translate/translateJobOutputEncrypted.js
+++ b/plugins/aws/translate/translateJobOutputEncrypted.js
@@ -19,6 +19,7 @@ module.exports = {
default: 'awscmk',
}
},
+ realtime_triggers: ['translate:StartTextTranslationJob', 'translate:StopTextTranslationJob'],
run: function(cache, settings, callback) {
var results = [];
From 8017773254fc4f2e1e98bf7d9d86f125488a9420 Mon Sep 17 00:00:00 2001
From: --global
Date: Thu, 14 Sep 2023 17:47:43 +0500
Subject: [PATCH 011/498] added tiggers
---
plugins/aws/lex/lexAudioLogsEncrypted.js | 2 +-
plugins/aws/location/trackerDataEncrypted.js | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/plugins/aws/lex/lexAudioLogsEncrypted.js b/plugins/aws/lex/lexAudioLogsEncrypted.js
index 90b5d890a5..146bdd600f 100644
--- a/plugins/aws/lex/lexAudioLogsEncrypted.js
+++ b/plugins/aws/lex/lexAudioLogsEncrypted.js
@@ -19,7 +19,7 @@ module.exports = {
default: 'awscmk'
}
},
- realtime_triggers: ['lexmodelsV2:CreateBot'],
+ realtime_triggers: ['lexmodelsV2:CreateBot', 'lexmodelsV2:UpdateBot'],
run: function(cache, settings, callback) {
var results = [];
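Review bot: `'trannsfer:UpdateServer'` in transferPrivateLinkInUse.js misspells the service prefix (the transferLoggingEnabled.js hunk just above has the correct `'transfer:UpdateServer'`), so changing a server's endpoint type away from a VPC endpoint will not re-trigger this check and the regression is only caught on the next scheduled scan. Suggested line: `realtime_triggers: ['transfer:CreateServer', 'transfer:UpdateServer'],`. The enclosing `module.exports` object starts and ends outside the hunk.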
diff --git a/plugins/aws/location/trackerDataEncrypted.js b/plugins/aws/location/trackerDataEncrypted.js
index e08309df68..c5d1087c2e 100644
--- a/plugins/aws/location/trackerDataEncrypted.js
+++ b/plugins/aws/location/trackerDataEncrypted.js
@@ -19,7 +19,7 @@ module.exports = {
default: 'awscmk'
}
},
- realtime_triggers: ['location:CreateTracker'],
+ realtime_triggers: ['location:CreateTracker', 'location:UpdateTracker'],
run: function(cache, settings, callback) {
var results = [];
From 8ddf40e406991405cac62c1a53f7aaf8de5058d0 Mon Sep 17 00:00:00 2001
From: --global
Date: Thu, 14 Sep 2023 18:02:20 +0500
Subject: [PATCH 012/498] added tiggers
---
plugins/aws/firehose/deliveryStreamEncrypted.js | 2 +-
plugins/aws/firehose/firehoseEncrypted.js | 2 +-
plugins/aws/guardduty/guarddutyEnabled.js | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/plugins/aws/firehose/deliveryStreamEncrypted.js b/plugins/aws/firehose/deliveryStreamEncrypted.js
index c14bc2f6e1..584aabd312 100644
--- a/plugins/aws/firehose/deliveryStreamEncrypted.js
+++ b/plugins/aws/firehose/deliveryStreamEncrypted.js
@@ -20,7 +20,7 @@ module.exports = {
default: 'awscmk'
}
},
- realtime_triggers: ['firehose:UpdateDestination'],
+ realtime_triggers: ['firehose:CreateDeliveryStreams','firehose:UpdateDestination'],
run: function(cache, settings, callback) {
var results = [];
diff --git a/plugins/aws/firehose/firehoseEncrypted.js b/plugins/aws/firehose/firehoseEncrypted.js
index 1d69545d2a..a05543968e 100644
--- a/plugins/aws/firehose/firehoseEncrypted.js
+++ b/plugins/aws/firehose/firehoseEncrypted.js
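Review bot: `'firehose:CreateDeliveryStreams'` in deliveryStreamEncrypted.js (and the identical entry added to firehoseEncrypted.js in the following hunk) pluralises the action; the Firehose API and its CloudTrail eventName are `CreateDeliveryStream`, so a newly created unencrypted stream will not trigger either check, which defeats the purpose of adding a create trigger in this commit. Suggested line: `realtime_triggers: ['firehose:CreateDeliveryStream', 'firehose:UpdateDestination'],`. The enclosing `module.exports` object starts and ends outside the hunk.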
@@ -17,7 +17,7 @@ module.exports = { 'AWS KMS encryption ensures that the Firehose payload meets the ' + 'encryption in transit and at rest requirements of HIPAA.' }, - realtime_triggers: ['firehose:StartDeliveryStreamEncryption', 'kinesis:StartStreamEncryption'], + realtime_triggers: ['firehose:CreateDeliveryStreams','firehose:StartDeliveryStreamEncryption', 'kinesis:StartStreamEncryption'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/guardduty/guarddutyEnabled.js b/plugins/aws/guardduty/guarddutyEnabled.js index ffd4dd65b4..295249e0cf 100644 --- a/plugins/aws/guardduty/guarddutyEnabled.js +++ b/plugins/aws/guardduty/guarddutyEnabled.js @@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Enable GuardDuty for all AWS accounts.', link: 'https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html', apis: ['GuardDuty:listDetectors', 'GuardDuty:getDetector', 'STS:getCallerIdentity'], - realtime_triggers: ['guardduty:CreateDetector'], + realtime_triggers: ['guardduty:CreateDetector', 'guardduty:DeleteDetector'], run: function(cache, settings, callback) { var results = []; From d849ab6b66eb0e9c8f7dd8acfeb91890d6cb0b0f Mon Sep 17 00:00:00 2001 
From: --global Date: Thu, 14 Sep 2023 19:13:02 +0500 Subject: [PATCH 013/498] added tiggers --- plugins/aws/ec2/appTierInstanceIamRole.js | 2 +- plugins/aws/ec2/defaultVpcInUse.js | 2 +- plugins/aws/ec2/ebsSnapshotLifecycle.js | 2 +- plugins/aws/ec2/flowLogsEnabled.js | 2 +- plugins/aws/ec2/instanceIamRole.js | 2 +- plugins/aws/ec2/launchWizardSecurityGroups.js | 2 +- plugins/aws/ec2/networkAclInboundTraffic.js | 1 + plugins/aws/ec2/openAllPortsProtocols.js | 2 +- plugins/aws/ec2/openAllPortsProtocolsEgress.js | 2 +- plugins/aws/ec2/openHTTP.js | 2 +- plugins/aws/ec2/openHTTPS.js | 2 +- plugins/aws/ec2/unassociatedElasticIp.js | 2 +- plugins/aws/ec2/unusedAmi.js | 2 +- plugins/aws/ec2/unusedEni.js | 2 +- plugins/aws/ec2/unusedSecurityGroups.js | 2 +- plugins/aws/ec2/vpcEndpointAcceptance.js | 2 +- plugins/aws/ec2/webTierInstanceIamRole.js | 2 +- 17 files changed, 17 insertions(+), 16 deletions(-) diff --git a/plugins/aws/ec2/appTierInstanceIamRole.js b/plugins/aws/ec2/appTierInstanceIamRole.js index 9199acf07c..ddc9783c74 100644 --- a/plugins/aws/ec2/appTierInstanceIamRole.js +++ b/plugins/aws/ec2/appTierInstanceIamRole.js @@ -19,7 +19,7 @@ module.exports = { default: '' }, }, - realtime_triggers: ['ec2:RunInstance'], + realtime_triggers: ['ec2:RunInstance', 'ec2:AssociateIamInstanceProfile', 'ec2:DisassociateIamInstanceProfile'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/defaultVpcInUse.js b/plugins/aws/ec2/defaultVpcInUse.js index eb5ff9ad26..e1d9f2d5a5 100644 --- a/plugins/aws/ec2/defaultVpcInUse.js +++ b/plugins/aws/ec2/defaultVpcInUse.js 
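Review bot: appTierInstanceIamRole keeps `'ec2:RunInstance'` on the new side, but the EC2 action (and the CloudTrail event name) is `RunInstances`, so the launch event these plugins care about most would not match. The same entry survives in defaultVpcInUse, instanceIamRole and webTierInstanceIamRole later in this patch. Suggested: `realtime_triggers: ['ec2:RunInstances', 'ec2:AssociateIamInstanceProfile', 'ec2:DisassociateIamInstanceProfile'],`. The enclosing `module.exports` object continues outside the hunk.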
@@ -10,7 +10,7 @@ module.exports = { link: 'http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/default-vpc.html', recommended_action: 'Move resources from the default VPC to a new VPC created for that application or resource group.', apis: ['EC2:describeVpcs', 'EC2:describeInstances', 'ELB:describeLoadBalancers', 'Lambda:listFunctions', 'RDS:describeDBInstances', 'Redshift:describeClusters'], - realtime_triggers: ['ec2:CreateVpc', 'ec2:ModifyVpcAttribute', 'ec2:RunInstance','elasticloadbalancing:CreateLoadBalancer', 'lambda:CreateFunction','', 'rds:CreateDBInstance','redshift:CreateCluster'], + realtime_triggers: ['ec2:CreateVpc', 'ec2:ModifyVpcAttribute', 'ec2:RunInstance','elasticloadbalancing:CreateLoadBalancer', 'lambda:CreateFunction', 'rds:CreateDBInstance','redshift:CreateCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/ebsSnapshotLifecycle.js b/plugins/aws/ec2/ebsSnapshotLifecycle.js index ffd6462a5f..70c0b3d237 100644 --- a/plugins/aws/ec2/ebsSnapshotLifecycle.js +++ b/plugins/aws/ec2/ebsSnapshotLifecycle.js @@ -12,7 +12,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-lifecycle.html', apis: ['EC2:describeInstances', 'EC2:describeVolumes', 'DLM:getLifecyclePolicies', 'DLM:getLifecyclePolicy', 'STS:getCallerIdentity'], - realtime_triggers: ['dlm:CreateLifecyclePolicy'], + realtime_triggers: ['dlm:CreateLifecyclePolicy', 'dlm:DeleteLifecyclePolicy', 'dlm:UpdateLifecyclePolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/flowLogsEnabled.js b/plugins/aws/ec2/flowLogsEnabled.js index 47610f2fe8..069d9912fa 100644 --- a/plugins/aws/ec2/flowLogsEnabled.js +++ b/plugins/aws/ec2/flowLogsEnabled.js 
@@ -19,7 +19,7 @@ module.exports = { 'cardholder data. Enable VPC flow logs to log these network requests.', cis2: '2.9 Ensure VPC flow logging is enabled in all VPCs' }, - realtime_triggers: ['ec2:CreateVpc', 'ec2:CreateFlowLogs'], + realtime_triggers: ['ec2:CreateVpc', 'ec2:CreateFlowLogs', 'ec2:DeleteFlowLogs'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/instanceIamRole.js b/plugins/aws/ec2/instanceIamRole.js index a144413d56..fe3d04b022 100644 --- a/plugins/aws/ec2/instanceIamRole.js +++ b/plugins/aws/ec2/instanceIamRole.js @@ -18,7 +18,7 @@ module.exports = { default: 10 } }, - realtime_triggers: ['ec2:RunInstance'], + realtime_triggers: ['ec2:RunInstance','ec2:AssociateIamInstanceProfile', 'ec2:DisassociateIamInstanceProfile'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/launchWizardSecurityGroups.js b/plugins/aws/ec2/launchWizardSecurityGroups.js index 5ae29a9ec2..6f8487026c 100644 --- a/plugins/aws/ec2/launchWizardSecurityGroups.js +++ b/plugins/aws/ec2/launchWizardSecurityGroups.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-sap-security-groups.html', recommended_action: 'Delete the launch wizard security group and replace it with a custom security group.', apis: ['EC2:describeSecurityGroups'], - realtime_triggers: ['ec2:CreateSecurityGroup'], + realtime_triggers: ['ec2:CreateSecurityGroup', 'ec2:DeleteSecurityGroup'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/networkAclInboundTraffic.js b/plugins/aws/ec2/networkAclInboundTraffic.js index 110f0a32ec..3ea2ed9399 100644 --- a/plugins/aws/ec2/networkAclInboundTraffic.js +++ b/plugins/aws/ec2/networkAclInboundTraffic.js 
@@ -14,6 +14,7 @@ module.exports = { cis1: '5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports', }, realtime_triggers: ['ec2:CreateNetworkAcl', 'ec2:ReplaceNetworkAclEntry'], + run: function(cache, settings, callback) { var results = []; var source = {}; diff --git a/plugins/aws/ec2/openAllPortsProtocols.js b/plugins/aws/ec2/openAllPortsProtocols.js index 11d000f3bc..8a617842a7 100644 --- a/plugins/aws/ec2/openAllPortsProtocols.js +++ b/plugins/aws/ec2/openAllPortsProtocols.js @@ -27,7 +27,7 @@ module.exports = { 'Security groups should be properly secured to prevent access to ' + 'backend services.' }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openAllPortsProtocolsEgress.js b/plugins/aws/ec2/openAllPortsProtocolsEgress.js index 564f9d24ce..f5057acaec 100644 --- a/plugins/aws/ec2/openAllPortsProtocolsEgress.js +++ b/plugins/aws/ec2/openAllPortsProtocolsEgress.js @@ -18,7 +18,7 @@ module.exports = { default: 'false', } }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openHTTP.js b/plugins/aws/ec2/openHTTP.js index 94dcb29ebc..2286a29b77 100644 --- a/plugins/aws/ec2/openHTTP.js +++ b/plugins/aws/ec2/openHTTP.js 
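Review bot: openAllPortsProtocolsEgress still lists only ingress events (`ec2:AuthorizeSecurityGroupIngress`) even though, judging by its name, the plugin evaluates egress rules; an `AuthorizeSecurityGroupEgress` or `RevokeSecurityGroupEgress` call would therefore not re-trigger it. If the check does inspect egress rules, the list should be `realtime_triggers: ['ec2:CreateSecurityGroup', 'ec2:AuthorizeSecurityGroupEgress', 'ec2:RevokeSecurityGroupEgress', 'ec2:ModifySecurityGroupRules'],`. Also, the networkAclInboundTraffic hunk in this same group only adds a blank line before `run:`, which looks accidental.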
@@ -10,7 +10,7 @@ module.exports = { link: 'http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html', recommended_action: 'Restrict TCP port 80 to known IP addresses', apis: ['EC2:describeSecurityGroups'], - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { diff --git a/plugins/aws/ec2/openHTTPS.js b/plugins/aws/ec2/openHTTPS.js index bf7935712a..827153c8cf 100644 --- a/plugins/aws/ec2/openHTTPS.js +++ b/plugins/aws/ec2/openHTTPS.js @@ -10,7 +10,7 @@ module.exports = { link: 'http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html', recommended_action: 'Restrict TCP port 443 to known IP addresses.', apis: ['EC2:describeSecurityGroups'], - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/unassociatedElasticIp.js b/plugins/aws/ec2/unassociatedElasticIp.js index 3cb6a205c9..d880f0b491 100644 --- a/plugins/aws/ec2/unassociatedElasticIp.js +++ b/plugins/aws/ec2/unassociatedElasticIp.js @@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Delete the unassociated Elastic IP', link: 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html', apis: ['EC2:describeAddresses', 'STS:getCallerIdentity'], - realtime_triggers: ['ec2:ReleaseAddress'], + realtime_triggers: ['ec2:AllocateAddress','ec2:ReleaseAddress'], run: function(cache, settings, callback) { var results = []; 
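Review bot: For unassociatedElasticIp the added `ec2:AllocateAddress` is reasonable, but the events that actually change whether an address is associated — `ec2:AssociateAddress` and `ec2:DisassociateAddress` — are still missing, so an EIP detached from an instance will not re-trigger the check. Suggested: `realtime_triggers: ['ec2:AllocateAddress', 'ec2:AssociateAddress', 'ec2:DisassociateAddress', 'ec2:ReleaseAddress'],`.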
diff --git a/plugins/aws/ec2/unusedAmi.js b/plugins/aws/ec2/unusedAmi.js index 0e5b684400..46da394875 100644 --- a/plugins/aws/ec2/unusedAmi.js +++ b/plugins/aws/ec2/unusedAmi.js @@ -11,7 +11,7 @@ module.exports = { recommended_action: 'Delete the unused/deregistered AMIs', apis: ['EC2:describeImages', 'EC2:describeInstances', 'EC2:describeLaunchTemplates', 'EC2:describeLaunchTemplateVersions', 'AutoScaling:describeLaunchConfigurations', 'STS:getCallerIdentity'], - realtime_triggers: ['ec2:DeregisterImage'], + realtime_triggers: ['ec2:CreateImage','ec2:DeregisterImage'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/unusedEni.js b/plugins/aws/ec2/unusedEni.js index c8b7e2dd6f..8cdd7e2463 100644 --- a/plugins/aws/ec2/unusedEni.js +++ b/plugins/aws/ec2/unusedEni.js @@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Delete the unused AWS Elastic Network Interfaces', link: 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html', apis: ['EC2:describeNetworkInterfaces', 'STS:getCallerIdentity'], - realtime_triggers: ['ec2:DeleteNetworkInterface'], + realtime_triggers: ['ec2:CreateNetworkInterface','ec2:DeleteNetworkInterface'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/unusedSecurityGroups.js b/plugins/aws/ec2/unusedSecurityGroups.js index d527c55b19..5199d81e8a 100644 --- a/plugins/aws/ec2/unusedSecurityGroups.js +++ b/plugins/aws/ec2/unusedSecurityGroups.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html', recommended_action: 'Remove security groups that are not being used.', apis: ['EC2:describeSecurityGroups', 'EC2:describeNetworkInterfaces', 'Lambda:listFunctions'], - realtime_triggers: ['ec2:DeleteSecurityGroup'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:DeleteSecurityGroup'], run: function(cache, settings, callback) { var results = []; 
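Review bot: unusedEni now triggers on create and delete, but an ENI becomes "unused" when it is detached, and that path (`ec2:AttachNetworkInterface` / `ec2:DetachNetworkInterface`) is not covered, so the state this plugin reports on can change without a realtime evaluation. Suggested: `realtime_triggers: ['ec2:CreateNetworkInterface', 'ec2:AttachNetworkInterface', 'ec2:DetachNetworkInterface', 'ec2:DeleteNetworkInterface'],`. The same reasoning applies to unusedSecurityGroups in this hunk group, where group membership on interfaces changes via `ec2:ModifyNetworkInterfaceAttribute`.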
diff --git a/plugins/aws/ec2/vpcEndpointAcceptance.js b/plugins/aws/ec2/vpcEndpointAcceptance.js index c5c7b894f5..0b92a52b20 100644 --- a/plugins/aws/ec2/vpcEndpointAcceptance.js +++ b/plugins/aws/ec2/vpcEndpointAcceptance.js @@ -18,7 +18,7 @@ module.exports = { default: 'false' }, }, - realtime_triggers: ['ec2:AcceptVpcEndpointConnections'], + realtime_triggers: ['ec2:CreateVpcEndpointServiceConfiguration', 'ec2:ModifyVpcEndpointServicePermissions'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/webTierInstanceIamRole.js b/plugins/aws/ec2/webTierInstanceIamRole.js index 97d75cc3a1..5e26957b3a 100644 --- a/plugins/aws/ec2/webTierInstanceIamRole.js +++ b/plugins/aws/ec2/webTierInstanceIamRole.js @@ -19,7 +19,7 @@ module.exports = { default: '' }, }, - realtime_triggers: ['ec2:RunInstance'], + realtime_triggers: ['ec2:RunInstance','ec2:AssociateIamInstanceProfile', 'ec2:DisassociateIamInstanceProfile'], run: function(cache, settings, callback) { var results = []; From 96125356307f8cd1604a7fdab895e667028eb006 Mon Sep 17 00:00:00 2001 
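Review bot: vpcEndpointAcceptance replaces its trigger with `ec2:ModifyVpcEndpointServicePermissions`, but that call changes the allowed principals, not the acceptance-required flag; the attribute this plugin checks is toggled by `ec2:ModifyVpcEndpointServiceConfiguration`, which is absent. Suggested: `realtime_triggers: ['ec2:CreateVpcEndpointServiceConfiguration', 'ec2:ModifyVpcEndpointServiceConfiguration'],`. If the permissions event is also wanted it can stay, but it should not replace the configuration one.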
From: muzzamilinovaqo Date: Thu, 14 Sep 2023 19:24:15 +0500 Subject: [PATCH 014/498] fixed typo mistake --- plugins/aws/iam/accessKeysExtra.js | 2 +- plugins/aws/iam/accessKeysRotated.js | 2 +- plugins/aws/iam/certificateExpiry.js | 2 +- plugins/aws/iam/crossAccountMfaExtIdAccess.js | 2 +- plugins/aws/iam/emptyGroups.js | 2 +- plugins/aws/iam/groupInlinePolicies.js | 2 +- plugins/aws/iam/iamPoliciesPresent.js | 2 +- plugins/aws/iam/iamRoleHasTags.js | 2 +- plugins/aws/iam/iamRoleLastUsed.js | 2 +- plugins/aws/iam/iamRolePolicies.js | 2 +- plugins/aws/iam/iamSupportPolicy.js | 2 +- plugins/aws/iam/iamUserAdmins.js | 2 +- plugins/aws/iam/iamUserHasTags.js | 2 +- plugins/aws/iam/iamUserInUse.js | 2 +- plugins/aws/iam/iamUserNameRegex.js | 2 +- plugins/aws/iam/iamUserNotInUse.js | 2 +- plugins/aws/iam/iamUserUnauthorizedToEdit.js | 2 +- plugins/aws/iam/iamUserWithoutPermissions.js | 2 +- plugins/aws/iam/noUserIamPolicies.js | 2 +- plugins/aws/iam/rolePolicyUnusedServices.js | 2 +- plugins/aws/iam/rootAccessKeys.js | 2 +- plugins/aws/iam/rootHardwareMfa.js | 2 +- plugins/aws/iam/rootMfaEnabled.js | 2 +- plugins/aws/iam/trustedCrossAccountRoles.js | 2 +- plugins/aws/iam/usersMfaEnabled.js | 2 +- plugins/aws/iam/usersPasswordAndKeys.js | 2 +- plugins/aws/iam/usersPasswordLastUsed.js | 2 +- plugins/aws/imagebuilder/enhancedMetadataEnabled.js | 2 +- plugins/aws/imagebuilder/infraConfigNotificationEnabled.js | 2 +- plugins/aws/kendra/kendraIndexEncrypted.js | 2 +- plugins/aws/kinesis/kinesisDataStreamsEncrypted.js | 2 +- plugins/aws/kms/kmsAppTierCmk.js | 2 +- plugins/aws/kms/kmsDefaultKeyUsage.js | 2 +- plugins/aws/kms/kmsDuplicateGrants.js | 2 +- plugins/aws/kms/kmsGrantLeastPrivilege.js | 2 +- plugins/aws/kms/kmsKeyPolicy.js | 2 +- plugins/aws/kms/kmsKeyRotation.js | 2 +- plugins/aws/kms/kmsScheduledDeletion.js | 2 +- 38 files changed, 38 insertions(+), 38 deletions(-) 
diff --git a/plugins/aws/iam/accessKeysExtra.js b/plugins/aws/iam/accessKeysExtra.js index a47e734f36..b59813636a 100644 --- a/plugins/aws/iam/accessKeysExtra.js +++ b/plugins/aws/iam/accessKeysExtra.js @@ -27,7 +27,7 @@ module.exports = { } ] }, - realtime_triggers: ['IAM:CreateAccessKey,IAM:DeleteAccessKey'], + realtime_triggers: ['IAM:CreateAccessKey','IAM:DeleteAccessKey'], run: function(cache, settings, callback) { diff --git a/plugins/aws/iam/accessKeysRotated.js b/plugins/aws/iam/accessKeysRotated.js index bfca705f77..eb67625b11 100644 --- a/plugins/aws/iam/accessKeysRotated.js +++ b/plugins/aws/iam/accessKeysRotated.js @@ -33,7 +33,7 @@ module.exports = { default: 90 } }, - realtime_triggers: ['IAM:CreateAccessKey,IAM:DeleteAccessKey'], + realtime_triggers: ['IAM:CreateAccessKey','IAM:DeleteAccessKey'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/certificateExpiry.js b/plugins/aws/iam/certificateExpiry.js index 20fd0e3599..c101543708 100644 --- a/plugins/aws/iam/certificateExpiry.js +++ b/plugins/aws/iam/certificateExpiry.js @@ -35,7 +35,7 @@ module.exports = { } ] }, - realtime_triggers: ['IAM:UploadServerCertificate,ELB:SetLoadBalancerListenerSSLCertificate'], + realtime_triggers: ['IAM:UploadServerCertificate','ELB:SetLoadBalancerListenerSSLCertificate'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/crossAccountMfaExtIdAccess.js b/plugins/aws/iam/crossAccountMfaExtIdAccess.js index b3a1f1912b..8391e09092 100644 --- a/plugins/aws/iam/crossAccountMfaExtIdAccess.js +++ b/plugins/aws/iam/crossAccountMfaExtIdAccess.js 
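Review bot: Splitting the comma-joined strings is the right fix, but the service prefixes in this commit are capitalised (`IAM:`, `ELB:`, later `Imagebuilder:`, `Kendra:`, `Kinesis:`) while every other plugin touched in this series uses the lowercase form (`ec2:`, `dlm:`, `firehose:`); if the trigger matcher compares strings exactly, none of these entries will ever match a CloudTrail event. certificateExpiry additionally uses `ELB:` where defaultVpcInUse uses `elasticloadbalancing:` for the same service. Suggested for that line: `realtime_triggers: ['iam:UploadServerCertificate', 'elasticloadbalancing:SetLoadBalancerListenerSSLCertificate'],`, and the lowercase prefix applied across the remaining IAM/Imagebuilder/Kendra/Kinesis hunks in this commit.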
@@ -9,7 +9,7 @@ module.exports = { link: 'https://aws.amazon.com/blogs/aws/mfa-protection-for-cross-account-access/', recommended_action: 'Update the IAM role to either require MFA or use an external ID.', apis: ['IAM:listRoles', 'STS:getCallerIdentity'], - realtime_triggers: ['IAM:CreateRole,IAM:UpdateAssumeRolePolicy'], + realtime_triggers: ['IAM:CreateRole','IAM:UpdateAssumeRolePolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/emptyGroups.js b/plugins/aws/iam/emptyGroups.js index be624e1911..3db802196a 100644 --- a/plugins/aws/iam/emptyGroups.js +++ b/plugins/aws/iam/emptyGroups.js @@ -22,7 +22,7 @@ module.exports = { } ] }, - realtime_triggers: ['IAM:CreateGroup,IAM:DeleteGroup'], + realtime_triggers: ['IAM:CreateGroup','IAM:DeleteGroup'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/groupInlinePolicies.js b/plugins/aws/iam/groupInlinePolicies.js index 495c14c400..56151d9235 100644 --- a/plugins/aws/iam/groupInlinePolicies.js +++ b/plugins/aws/iam/groupInlinePolicies.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html', recommended_action: 'Remove inline policies attached to groups', apis: ['IAM:listGroups', 'IAM:listGroupPolicies'], - realtime_triggers: ['IAM:CreatePolicy,IAM:DeleteGroupPolicy'], + realtime_triggers: ['IAM:CreatePolicy','IAM:DeleteGroupPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/iamPoliciesPresent.js b/plugins/aws/iam/iamPoliciesPresent.js index f9c76082fa..22da3b446a 100644 --- a/plugins/aws/iam/iamPoliciesPresent.js +++ b/plugins/aws/iam/iamPoliciesPresent.js 
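Review bot: groupInlinePolicies triggers on `IAM:CreatePolicy`, which creates a managed policy and never produces a group inline policy; the call that adds an inline policy to a group is `PutGroupPolicy`, so the new side still misses the event that makes this check fail. Suggested: `realtime_triggers: ['IAM:PutGroupPolicy','IAM:DeleteGroupPolicy'],`. The enclosing `module.exports` object continues outside the hunk.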
@@ -18,7 +18,7 @@ module.exports = { default: '' } }, - realtime_triggers: ['IAM:CreatePolicy,IAM:CreatePolicyVersion,IAM:PutRolePolicy,IAM:UpdateAssumeRolePolicy'], + realtime_triggers: ['IAM:CreatePolicy','IAM:CreatePolicyVersion','IAM:PutRolePolicy','IAM:UpdateAssumeRolePolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/iamRoleHasTags.js b/plugins/aws/iam/iamRoleHasTags.js index 586b4cd895..06343616c6 100644 --- a/plugins/aws/iam/iamRoleHasTags.js +++ b/plugins/aws/iam/iamRoleHasTags.js @@ -9,7 +9,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html', recommended_action: 'Modify Roles to add tags.', apis: ['IAM:listRoles', 'IAM:getRole'], - realtime_triggers: ['IAM:CreateRole,IAM:TagRole,IAM:UntagRole'], + realtime_triggers: ['IAM:CreateRole','IAM:TagRole','IAM:UntagRole'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/iamRoleLastUsed.js b/plugins/aws/iam/iamRoleLastUsed.js index eaf0cc26dc..2b26bc5570 100644 --- a/plugins/aws/iam/iamRoleLastUsed.js +++ b/plugins/aws/iam/iamRoleLastUsed.js @@ -54,7 +54,7 @@ module.exports = { } ] }, - realtime_triggers: ['IAM:CreateRole,IAM:DeleteRole'], + realtime_triggers: ['IAM:CreateRole','IAM:DeleteRole'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/iamRolePolicies.js b/plugins/aws/iam/iamRolePolicies.js index 7e738430a9..5c0f9990b9 100644 --- a/plugins/aws/iam/iamRolePolicies.js +++ b/plugins/aws/iam/iamRolePolicies.js @@ -82,7 +82,7 @@ module.exports = { default: 'false' } }, - realtime_triggers: ['IAM:CreatePolicy,IAM:CreatePolicyVersion,IAM:PutRolePolicy,IAM:UpdateAssumeRolePolicy'], + realtime_triggers: ['IAM:CreatePolicy','IAM:CreatePolicyVersion','IAM:PutRolePolicy','IAM:UpdateAssumeRolePolicy'], run: function(cache, settings, callback) { var config = { 
diff --git a/plugins/aws/iam/iamSupportPolicy.js b/plugins/aws/iam/iamSupportPolicy.js index fcbf15407a..cdeae086c6 100644 --- a/plugins/aws/iam/iamSupportPolicy.js +++ b/plugins/aws/iam/iamSupportPolicy.js @@ -9,7 +9,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html', recommended_action: 'Ensure that an IAM role has permission to access support center.', apis: ['IAM:listPolicies'], - realtime_triggers: ['IAM:CreatePolicy,IAM:CreatePolicyVersion'], + realtime_triggers: ['IAM:CreatePolicy','IAM:CreatePolicyVersion'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/iamUserAdmins.js b/plugins/aws/iam/iamUserAdmins.js index 04429e25c1..0928283e87 100644 --- a/plugins/aws/iam/iamUserAdmins.js +++ b/plugins/aws/iam/iamUserAdmins.js @@ -33,7 +33,7 @@ module.exports = { default: 2 } }, - realtime_triggers: ['IAM:AddUserToGroup,IAM:RemoveUserFromGroup,IAM:AttachGroupPolicy,IAM:DetachGroupPolicy,IAM:AttachUserPolicy,IAM:DetachUserPolicy,IAM:PutUserPolicy'], + realtime_triggers: ['IAM:AddUserToGroup','IAM:RemoveUserFromGroup','IAM:AttachGroupPolicy','IAM:DetachGroupPolicy','IAM:AttachUserPolicy','IAM:DetachUserPolicy','IAM:PutUserPolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/iamUserHasTags.js b/plugins/aws/iam/iamUserHasTags.js index 394063fac5..2a24b98004 100644 --- a/plugins/aws/iam/iamUserHasTags.js +++ b/plugins/aws/iam/iamUserHasTags.js @@ -9,7 +9,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags_users.html', recommended_action: 'Modify IAM User and add tags', apis: ['IAM:listUsers', 'IAM:getUser'], - realtime_triggers: ['IAM:CreateUser,IAM:TagUser,IAM:UntagUser'], + realtime_triggers: ['IAM:CreateUser','IAM:TagUser','IAM:UntagUser'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/iam/iamUserInUse.js b/plugins/aws/iam/iamUserInUse.js index 0d7b4b9298..6c10554aac 100644 --- a/plugins/aws/iam/iamUserInUse.js +++ b/plugins/aws/iam/iamUserInUse.js @@ -17,7 +17,7 @@ module.exports = { default: '15' } }, - realtime_triggers: ['IAM:CreateUser,IAM:DeleteUser'], + realtime_triggers: ['IAM:CreateUser','IAM:DeleteUser'], run: function(cache, settings, callback) { const config = { diff --git a/plugins/aws/iam/iamUserNameRegex.js b/plugins/aws/iam/iamUserNameRegex.js index cbb04e9d50..87acb8ba9e 100644 --- a/plugins/aws/iam/iamUserNameRegex.js +++ b/plugins/aws/iam/iamUserNameRegex.js @@ -30,7 +30,7 @@ module.exports = { } ] }, - realtime_triggers: ['IAM:CreateUser,IAM:DeleteUser,IAM:UpdateUser'], + realtime_triggers: ['IAM:CreateUser','IAM:DeleteUser','IAM:UpdateUser'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/iamUserNotInUse.js b/plugins/aws/iam/iamUserNotInUse.js index d69b56914c..7ed6a0aa7e 100644 --- a/plugins/aws/iam/iamUserNotInUse.js +++ b/plugins/aws/iam/iamUserNotInUse.js @@ -17,7 +17,7 @@ module.exports = { default: '90' } }, - realtime_triggers: ['IAM:CreateUser,IAM:DeleteUser'], + realtime_triggers: ['IAM:CreateUser','IAM:DeleteUser'], run: function(cache, settings, callback) { const config = { diff --git a/plugins/aws/iam/iamUserUnauthorizedToEdit.js b/plugins/aws/iam/iamUserUnauthorizedToEdit.js index b3a36a5d32..ae8e042a0d 100644 --- a/plugins/aws/iam/iamUserUnauthorizedToEdit.js +++ b/plugins/aws/iam/iamUserUnauthorizedToEdit.js 
@@ -45,7 +45,7 @@ module.exports = { default: '' } }, - realtime_triggers: ['IAM:AddUserToGroup,IAM:RemoveUserFromGroup,IAM:AttachGroupPolicy,IAM:DetachGroupPolicy,IAM:AttachUserPolicy,IAM:DetachUserPolicy,IAM:PutUserPolicy'], + realtime_triggers: ['IAM:AddUserToGroup','IAM:RemoveUserFromGroup','IAM:AttachGroupPolicy','IAM:DetachGroupPolicy','IAM:AttachUserPolicy','IAM:DetachUserPolicy','IAM:PutUserPolicy'], run: function(cache, settings, callback) { var whitelisted_users = settings.iam_authorized_user_arns || this.settings.iam_authorized_user_arns.default; diff --git a/plugins/aws/iam/iamUserWithoutPermissions.js b/plugins/aws/iam/iamUserWithoutPermissions.js index ea1dca91e8..fe7fb0b0dd 100644 --- a/plugins/aws/iam/iamUserWithoutPermissions.js +++ b/plugins/aws/iam/iamUserWithoutPermissions.js @@ -11,7 +11,7 @@ module.exports = { recommended_action: 'Modify IAM user and attach new permissions or delete the user.', apis: ['IAM:listUsers', 'IAM:listUserPolicies', 'IAM:listAttachedUserPolicies', 'IAM:getPolicyVersion' ,'IAM:listGroupsForUser', 'IAM:listGroups', 'IAM:listGroupPolicies', 'IAM:listAttachedGroupPolicies'], - realtime_triggers: ['IAM:AddUserToGroup,IAM:RemoveUserFromGroup,IAM:AttachGroupPolicy,IAM:DetachGroupPolicy,IAM:AttachUserPolicy,IAM:DetachUserPolicy,IAM:PutUserPolicy'], + realtime_triggers: ['IAM:AddUserToGroup','IAM:RemoveUserFromGroup','IAM:AttachGroupPolicy','IAM:DetachGroupPolicy','IAM:AttachUserPolicy','IAM:DetachUserPolicy','IAM:PutUserPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/noUserIamPolicies.js b/plugins/aws/iam/noUserIamPolicies.js index cf944987f7..c247a9e622 100644 --- a/plugins/aws/iam/noUserIamPolicies.js +++ b/plugins/aws/iam/noUserIamPolicies.js 
@@ -13,7 +13,7 @@ module.exports = { compliance: { cis1: '1.16 Ensure IAM policies are attached only to groups or roles' }, - realtime_triggers: ['IAM:AttachUserPolicy,IAM:DetachUserPolicy'], + realtime_triggers: ['IAM:AttachUserPolicy','IAM:DetachUserPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/rolePolicyUnusedServices.js b/plugins/aws/iam/rolePolicyUnusedServices.js index d9066b098b..dd4e05a87c 100644 --- a/plugins/aws/iam/rolePolicyUnusedServices.js +++ b/plugins/aws/iam/rolePolicyUnusedServices.js @@ -94,7 +94,7 @@ module.exports = { default: 'false' } }, - realtime_triggers: ['IAM:CreatePolicy,IAM:UpdatePolicy,IAM:PutRolePolicy'], + realtime_triggers: ['IAM:CreatePolicy','IAM:UpdatePolicy','IAM:PutRolePolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/rootAccessKeys.js b/plugins/aws/iam/rootAccessKeys.js index 09cd7842df..d7931044e3 100644 --- a/plugins/aws/iam/rootAccessKeys.js +++ b/plugins/aws/iam/rootAccessKeys.js @@ -16,7 +16,7 @@ module.exports = { 'should not be used.', cis1: '1.12 Ensure no root account access key exists' }, - realtime_triggers: ['IAM:CreateAccessKey,IAM:DeleteAccessKey'], + realtime_triggers: ['IAM:CreateAccessKey','IAM:DeleteAccessKey'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/rootHardwareMfa.js b/plugins/aws/iam/rootHardwareMfa.js index cb758af795..2ce627e47b 100644 --- a/plugins/aws/iam/rootHardwareMfa.js +++ b/plugins/aws/iam/rootHardwareMfa.js 
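Review bot: rolePolicyUnusedServices keeps `'IAM:UpdatePolicy'` on the new side, and as far as I can tell IAM exposes no `UpdatePolicy` action — managed policy changes surface as `CreatePolicyVersion` (and `SetDefaultPolicyVersion`), which is what iamPoliciesPresent and iamRolePolicies in this same commit already use. Suggested: `realtime_triggers: ['IAM:CreatePolicy','IAM:CreatePolicyVersion','IAM:PutRolePolicy'],`, keeping the three plugins' trigger lists consistent.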
@@ -9,7 +9,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html', recommended_action: 'Enable a hardware MFA device for the root account and disable any virtual devices', apis: ['IAM:listVirtualMFADevices', 'IAM:getAccountSummary'], - realtime_triggers: ['IAM:EnableMFADevice,IAM:DeactivateMFADevice'], + realtime_triggers: ['IAM:EnableMFADevice','IAM:DeactivateMFADevice'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/rootMfaEnabled.js b/plugins/aws/iam/rootMfaEnabled.js index 8703c2f8ca..c1e58cbc40 100644 --- a/plugins/aws/iam/rootMfaEnabled.js +++ b/plugins/aws/iam/rootMfaEnabled.js @@ -15,7 +15,7 @@ module.exports = { 'a safe location for use as backup for named IAM users.', cis1: '1.13 Ensure MFA is enabled for the "root" account' }, - realtime_triggers: ['IAM:EnableMFADevice,IAM:DeactivateMFADevice'], + realtime_triggers: ['IAM:EnableMFADevice','IAM:DeactivateMFADevice'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/trustedCrossAccountRoles.js b/plugins/aws/iam/trustedCrossAccountRoles.js index 48808fb72c..227c3fce57 100644 --- a/plugins/aws/iam/trustedCrossAccountRoles.js +++ b/plugins/aws/iam/trustedCrossAccountRoles.js @@ -30,7 +30,7 @@ module.exports = { default: 'false' } }, - realtime_triggers: ['IAM:CreateRole,IAM:UpdateAssumeRolePolicy,IAM:DeleteRole'], + realtime_triggers: ['IAM:CreateRole','IAM:UpdateAssumeRolePolicy','IAM:DeleteRole'], run: function(cache, settings, callback) { var config= { diff --git a/plugins/aws/iam/usersMfaEnabled.js b/plugins/aws/iam/usersMfaEnabled.js index 9e281ba1df..72535bd620 100644 --- a/plugins/aws/iam/usersMfaEnabled.js +++ b/plugins/aws/iam/usersMfaEnabled.js 
@@ -31,7 +31,7 @@ module.exports = {
 }
 ]
 },
- realtime_triggers: ['IAM:EnableMFADevice,IAM:DeactivateMFADevice'],
+ realtime_triggers: ['IAM:EnableMFADevice','IAM:DeactivateMFADevice'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iam/usersPasswordAndKeys.js b/plugins/aws/iam/usersPasswordAndKeys.js
index f097c97d72..96aa39ab9a 100644
--- a/plugins/aws/iam/usersPasswordAndKeys.js
+++ b/plugins/aws/iam/usersPasswordAndKeys.js
@@ -18,7 +18,7 @@ module.exports = {
 default: '^.*$'
 }
 },
- realtime_triggers: ['IAM:CreateAccessKey,IAM:DeleteAccessKey'],
+ realtime_triggers: ['IAM:CreateAccessKey','IAM:DeleteAccessKey'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iam/usersPasswordLastUsed.js b/plugins/aws/iam/usersPasswordLastUsed.js
index 13bbed2af9..7eb927e98a 100644
--- a/plugins/aws/iam/usersPasswordLastUsed.js
+++ b/plugins/aws/iam/usersPasswordLastUsed.js
@@ -32,7 +32,7 @@ module.exports = {
 default: 90
 }
 },
- realtime_triggers: ['IAM:CreateUser,IAM:DeleteUser'],
+ realtime_triggers: ['IAM:CreateUser','IAM:DeleteUser'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/imagebuilder/enhancedMetadataEnabled.js b/plugins/aws/imagebuilder/enhancedMetadataEnabled.js
index 749b97c770..6f52e6243d 100644
--- a/plugins/aws/imagebuilder/enhancedMetadataEnabled.js
+++ b/plugins/aws/imagebuilder/enhancedMetadataEnabled.js
@@ -11,7 +11,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/imagebuilder/latest/userguide/start-build-image-pipeline.html',
 recommended_action: 'Enable enhanced metadata collection for image pipeline.',
 apis: ['Imagebuilder:listImagePipelines'],
- realtime_triggers: ['Imagebuilder:CreateImagePipeline,Imagebuilder:UpdateImagePipeline'],
+ realtime_triggers: ['Imagebuilder:CreateImagePipeline','Imagebuilder:UpdateImagePipeline'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/imagebuilder/infraConfigNotificationEnabled.js b/plugins/aws/imagebuilder/infraConfigNotificationEnabled.js
index 0373cc995e..17d5cd2af8 100644
--- a/plugins/aws/imagebuilder/infraConfigNotificationEnabled.js
+++ b/plugins/aws/imagebuilder/infraConfigNotificationEnabled.js
@@ -11,7 +11,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/imagebuilder/latest/userguide/manage-infra-config.html',
 recommended_action: 'Enable SNS notification in EC2 Image Builder infrastructure configurations to get notified of any changes in the service.',
 apis: ['Imagebuilder:listInfrastructureConfigurations', 'Imagebuilder:getInfrastructureConfiguration'],
- realtime_triggers: ['Imagebuilder:CreateInfrastructureConfiguration,Imagebuilder:UpdateInfrastructureConfiguration'],
+ realtime_triggers: ['Imagebuilder:CreateInfrastructureConfiguration','Imagebuilder:UpdateInfrastructureConfiguration'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/kendra/kendraIndexEncrypted.js b/plugins/aws/kendra/kendraIndexEncrypted.js
index ecad5d974b..8267f43554 100644
--- a/plugins/aws/kendra/kendraIndexEncrypted.js
+++ b/plugins/aws/kendra/kendraIndexEncrypted.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 'awscmk'
 }
 },
- realtime_triggers: ['Kendra:CreateIndex,Kendra:UpdateIndex'],
+ realtime_triggers: ['Kendra:CreateIndex','Kendra:UpdateIndex'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/kinesis/kinesisDataStreamsEncrypted.js b/plugins/aws/kinesis/kinesisDataStreamsEncrypted.js
index aaad913ab2..a04e552e35 100644
--- a/plugins/aws/kinesis/kinesisDataStreamsEncrypted.js
+++ b/plugins/aws/kinesis/kinesisDataStreamsEncrypted.js
@@ -20,7 +20,7 @@ module.exports = {
 default: 'awscmk'
 }
 },
- realtime_triggers: ['Kinesis:CreateStream,Kinesis:StartStreamEncryption'],
+ realtime_triggers: ['Kinesis:CreateStream','Kinesis:StartStreamEncryption'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/kms/kmsAppTierCmk.js b/plugins/aws/kms/kmsAppTierCmk.js
index a5d8530a85..dacd781129 100644
--- a/plugins/aws/kms/kmsAppTierCmk.js
+++ b/plugins/aws/kms/kmsAppTierCmk.js
@@ -18,7 +18,7 @@ module.exports = {
 default: ''
 },
 },
- realtime_triggers: ['KMS:CreateKey,KMS:TagResource'],
+ realtime_triggers: ['KMS:CreateKey','KMS:TagResource'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/kms/kmsDefaultKeyUsage.js b/plugins/aws/kms/kmsDefaultKeyUsage.js
index 4f505fb396..f47c707cd2 100644
--- a/plugins/aws/kms/kmsDefaultKeyUsage.js
+++ b/plugins/aws/kms/kmsDefaultKeyUsage.js
@@ -20,7 +20,7 @@ module.exports = {
 'passwords, it is still strongly encouraged to use a ' +
 'customer-provided CMK rather than the default KMS key.'
 },
- realtime_triggers: ['CloudTrail:CreateTrail,CloudTrail:UpdateTrail,EC2:CreateVolume,ElasticTranscoder:UpdatePipeline,ElasticTranscoder:CreatePipeline,RDS:CreateDBInstance,RDS:ModifyDBInstance,Redshift:CreateCluster,Redshift:ModifyCluster,S3:CreateBucket,S3:PutBucketEncryption,SES:CreateReceiptRule,SES:UpdateReceiptRule,Workspaces:CreateWorkspaces,Lambda:UpdateFunctionConfiguration,Lambda:CreateFunction,CloudWatchLogs:CreateLogGroup,CloudWatchLogs:AssociateKmsKey,EFS:CreateFileSystem'],
+ realtime_triggers: ['CloudTrail:CreateTrail','CloudTrail:UpdateTrail','EC2:CreateVolume','ElasticTranscoder:UpdatePipeline','ElasticTranscoder:CreatePipeline','RDS:CreateDBInstance','RDS:ModifyDBInstance','Redshift:CreateCluster','Redshift:ModifyCluster','S3:CreateBucket','S3:PutBucketEncryption','SES:CreateReceiptRule','SES:UpdateReceiptRule','Workspaces:CreateWorkspaces','Lambda:UpdateFunctionConfiguration','Lambda:CreateFunction','CloudWatchLogs:CreateLogGroup','CloudWatchLogs:AssociateKmsKey','EFS:CreateFileSystem'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/kms/kmsDuplicateGrants.js b/plugins/aws/kms/kmsDuplicateGrants.js
index 0f592618d8..cb878ede07 100644
--- a/plugins/aws/kms/kmsDuplicateGrants.js
+++ b/plugins/aws/kms/kmsDuplicateGrants.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Delete duplicate grants for AWS KMS keys',
 link: 'https://docs.aws.amazon.com/kms/latest/developerguide/grants.html',
 apis: ['KMS:listKeys', 'KMS:listGrants', 'KMS:describeKey'],
- realtime_triggers: ['KMS:CreateKey,KMS:RevokeGrant'],
+ realtime_triggers: ['KMS:CreateKey','KMS:RevokeGrant'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/kms/kmsGrantLeastPrivilege.js b/plugins/aws/kms/kmsGrantLeastPrivilege.js
index c2faebb5ea..939dd1815f 100644
--- a/plugins/aws/kms/kmsGrantLeastPrivilege.js
+++ b/plugins/aws/kms/kmsGrantLeastPrivilege.js
@@ -9,7 +9,7 @@ module.exports = {
 recommended_action: 'Create KMS grants with minimum permission required',
 link: 'https://docs.aws.amazon.com/kms/latest/developerguide/grants.html',
 apis: ['KMS:listKeys', 'KMS:listGrants', 'KMS:describeKey'],
- realtime_triggers: ['KMS:CreateKey,KMS:CreateGrant'],
+ realtime_triggers: ['KMS:CreateKey','KMS:CreateGrant'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/kms/kmsKeyPolicy.js b/plugins/aws/kms/kmsKeyPolicy.js
index 82d3f9e2cf..9d8faca972 100644
--- a/plugins/aws/kms/kmsKeyPolicy.js
+++ b/plugins/aws/kms/kmsKeyPolicy.js
@@ -57,7 +57,7 @@ module.exports = {
 default: 'false'
 },
 },
- realtime_triggers: ['KMS:CreateKey,KMS:PutKeyPolicy'],
+ realtime_triggers: ['KMS:CreateKey','KMS:PutKeyPolicy'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/kms/kmsKeyRotation.js b/plugins/aws/kms/kmsKeyRotation.js
index 700c97a9f4..ab60aabd23 100644
--- a/plugins/aws/kms/kmsKeyRotation.js
+++ b/plugins/aws/kms/kmsKeyRotation.js
@@ -25,7 +25,7 @@ module.exports = {
 default: 'aqua-cspm'
 }
 },
- realtime_triggers: ['KMS:CreateKey,KMS:EnableKeyRotation'],
+ realtime_triggers: ['KMS:CreateKey','KMS:EnableKeyRotation'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/kms/kmsScheduledDeletion.js b/plugins/aws/kms/kmsScheduledDeletion.js
index 4668d113c0..217a67910c 100644
--- a/plugins/aws/kms/kmsScheduledDeletion.js
+++ b/plugins/aws/kms/kmsScheduledDeletion.js
@@ -22,7 +22,7 @@ module.exports = {
 }
 ]
 },
- realtime_triggers: ['KMS:ScheduleKeyDeletion,KMS:CancelKeyDeletion'],
+ realtime_triggers: ['KMS:ScheduleKeyDeletion','KMS:CancelKeyDeletion'],
 run: function(cache, settings, callback) {
 var results = [];
From da33cc866641eafdbb07ce3c859fbfccfc0186bb Mon Sep 17 00:00:00 2001
From: --global
Date: Thu, 14 Sep 2023 19:33:46 +0500
Subject: [PATCH 015/498] resolve issues
---
 plugins/aws/kms/kmsDefaultKeyUsage.js | 2 +-
 plugins/aws/lambda/lambdaPublicAccess.js | 2 +-
 plugins/aws/lex/lexAudioLogsEncrypted.js | 2 +-
 plugins/aws/mq/mqLatestEngineVersion.js | 2 +-
 plugins/aws/msk/mskClusterPublicAccess.js | 2 +-
 plugins/aws/msk/mskClusterUnauthAccess.js | 2 +-
 .../openSearchServerless/opensearchCollectionPublicAccess.js | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/plugins/aws/kms/kmsDefaultKeyUsage.js b/plugins/aws/kms/kmsDefaultKeyUsage.js
index dc0ef308db..1798c51f81 100644
--- a/plugins/aws/kms/kmsDefaultKeyUsage.js
+++ b/plugins/aws/kms/kmsDefaultKeyUsage.js
@@ -20,7 +20,7 @@ module.exports = {
 'passwords, it is still strongly encouraged to use a ' +
 'customer-provided CMK rather than the default KMS key.'
 },
- realtime_triggers: ['kms:CreateKey', 'kms:CreateAlias','cloudtrail:CreateTrail', 'ec2:CreateVolume','elastictranscoder:CreatePipline', 'rds:CreateDBInstance', 'redshift:CreateCluster', 's3:CreateBucket','s3:putBucketEncryption','ses:CreateEmailIdentity', 'workspace:CreateWorkSpaces', 'lambda:CreateFunction', 'cloudwatchlogs:CreateLogGroup', 'efs:CreateFileSystem'],
+ realtime_triggers: ['cloudtrail:CreateTrail', 'ec2:CreateVolume','elastictranscoder:CreatePipline', 'rds:CreateDBInstance', 'redshift:CreateCluster','s3:putBucketEncryption','ses:CreateEmailIdentity', 'workspace:CreateWorkSpaces', 'lambda:CreateFunction', 'cloudwatchlogs:CreateLogGroup', 'efs:CreateFileSystem'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/lambda/lambdaPublicAccess.js b/plugins/aws/lambda/lambdaPublicAccess.js
index e8544a0dac..7bcdff066a 100644
--- a/plugins/aws/lambda/lambdaPublicAccess.js
+++ b/plugins/aws/lambda/lambdaPublicAccess.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html',
 recommended_action: 'Update the Lambda policy to prevent access from the public.',
 apis: ['Lambda:listFunctions', 'Lambda:getPolicy'],
- realtime_triggers: ['lambda:CreateFunction','lambda:AddPermission', 'lambda:RemovePermission'],
+ realtime_triggers: ['lambda:CreateFunction','lambda:UpdateFunctionConfiguration','lambda:AddPermission', 'lambda:RemovePermission'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/lex/lexAudioLogsEncrypted.js b/plugins/aws/lex/lexAudioLogsEncrypted.js
index 146bdd600f..d61d75ed7b 100644
--- a/plugins/aws/lex/lexAudioLogsEncrypted.js
+++ b/plugins/aws/lex/lexAudioLogsEncrypted.js
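Review bot: Three entries on the new kmsDefaultKeyUsage `realtime_triggers` line cannot match the events they are meant for: `'elastictranscoder:CreatePipline'` is missing the `e` of `CreatePipeline` (the earlier hunk for this same file spells it `ElasticTranscoder:CreatePipeline`), `'s3:putBucketEncryption'` uses a lower-case `put` while every other S3 trigger on this page is `PutBucket…`, and `'workspace:CreateWorkSpaces'` uses a different service prefix from the `Workspaces:CreateWorkspaces` form used before. If trigger names are matched exactly, which I cannot confirm from this hunk, those three events are silently ignored for this plugin. The same spellings are carried forward unchanged by the PATCH 018 hunk for this file further down. The enclosing `module.exports` object starts and ends outside the hunk.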
@@ -19,7 +19,7 @@ module.exports = {
 default: 'awscmk'
 }
 },
- realtime_triggers: ['lexmodelsV2:CreateBot', 'lexmodelsV2:UpdateBot'],
+ realtime_triggers: ['lexmodelsV2:CreateBotAlias', 'lexmodelsV2:UpdateBotAlias'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/mq/mqLatestEngineVersion.js b/plugins/aws/mq/mqLatestEngineVersion.js
index 04cfb51244..b9598c4ad2 100644
--- a/plugins/aws/mq/mqLatestEngineVersion.js
+++ b/plugins/aws/mq/mqLatestEngineVersion.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Update Amazon MQ brokers to the latest version of Apache ActiveMQ broker engine.',
 link: 'https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/activemq-version-management.html',
 apis: ['MQ:listBrokers', 'MQ:describeBroker'],
- realtime_triggers: ['mq:CreateBrocker', 'mq:CreateConfiguration','mq:UpdateConfiguration', 'mq:UpdateBrocker'],
+ realtime_triggers: ['mq:CreateBrocker','mq:UpdateBrocker'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/msk/mskClusterPublicAccess.js b/plugins/aws/msk/mskClusterPublicAccess.js
index 7e59131891..b97f5ee88b 100644
--- a/plugins/aws/msk/mskClusterPublicAccess.js
+++ b/plugins/aws/msk/mskClusterPublicAccess.js
@@ -11,7 +11,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/msk/latest/developerguide/public-access.html',
 recommended_action: 'Check for public access feature within the cluster for all MSK clusters',
 apis: ['Kafka:listClusters'],
- realtime_triggers: ['kafka:CreateCluster','kafka:UpdateConnectivity'],
+ realtime_triggers: ['kafka:CreateCluster'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/msk/mskClusterUnauthAccess.js b/plugins/aws/msk/mskClusterUnauthAccess.js
index df925bcaa9..2e3406d5fd 100644
--- a/plugins/aws/msk/mskClusterUnauthAccess.js
+++ b/plugins/aws/msk/mskClusterUnauthAccess.js
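Review bot: The retained entries `'mq:CreateBrocker'` and `'mq:UpdateBrocker'` in the mqLatestEngineVersion hunk misspell the Amazon MQ operations, which are `CreateBroker` and `UpdateBroker` (the `apis:` line just above spells it `MQ:describeBroker`); the commit trims the list but keeps the typo, so neither event would ever reach this plugin. Change the line to `realtime_triggers: ['mq:CreateBroker','mq:UpdateBroker'],`. The enclosing `module.exports` object starts and ends outside the hunk.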
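Review bot: Removing `'kafka:UpdateConnectivity'` from the mskClusterPublicAccess triggers leaves only cluster creation, yet public access on an MSK cluster is changed after creation through its connectivity settings, so the very event that flips the property this plugin checks no longer re-runs it unless a periodic scan covers it (not visible here). Keeping it restores that coverage: `realtime_triggers: ['kafka:CreateCluster','kafka:UpdateConnectivity'],`. The enclosing `module.exports` object starts and ends outside the hunk.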
@@ -11,7 +11,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/msk/latest/developerguide/msk-authentication.html',
 recommended_action: 'Ensure that MSK clusters does not have unauthenticated access enabled.',
 apis: ['Kafka:listClusters'],
- realtime_triggers: ['kafka:CreateCluster','kafka:UpdateClusterConfiguration'],
+ realtime_triggers: ['kafka:CreateCluster','kafka:UpdateSecurity'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/openSearchServerless/opensearchCollectionPublicAccess.js b/plugins/aws/openSearchServerless/opensearchCollectionPublicAccess.js
index c325275c26..9d3d45c2e4 100644
--- a/plugins/aws/openSearchServerless/opensearchCollectionPublicAccess.js
+++ b/plugins/aws/openSearchServerless/opensearchCollectionPublicAccess.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-network.html',
 recommended_action: 'Update the network policy and remove the public access to the collection.',
 apis: ['OpenSearchServerless:listNetworkSecurityPolicies', 'OpenSearchServerless:getNetworkSecurityPolicy', 'OpenSearchServerless:listCollections'],
- realtime_triggers: ['opensearchserverless:CreateCollection', 'opensearchserverless:CreateSecurityPolicy', 'opensearchserverless:UpdateSecurityPolicy','opensearchserverless:DeleteSecurityPolicy'],
+ realtime_triggers: ['opensearchserverless:CreateCollection', 'opensearserverless:UpdateCollection'],
 run: function(cache, settings, callback) {
 var results = [];
From 2d889fe13221fd147f41cefdbef35c9aa23e4de7 Mon Sep 17 00:00:00 2001
From: --global
Date: Thu, 14 Sep 2023 19:42:25 +0500
Subject: [PATCH 016/498] empty commit
---
 plugins/aws/ec2/allowedCustomPorts.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/plugins/aws/ec2/allowedCustomPorts.js b/plugins/aws/ec2/allowedCustomPorts.js
index fa7a88165d..aa4bdf0b0d 100644
--- a/plugins/aws/ec2/allowedCustomPorts.js
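Review bot: The new entry `'opensearserverless:UpdateCollection'` in the opensearchCollectionPublicAccess hunk drops the `ch` from the `opensearchserverless` prefix its sibling on the same line uses, so it can never match. Separately, this plugin reads `OpenSearchServerless:listNetworkSecurityPolicies` and `getNetworkSecurityPolicy` (the `apis:` line above), and its `recommended_action` says public access is fixed by editing the network policy, yet the `CreateSecurityPolicy`/`UpdateSecurityPolicy`/`DeleteSecurityPolicy` triggers were removed, so a policy change no longer re-runs the check. Suggested line: `realtime_triggers: ['opensearchserverless:CreateCollection', 'opensearchserverless:UpdateCollection', 'opensearchserverless:CreateSecurityPolicy', 'opensearchserverless:UpdateSecurityPolicy', 'opensearchserverless:DeleteSecurityPolicy'],`. The enclosing `module.exports` object starts and ends outside the hunk.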
+++ b/plugins/aws/ec2/allowedCustomPorts.js
@@ -145,3 +145,4 @@ module.exports = {
 });
 }
 };
+
From 482b0179dc1e1bcc1ab5417085e4c39b2bbf1af5 Mon Sep 17 00:00:00 2001
From: --global
Date: Thu, 14 Sep 2023 19:55:11 +0500
Subject: [PATCH 017/498] resolve issues
---
 plugins/aws/s3/bucketEnforceEncryption.js | 2 +-
 plugins/aws/s3/bucketLifecycleConfiguration.js | 2 +-
 plugins/aws/s3/bucketPolicyCloudFrontOac.js | 2 +-
 plugins/aws/s3/bucketPolicyCloudFrontOai.js | 2 +-
 plugins/aws/s3/bucketSecureTransportEnabled.js | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/plugins/aws/s3/bucketEnforceEncryption.js b/plugins/aws/s3/bucketEnforceEncryption.js
index 3b6f44ac9e..d69e2db42b 100644
--- a/plugins/aws/s3/bucketEnforceEncryption.js
+++ b/plugins/aws/s3/bucketEnforceEncryption.js
@@ -23,7 +23,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['s3:CreateBucket' , 's3:PutBucketPolicy'],
+ realtime_triggers: ['s3:CreateBucket' , 's3:PutBucketPolicy','s3:DeleteBucketPolicy'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/s3/bucketLifecycleConfiguration.js b/plugins/aws/s3/bucketLifecycleConfiguration.js
index b38fe70eda..2a9a270bee 100644
--- a/plugins/aws/s3/bucketLifecycleConfiguration.js
+++ b/plugins/aws/s3/bucketLifecycleConfiguration.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Update S3 bucket and create lifecycle rule configuration',
 link: 'https://docs.aws.amazon.com/AmazonS3/latest/dev/how-to-set-lifecycle-configuration-intro.html',
 apis: ['S3:listBuckets', 'S3:getBucketLifecycleConfiguration', 'S3:getBucketLocation'],
- realtime_triggers: ['s3:CreateBucket', 's3:PutBucketLifeCycleConfiguration'],
+ realtime_triggers: ['s3:CreateBucket', 's3:PutBucketLifeCycleConfiguration', 's3:DeleteBucketLifeCycle'],
 run: function(cache, settings, callback) {
 var results = [];
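Review bot: The added `'s3:DeleteBucketLifeCycle'` in the bucketLifecycleConfiguration hunk (and the retained `'s3:PutBucketLifeCycleConfiguration'`) capitalise `Cycle`, but the S3 operations are `DeleteBucketLifecycle` and `PutBucketLifecycleConfiguration` — compare the `apis:` line of the same hunk, `S3:getBucketLifecycleConfiguration`. If trigger names are matched exactly, neither event reaches this plugin; the line should read `realtime_triggers: ['s3:CreateBucket', 's3:PutBucketLifecycleConfiguration', 's3:DeleteBucketLifecycle'],`. The enclosing `module.exports` object starts and ends outside the hunk.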
diff --git a/plugins/aws/s3/bucketPolicyCloudFrontOac.js b/plugins/aws/s3/bucketPolicyCloudFrontOac.js
index a8678c9921..986d242797 100644
--- a/plugins/aws/s3/bucketPolicyCloudFrontOac.js
+++ b/plugins/aws/s3/bucketPolicyCloudFrontOac.js
@@ -16,7 +16,7 @@ module.exports = {
 'If an S3 bucket backing a CloudFront distribution does not require the end ' +
 'user to access the contents through CloudFront, this policy may be violated.'
 },
- realtime_triggers: ['s3:CreateBucket', 'cloudfront:CreateDistribution', 'cloudfront:UpdateDistribution', 's3:PutBucketPolicy', 's3:DeleteBucketPolicy'],
+ realtime_triggers: ['s3:CreateBucket', 's3:PutBucketPolicy', 's3:DeleteBucketPolicy'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/s3/bucketPolicyCloudFrontOai.js b/plugins/aws/s3/bucketPolicyCloudFrontOai.js
index 6c3e620ff6..abe523560e 100644
--- a/plugins/aws/s3/bucketPolicyCloudFrontOai.js
+++ b/plugins/aws/s3/bucketPolicyCloudFrontOai.js
@@ -16,7 +16,7 @@ module.exports = {
 'If an S3 bucket backing a CloudFront distribution does not require the end ' +
 'user to access the contents through CloudFront, this policy may be violated.'
 },
- realtime_triggers: ['s3:CreateBucket', 'cloudfront:CreateDistribution', 'cloudfront:UpdateDistribution', 's3:PutBucketPolicy', 's3:DeleteBucketPolicy'],
+ realtime_triggers: ['s3:CreateBucket', 's3:PutBucketPolicy', 's3:DeleteBucketPolicy'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/s3/bucketSecureTransportEnabled.js b/plugins/aws/s3/bucketSecureTransportEnabled.js
index 6cc102095c..18c83eb619 100644
--- a/plugins/aws/s3/bucketSecureTransportEnabled.js
+++ b/plugins/aws/s3/bucketSecureTransportEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Update S3 bucket policy to enforse SSL to secure data in transit.',
 link: 'https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/',
 apis: ['S3:listBuckets', 'S3:getBucketPolicy', 'S3:getBucketLocation'],
- realtime_triggers: ['s3:CreateBucket', 's3:PutBucketPolicy'],
+ realtime_triggers: ['s3:CreateBucket', 's3:PutBucketPolicy', 's3:DeleteBucketPolicy'],
 run: function(cache, settings, callback) {
 var results = [];
From ff68801a9c15cd8fa7a6096e848af48b1a9fc8ed Mon Sep 17 00:00:00 2001
From: --global
Date: Thu, 14 Sep 2023 20:16:03 +0500
Subject: [PATCH 018/498] added tigger
---
 plugins/aws/kms/kmsDefaultKeyUsage.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/aws/kms/kmsDefaultKeyUsage.js b/plugins/aws/kms/kmsDefaultKeyUsage.js
index 1798c51f81..dbf478b102 100644
--- a/plugins/aws/kms/kmsDefaultKeyUsage.js
+++ b/plugins/aws/kms/kmsDefaultKeyUsage.js
@@ -20,7 +20,7 @@ module.exports = {
 'passwords, it is still strongly encouraged to use a ' +
 'customer-provided CMK rather than the default KMS key.'
 },
- realtime_triggers: ['cloudtrail:CreateTrail', 'ec2:CreateVolume','elastictranscoder:CreatePipline', 'rds:CreateDBInstance', 'redshift:CreateCluster','s3:putBucketEncryption','ses:CreateEmailIdentity', 'workspace:CreateWorkSpaces', 'lambda:CreateFunction', 'cloudwatchlogs:CreateLogGroup', 'efs:CreateFileSystem'],
+ realtime_triggers: ['cloudtrail:CreateTrail', 'ec2:CreateVolume','elastictranscoder:CreatePipline', 'rds:CreateDBInstance', 'redshift:CreateCluster','redshift:ModifyCluster','s3:putBucketEncryption','ses:CreateEmailIdentity','ses:CreateEmailIdentity','ses:SetActiveReceiptRuleSet', 'workspace:CreateWorkSpaces', 'lambda:CreateFunction','lambda:UpdateFunctionConfiguration', 'cloudwatchlogs:CreateLogGroup', 'efs:CreateFileSystem'],
 run: function(cache, settings, callback) {
 var results = [];
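Review bot: `'ses:CreateEmailIdentity'` appears twice in the new kmsDefaultKeyUsage `realtime_triggers` list of PATCH 018; the duplicate is at best dead weight and should be dropped so the list stays a set of distinct event names. The same line also keeps the `'elastictranscoder:CreatePipline'`, `'s3:putBucketEncryption'` and `'workspace:CreateWorkSpaces'` spellings already raised on the PATCH 015 hunk for this file, which this rewrite of the line was the natural place to correct. The enclosing `module.exports` object starts and ends outside the hunk.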
From e8353c48023ce0d4809511c31758f18c63559705 Mon Sep 17 00:00:00 2001
From: --global
Date: Fri, 15 Sep 2023 13:25:10 +0500
Subject: [PATCH 019/498] added tiggers for security-group plugins
---
 plugins/aws/ec2/allowedCustomPorts.js | 2 +-
 plugins/aws/ec2/openAllPortsProtocols.js | 2 +-
 plugins/aws/ec2/openAllPortsProtocolsEgress.js | 2 +-
 plugins/aws/ec2/openCIFS.js | 2 +-
 plugins/aws/ec2/openCassandraClient.js | 2 +-
 plugins/aws/ec2/openCassandraInternode.js | 2 +-
 plugins/aws/ec2/openCassandraMonitoring.js | 2 +-
 plugins/aws/ec2/openCassandraThrift.js | 2 +-
 plugins/aws/ec2/openCustomPorts.js | 2 +-
 plugins/aws/ec2/openDNS.js | 2 +-
 plugins/aws/ec2/openDocker.js | 2 +-
 plugins/aws/ec2/openElasticsearch.js | 2 +-
 plugins/aws/ec2/openFTP.js | 2 +-
 plugins/aws/ec2/openHadoopNameNode.js | 2 +-
 plugins/aws/ec2/openHadoopNameNodeWebUI.js | 2 +-
 plugins/aws/ec2/openInternalWeb.js | 2 +-
 plugins/aws/ec2/openKibana.js | 2 +-
 plugins/aws/ec2/openLDAP.js | 2 +-
 plugins/aws/ec2/openLDAPS.js | 2 +-
 plugins/aws/ec2/openMemcached.js | 2 +-
 plugins/aws/ec2/openMongoDB.js | 2 +-
 plugins/aws/ec2/openMySQL.js | 2 +-
 plugins/aws/ec2/openNetBIOS.js | 2 +-
 plugins/aws/ec2/openOracle.js | 2 +-
 plugins/aws/ec2/openOracleAutoDataWarehouse.js | 2 +-
 plugins/aws/ec2/openPostgreSQL.js | 2 +-
 plugins/aws/ec2/openRDP.js | 2 +-
 plugins/aws/ec2/openRPC.js | 2 +-
 plugins/aws/ec2/openRedis.js | 2 +-
 plugins/aws/ec2/openSMBoTCP.js | 2 +-
 plugins/aws/ec2/openSMTP.js | 2 +-
 plugins/aws/ec2/openSNMP.js | 2 +-
 plugins/aws/ec2/openSQLServer.js | 2 +-
 plugins/aws/ec2/openSSH.js | 2 +-
 plugins/aws/ec2/openSalt.js | 2 +-
 plugins/aws/ec2/openTelnet.js | 2 +-
 plugins/aws/ec2/openVNCClient.js | 2 +-
 plugins/aws/ec2/openVNCServer.js | 2 +-
 plugins/aws/ec2/overlappingSecurityGroups.js | 2 +-
 39 files changed, 39 insertions(+), 39 deletions(-)
diff --git a/plugins/aws/ec2/allowedCustomPorts.js b/plugins/aws/ec2/allowedCustomPorts.js
index aa4bdf0b0d..ca1ceefe10 100644
--- a/plugins/aws/ec2/allowedCustomPorts.js
+++ b/plugins/aws/ec2/allowedCustomPorts.js
@@ -18,7 +18,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/openAllPortsProtocols.js b/plugins/aws/ec2/openAllPortsProtocols.js
index 8a617842a7..6b5a551e49 100644
--- a/plugins/aws/ec2/openAllPortsProtocols.js
+++ b/plugins/aws/ec2/openAllPortsProtocols.js
@@ -27,7 +27,7 @@ module.exports = {
 'Security groups should be properly secured to prevent access to ' +
 'backend services.'
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openAllPortsProtocolsEgress.js b/plugins/aws/ec2/openAllPortsProtocolsEgress.js
index f5057acaec..1af9a4f4e2 100644
--- a/plugins/aws/ec2/openAllPortsProtocolsEgress.js
+++ b/plugins/aws/ec2/openAllPortsProtocolsEgress.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 'false',
 }
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurity GroupIngress'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openCIFS.js b/plugins/aws/ec2/openCIFS.js
index 1035af5155..ef285cc08f 100644
--- a/plugins/aws/ec2/openCIFS.js
+++ b/plugins/aws/ec2/openCIFS.js
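Review bot: The openAllPortsProtocolsEgress hunk adds only ingress events (`ec2:AuthorizeSecurityGroupIngress`, `ec2:RevokeSecurityGroupIngress`) to a plugin whose name says it evaluates egress rules, so authorising or revoking an egress rule — the change this check presumably exists to catch — does not re-run it. Add the egress counterparts: `realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupEgress','ec2:RevokeSecurityGroupEgress','ec2:ModifySecurityGroupRules'],` (keeping the ingress entries as well is harmless if the body also inspects inbound rules, which is not visible here). The enclosing `module.exports` object starts and ends outside the hunk.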
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openCassandraClient.js b/plugins/aws/ec2/openCassandraClient.js
index 4b530796aa..86da19db1e 100644
--- a/plugins/aws/ec2/openCassandraClient.js
+++ b/plugins/aws/ec2/openCassandraClient.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openCassandraInternode.js b/plugins/aws/ec2/openCassandraInternode.js
index 59f0d70f07..986271e5ce 100644
--- a/plugins/aws/ec2/openCassandraInternode.js
+++ b/plugins/aws/ec2/openCassandraInternode.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openCassandraMonitoring.js b/plugins/aws/ec2/openCassandraMonitoring.js
index caad3c13ff..49dd4276cf 100644
--- a/plugins/aws/ec2/openCassandraMonitoring.js
+++ b/plugins/aws/ec2/openCassandraMonitoring.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openCassandraThrift.js b/plugins/aws/ec2/openCassandraThrift.js
index 7568978ea7..5679561ed5 100644
--- a/plugins/aws/ec2/openCassandraThrift.js
+++ b/plugins/aws/ec2/openCassandraThrift.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openCustomPorts.js b/plugins/aws/ec2/openCustomPorts.js
index 10c6598d5c..7bbffa3a93 100644
--- a/plugins/aws/ec2/openCustomPorts.js
+++ b/plugins/aws/ec2/openCustomPorts.js
@@ -24,7 +24,7 @@ module.exports = {
 default: 'false',
 }
 },
- realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openDNS.js b/plugins/aws/ec2/openDNS.js
index 287d069c90..4f8c5c4509 100644
--- a/plugins/aws/ec2/openDNS.js
+++ b/plugins/aws/ec2/openDNS.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openDocker.js b/plugins/aws/ec2/openDocker.js
index 6c04aaac87..77376f3a2c 100644
--- a/plugins/aws/ec2/openDocker.js
+++ b/plugins/aws/ec2/openDocker.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:RevokeSecurityGroupIngress'],
 rollback: ['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openElasticsearch.js b/plugins/aws/ec2/openElasticsearch.js
index 6881060aaa..53bf3cab5a 100644
--- a/plugins/aws/ec2/openElasticsearch.js
+++ b/plugins/aws/ec2/openElasticsearch.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openFTP.js b/plugins/aws/ec2/openFTP.js
index 745eac2fda..8369757b17 100644
--- a/plugins/aws/ec2/openFTP.js
+++ b/plugins/aws/ec2/openFTP.js
@@ -43,7 +43,7 @@ module.exports = { remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'], rollback:['ec2:AuthorizeSecurityGroupIngress'] }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openHadoopNameNode.js b/plugins/aws/ec2/openHadoopNameNode.js index 25ee4e6357..e487c8cf44 100644 --- a/plugins/aws/ec2/openHadoopNameNode.js +++ b/plugins/aws/ec2/openHadoopNameNode.js @@ -43,7 +43,7 @@ module.exports = { remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'], rollback:['ec2:AuthorizeSecurityGroupIngress'] }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openHadoopNameNodeWebUI.js b/plugins/aws/ec2/openHadoopNameNodeWebUI.js index 75609a94e2..b718f1e707 100644 --- a/plugins/aws/ec2/openHadoopNameNodeWebUI.js +++ b/plugins/aws/ec2/openHadoopNameNodeWebUI.js @@ -43,7 +43,7 @@ module.exports = { remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'], rollback:['ec2:AuthorizeSecurityGroupIngress'] }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openInternalWeb.js b/plugins/aws/ec2/openInternalWeb.js index 9d5cd2a1a6..71f8e774d2 100644 
--- a/plugins/aws/ec2/openInternalWeb.js +++ b/plugins/aws/ec2/openInternalWeb.js @@ -43,7 +43,7 @@ module.exports = { remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'], rollback:['ec2:AuthorizeSecurityGroupIngress'] }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openKibana.js b/plugins/aws/ec2/openKibana.js index 2120a941dc..c838720ea5 100644 --- a/plugins/aws/ec2/openKibana.js +++ b/plugins/aws/ec2/openKibana.js @@ -43,7 +43,7 @@ module.exports = { remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'], rollback:['ec2:AuthorizeSecurityGroupIngress'] }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openLDAP.js b/plugins/aws/ec2/openLDAP.js index 82e57d6626..5299b55323 100644 --- a/plugins/aws/ec2/openLDAP.js +++ b/plugins/aws/ec2/openLDAP.js @@ -43,7 +43,7 @@ module.exports = { remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'], rollback:['ec2:AuthorizeSecurityGroupIngress'] }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openLDAPS.js b/plugins/aws/ec2/openLDAPS.js index 62e76da3f0..ba6eeac259 100644 --- a/plugins/aws/ec2/openLDAPS.js 
+++ b/plugins/aws/ec2/openLDAPS.js @@ -43,7 +43,7 @@ module.exports = { remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'], rollback:['ec2:AuthorizeSecurityGroupIngress'] }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openMemcached.js b/plugins/aws/ec2/openMemcached.js index 765a9082b3..82a60c1598 100644 --- a/plugins/aws/ec2/openMemcached.js +++ b/plugins/aws/ec2/openMemcached.js @@ -49,7 +49,7 @@ module.exports = { remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'], rollback:['ec2:AuthorizeSecurityGroupIngress'] }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openMongoDB.js b/plugins/aws/ec2/openMongoDB.js index 96e118ed90..caa1c69984 100644 --- a/plugins/aws/ec2/openMongoDB.js +++ b/plugins/aws/ec2/openMongoDB.js @@ -43,7 +43,7 @@ module.exports = { remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'], rollback:['ec2:AuthorizeSecurityGroupIngress'] }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openMySQL.js b/plugins/aws/ec2/openMySQL.js index 5d48afbfea..7fdf5c5421 100644 --- a/plugins/aws/ec2/openMySQL.js 
+++ b/plugins/aws/ec2/openMySQL.js @@ -43,7 +43,7 @@ module.exports = { remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'], rollback:['ec2:AuthorizeSecurityGroupIngress'] }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openNetBIOS.js b/plugins/aws/ec2/openNetBIOS.js index 7ba67ef585..7f0f73ea66 100644 --- a/plugins/aws/ec2/openNetBIOS.js +++ b/plugins/aws/ec2/openNetBIOS.js @@ -43,7 +43,7 @@ module.exports = { remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'], rollback:['ec2:AuthorizeSecurityGroupIngress'] }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openOracle.js b/plugins/aws/ec2/openOracle.js index bab732254a..b9f82980a9 100644 --- a/plugins/aws/ec2/openOracle.js +++ b/plugins/aws/ec2/openOracle.js @@ -45,7 +45,7 @@ module.exports = { remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'], rollback:['ec2:AuthorizeSecurityGroupIngress'] }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openOracleAutoDataWarehouse.js b/plugins/aws/ec2/openOracleAutoDataWarehouse.js index 908bcb7dcf..beb59c5ead 100644 
--- a/plugins/aws/ec2/openOracleAutoDataWarehouse.js +++ b/plugins/aws/ec2/openOracleAutoDataWarehouse.js @@ -45,7 +45,7 @@ module.exports = { remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'], rollback:['ec2:AuthorizeSecurityGroupIngress'] }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openPostgreSQL.js b/plugins/aws/ec2/openPostgreSQL.js index a9091637c2..41b820a87d 100644 --- a/plugins/aws/ec2/openPostgreSQL.js +++ b/plugins/aws/ec2/openPostgreSQL.js @@ -43,7 +43,7 @@ module.exports = { remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'], rollback:['ec2:AuthorizeSecurityGroupIngress'] }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openRDP.js b/plugins/aws/ec2/openRDP.js index ca053d112f..b0bab5708f 100644 --- a/plugins/aws/ec2/openRDP.js +++ b/plugins/aws/ec2/openRDP.js @@ -46,7 +46,7 @@ module.exports = { remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'], rollback:['ec2:AuthorizeSecurityGroupIngress'] }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openRPC.js b/plugins/aws/ec2/openRPC.js index 754d878646..27b75a3a3e 100644 
--- a/plugins/aws/ec2/openRPC.js +++ b/plugins/aws/ec2/openRPC.js @@ -43,7 +43,7 @@ module.exports = { remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'], rollback:['ec2:AuthorizeSecurityGroupIngress'] }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openRedis.js b/plugins/aws/ec2/openRedis.js index ab87f16cdf..ad8ec70c88 100644 --- a/plugins/aws/ec2/openRedis.js +++ b/plugins/aws/ec2/openRedis.js @@ -43,7 +43,7 @@ module.exports = { remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'], rollback:['ec2:AuthorizeSecurityGroupIngress'] }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openSMBoTCP.js b/plugins/aws/ec2/openSMBoTCP.js index 0e91775f06..8278832d5a 100644 --- a/plugins/aws/ec2/openSMBoTCP.js +++ b/plugins/aws/ec2/openSMBoTCP.js @@ -43,7 +43,7 @@ module.exports = { remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'], rollback:['ec2:AuthorizeSecurityGroupIngress'] }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openSMTP.js b/plugins/aws/ec2/openSMTP.js index 01b3bdb79e..9d4975db31 100644 --- a/plugins/aws/ec2/openSMTP.js 
+++ b/plugins/aws/ec2/openSMTP.js @@ -43,7 +43,7 @@ module.exports = { remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'], rollback:['ec2:AuthorizeSecurityGroupIngress'] }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openSNMP.js b/plugins/aws/ec2/openSNMP.js index 7ae8c61642..c4dc1a706f 100644 --- a/plugins/aws/ec2/openSNMP.js +++ b/plugins/aws/ec2/openSNMP.js @@ -43,7 +43,7 @@ module.exports = { remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'], rollback:['ec2:AuthorizeSecurityGroupIngress'] }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openSQLServer.js b/plugins/aws/ec2/openSQLServer.js index 8a97b50398..7c90205ef7 100644 --- a/plugins/aws/ec2/openSQLServer.js +++ b/plugins/aws/ec2/openSQLServer.js @@ -43,7 +43,7 @@ module.exports = { remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'], rollback:['ec2:AuthorizeSecurityGroupIngress'] }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openSSH.js b/plugins/aws/ec2/openSSH.js index 782e159143..0f4ae55f82 100644 --- a/plugins/aws/ec2/openSSH.js +++ b/plugins/aws/ec2/openSSH.js 
@@ -46,7 +46,7 @@ module.exports = { remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'], rollback:['ec2:AuthorizeSecurityGroupIngress'] }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openSalt.js b/plugins/aws/ec2/openSalt.js index 53febc3550..b8fd45ee98 100644 --- a/plugins/aws/ec2/openSalt.js +++ b/plugins/aws/ec2/openSalt.js @@ -43,7 +43,7 @@ module.exports = { remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'], rollback:['ec2:AuthorizeSecurityGroupIngress'] }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openTelnet.js b/plugins/aws/ec2/openTelnet.js index 7e8ac7ca59..e1a681488d 100644 --- a/plugins/aws/ec2/openTelnet.js +++ b/plugins/aws/ec2/openTelnet.js @@ -43,7 +43,7 @@ module.exports = { remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'], rollback:['ec2:AuthorizeSecurityGroupIngress'] }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openVNCClient.js b/plugins/aws/ec2/openVNCClient.js index df8ffbdf63..72b00bf760 100644 --- a/plugins/aws/ec2/openVNCClient.js +++ b/plugins/aws/ec2/openVNCClient.js 
@@ -43,7 +43,7 @@ module.exports = { remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'], rollback:['ec2:AuthorizeSecurityGroupIngress'] }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/openVNCServer.js b/plugins/aws/ec2/openVNCServer.js index 51094c354b..e16a0efe9b 100644 --- a/plugins/aws/ec2/openVNCServer.js +++ b/plugins/aws/ec2/openVNCServer.js @@ -43,7 +43,7 @@ module.exports = { remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'], rollback:['ec2:AuthorizeSecurityGroupIngress'] }, - realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/ec2/overlappingSecurityGroups.js b/plugins/aws/ec2/overlappingSecurityGroups.js index ff1e443aeb..83e241fc92 100644 --- a/plugins/aws/ec2/overlappingSecurityGroups.js +++ b/plugins/aws/ec2/overlappingSecurityGroups.js @@ -13,7 +13,7 @@ module.exports = { recommended_action: 'Structure security groups to provide a single category of access and do not ' + 'duplicate rules across groups used by the same instances.', apis: ['EC2:describeInstances', 'EC2:describeSecurityGroups'], - realtime_triggers: ['ec2:RunInnstance', 'ec2:modify-instance-attribute', 'ec2:ModifySecurityGroupRules'], + realtime_triggers: ['ec2:RunInnstance', 'ec2:ModifyInstanceAttribute', 'ec2:ModifySecurityGroupRules'], run: function(cache, settings, callback) { var results = []; From 784fd6ece7ea7d11324c468007eddabfd0b86076 Mon Sep 17 00:00:00 2001 
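Review bot: The new line in overlappingSecurityGroups.js still carries `ec2:RunInnstance`: the commit corrects `ec2:modify-instance-attribute` to `ec2:ModifyInstanceAttribute` but leaves the misspelt neighbour, and the EC2 action is `RunInstances`, so that entry can never match an event. The line should read `realtime_triggers: ['ec2:RunInstances', 'ec2:ModifyInstanceAttribute', 'ec2:ModifySecurityGroupRules'],`. A trigger that never fires fails silently; if the list is matched against recorded event names, a test that checks each plugin's entries against a known action list would catch this class of typo before merge. The enclosing `module.exports` object starts outside the hunk.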
From: muzzamilinovaqo Date: Fri, 15 Sep 2023 16:55:48 +0500 Subject: [PATCH 020/498] fixed service name for triggers --- plugins/aws/accessanalyzer/accessAnalyzerActiveFindings.js | 2 +- plugins/aws/accessanalyzer/accessAnalyzerEnabled.js | 2 +- plugins/aws/acm/acmCertificateExpiry.js | 2 +- plugins/aws/acm/acmCertificateHasTags.js | 2 +- plugins/aws/acm/acmSingleDomainNameCertificate.js | 2 +- plugins/aws/acm/acmValidation.js | 2 +- plugins/aws/apigateway/apiStageLevelCacheEncryption.js | 2 +- plugins/aws/apigateway/apigatewayAuthorization.js | 2 +- plugins/aws/apigateway/apigatewayCertificateRotation.js | 2 +- plugins/aws/apigateway/apigatewayClientCertificate.js | 2 +- plugins/aws/apigateway/apigatewayCloudwatchLogs.js | 2 +- plugins/aws/apigateway/apigatewayContentEncoding.js | 2 +- plugins/aws/apigateway/apigatewayDefaultEndpointDisabled.js | 2 +- plugins/aws/apigateway/apigatewayPrivateEndpoints.js | 2 +- plugins/aws/apigateway/apigatewayResponseCaching.js | 2 +- plugins/aws/apigateway/apigatewayTracingEnabled.js | 2 +- plugins/aws/apigateway/apigatewayWafEnabled.js | 2 +- plugins/aws/apigateway/customDomainTlsVersion.js | 2 +- plugins/aws/apigateway/detailedCloudWatchMetrics.js | 2 +- plugins/aws/appflow/flowEncrypted.js | 2 +- plugins/aws/appmesh/appmeshTLSRequired.js | 2 +- plugins/aws/appmesh/appmeshVGAccessLogging.js | 2 +- plugins/aws/appmesh/appmeshVGHealthChecks.js | 2 +- plugins/aws/appmesh/restrictExternalTraffic.js | 2 +- plugins/aws/apprunner/serviceEncrypted.js | 2 +- plugins/aws/auditmanager/auditmanagerDataEncrypted.js | 2 +- plugins/aws/autoscaling/appTierAsgApprovedAmi.js | 2 +- plugins/aws/autoscaling/appTierAsgCloudwatchLogs.js | 2 +- plugins/aws/autoscaling/appTierIamRole.js | 2 +- plugins/aws/autoscaling/asgActiveNotifications.js | 2 +- plugins/aws/autoscaling/asgCooldownPeriod.js | 2 +- plugins/aws/autoscaling/asgMissingELB.js | 2 +- plugins/aws/autoscaling/asgMissingSecurityGroups.js | 2 +- plugins/aws/autoscaling/asgMultiAz.js | 2 +- 
plugins/aws/autoscaling/asgSuspendedProcesses.js | 2 +- plugins/aws/autoscaling/asgUnusedLaunchConfiguration.js | 2 +- plugins/aws/autoscaling/elbHealthCheckActive.js | 2 +- plugins/aws/autoscaling/emptyASG.js | 2 +- plugins/aws/autoscaling/sameAzElb.js | 2 +- plugins/aws/autoscaling/webTierAsgApprovedAmi.js | 2 +- plugins/aws/autoscaling/webTierAsgAssociatedElb.js | 2 +- plugins/aws/autoscaling/webTierAsgCloudwatchLogs.js | 2 +- plugins/aws/autoscaling/webTierIamRole.js | 2 +- plugins/aws/backup/backupDeletionProtection.js | 2 +- plugins/aws/backup/backupInUseForRDSSnapshots.js | 2 +- plugins/aws/backup/backupNotificationEnabled.js | 2 +- plugins/aws/backup/backupResourceProtection.js | 2 +- plugins/aws/backup/backupVaultEncrypted.js | 2 +- plugins/aws/backup/backupVaultHasTags.js | 2 +- plugins/aws/backup/backupVaultPolicies.js | 2 +- plugins/aws/backup/compliantLifecycleConfigured.js | 2 +- plugins/aws/cloudformation/cloudformationAdminPriviliges.js | 2 +- plugins/aws/cloudformation/cloudformationInUse.js | 2 +- plugins/aws/cloudformation/driftDetection.js | 2 +- plugins/aws/cloudformation/plainTextParameters.js | 2 +- plugins/aws/cloudformation/stackFailedStatus.js | 2 +- plugins/aws/cloudformation/stackNotifications.js | 2 +- plugins/aws/cloudfront/cloudfrontCustomOriginHttpsOnly.js | 2 +- plugins/aws/cloudfront/cloudfrontFieldLevelEncryption.js | 2 +- plugins/aws/cloudfront/cloudfrontGeoRestriction.js | 2 +- plugins/aws/cloudtrail/cloudtrailBucketAccessLogging.js | 2 +- plugins/aws/cloudtrail/cloudtrailBucketDelete.js | 2 +- plugins/aws/cloudtrail/cloudtrailBucketPrivate.js | 2 +- plugins/aws/cloudtrail/cloudtrailDataEvents.js | 2 +- plugins/aws/cloudtrail/cloudtrailDeliveryFailing.js | 2 +- plugins/aws/cloudtrail/cloudtrailEnabled.js | 2 +- plugins/aws/cloudtrail/cloudtrailManagementEvents.js | 2 +- plugins/aws/cloudtrail/cloudtrailNotificationsEnabled.js | 2 +- plugins/aws/cloudtrail/cloudtrailObjectLock.js | 2 +- 
plugins/aws/cloudtrail/cloudtrailS3Bucket.js | 2 +- plugins/aws/cloudtrail/cloudtrailToCloudwatch.js | 2 +- plugins/aws/cloudtrail/globalLoggingDuplicated.js | 2 +- plugins/aws/cloudwatch/vpcFlowLogsMetricAlarm.js | 2 +- plugins/aws/cloudwatchlogs/logGroupsEncrypted.js | 2 +- plugins/aws/cloudwatchlogs/logRetentionPeriod.js | 2 +- plugins/aws/cloudwatchlogs/monitoringMetrics.js | 2 +- plugins/aws/codeartifact/codeartifactDomainEncrypted.js | 2 +- plugins/aws/codebuild/codebuildValidSourceProviders.js | 2 +- plugins/aws/codebuild/projectArtifactsEncrypted.js | 2 +- plugins/aws/codepipeline/pipelineArtifactsEncrypted.js | 2 +- plugins/aws/codestar/codestarValidRepoProviders.js | 2 +- plugins/aws/cognito/cognitoHasWafEnabled.js | 2 +- plugins/aws/comprehend/outputResultEncryption.js | 2 +- plugins/aws/comprehend/volumeEncryption.js | 2 +- plugins/aws/computeoptimizer/asgOptimized.js | 2 +- plugins/aws/computeoptimizer/ebsVolumesOptimized.js | 2 +- plugins/aws/computeoptimizer/ec2InstancesOptimized.js | 2 +- plugins/aws/computeoptimizer/lambdaFunctionsOptimized.js | 2 +- plugins/aws/computeoptimizer/optimizerRecommendationsEnabled.js | 2 +- plugins/aws/configservice/configComplaintRules.js | 2 +- plugins/aws/configservice/configDeliveryFailing.js | 2 +- plugins/aws/configservice/configServiceEnabled.js | 2 +- plugins/aws/configservice/configServiceMissingBucket.js | 2 +- plugins/aws/configservice/servicesInUse.js | 2 +- plugins/aws/devopsguru/devOpsGuruNotificationEnabled.js | 2 +- plugins/aws/dms/autoMinorVersionUpgrade.js | 2 +- plugins/aws/dms/dmsEncryptionEnabled.js | 2 +- plugins/aws/dms/dmsMultiAZFeatureEnabled.js | 2 +- plugins/aws/dms/dmsPubliclyAccessibleInstances.js | 2 +- plugins/aws/documentDB/docdbClusterBackupRetention.js | 2 +- plugins/aws/documentDB/docdbClusterEncrypted.js | 2 +- plugins/aws/dynamodb/daxClusterEncryption.js | 2 +- plugins/aws/dynamodb/dynamoContinuousBackups.js | 2 +- plugins/aws/dynamodb/dynamoKmsEncryption.js | 2 +- 
plugins/aws/dynamodb/dynamoTableBackupExists.js | 2 +- plugins/aws/dynamodb/dynamoTableHasTags.js | 2 +- plugins/aws/dynamodb/dynamoUnusedTable.js | 2 +- plugins/aws/iam/accessKeysExtra.js | 2 +- plugins/aws/iam/accessKeysLastUsed.js | 2 +- plugins/aws/iam/accessKeysRotated.js | 2 +- plugins/aws/iam/canaryKeysUsed.js | 2 +- plugins/aws/iam/certificateExpiry.js | 2 +- plugins/aws/iam/crossAccountMfaExtIdAccess.js | 2 +- plugins/aws/iam/emptyGroups.js | 2 +- plugins/aws/iam/groupInlinePolicies.js | 2 +- plugins/aws/iam/iamMasterManagerRoles.js | 2 +- plugins/aws/iam/iamPoliciesPresent.js | 2 +- plugins/aws/iam/iamRoleHasTags.js | 2 +- plugins/aws/iam/iamRoleLastUsed.js | 2 +- plugins/aws/iam/iamRolePolicies.js | 2 +- plugins/aws/iam/iamSupportPolicy.js | 2 +- plugins/aws/iam/iamUserAdmins.js | 2 +- plugins/aws/iam/iamUserHasTags.js | 2 +- plugins/aws/iam/iamUserInUse.js | 2 +- plugins/aws/iam/iamUserNameRegex.js | 2 +- plugins/aws/iam/iamUserNotInUse.js | 2 +- plugins/aws/iam/iamUserPresent.js | 2 +- plugins/aws/iam/iamUserUnauthorizedToEdit.js | 2 +- plugins/aws/iam/iamUserWithoutPermissions.js | 2 +- plugins/aws/iam/maxPasswordAge.js | 2 +- plugins/aws/iam/minPasswordLength.js | 2 +- plugins/aws/iam/noUserIamPolicies.js | 2 +- plugins/aws/iam/passwordExpiration.js | 2 +- plugins/aws/iam/passwordPolicyExists.js | 2 +- plugins/aws/iam/passwordRequiresLowercase.js | 2 +- plugins/aws/iam/passwordRequiresNumbers.js | 2 +- plugins/aws/iam/passwordRequiresSymbols.js | 2 +- plugins/aws/iam/passwordRequiresUppercase.js | 2 +- plugins/aws/iam/passwordReusePrevention.js | 2 +- plugins/aws/iam/policyAllowsToChangePassword.js | 2 +- plugins/aws/iam/rolePolicyUnusedServices.js | 2 +- plugins/aws/iam/rootAccessKeys.js | 2 +- plugins/aws/iam/rootAccountInUse.js | 2 +- plugins/aws/iam/rootHardwareMfa.js | 2 +- plugins/aws/iam/rootMfaEnabled.js | 2 +- plugins/aws/iam/rootSigningCertificate.js | 2 +- plugins/aws/iam/sshKeysRotated.js | 2 +- plugins/aws/iam/trustedCrossAccountRoles.js 
| 2 +- plugins/aws/iam/usersMfaEnabled.js | 2 +- plugins/aws/iam/usersPasswordAndKeys.js | 2 +- plugins/aws/iam/usersPasswordLastUsed.js | 2 +- plugins/aws/imagebuilder/dockerfileTemplateEncrypted.js | 2 +- plugins/aws/imagebuilder/enhancedMetadataEnabled.js | 2 +- plugins/aws/iotsitewise/iotsitewiseDataEncrypted.js | 2 +- plugins/aws/kendra/kendraIndexEncrypted.js | 2 +- plugins/aws/kinesis/kinesisDataStreamsEncrypted.js | 2 +- plugins/aws/kinesisvideo/videostreamDataEncrypted.js | 2 +- plugins/aws/kms/kmsAppTierCmk.js | 2 +- plugins/aws/kms/kmsDefaultKeyUsage.js | 2 +- plugins/aws/kms/kmsDuplicateGrants.js | 2 +- plugins/aws/kms/kmsGrantLeastPrivilege.js | 2 +- plugins/aws/kms/kmsKeyPolicy.js | 2 +- plugins/aws/kms/kmsKeyRotation.js | 2 +- plugins/aws/kms/kmsScheduledDeletion.js | 2 +- 164 files changed, 164 insertions(+), 164 deletions(-) diff --git a/plugins/aws/accessanalyzer/accessAnalyzerActiveFindings.js b/plugins/aws/accessanalyzer/accessAnalyzerActiveFindings.js index 26d6f60714..c570878e3f 100644 --- a/plugins/aws/accessanalyzer/accessAnalyzerActiveFindings.js +++ b/plugins/aws/accessanalyzer/accessAnalyzerActiveFindings.js @@ -11,7 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-work-with-findings.html', recommended_action: 'Investigate into active findings in your account and do the needful until you have zero active findings.', apis: ['AccessAnalyzer:listAnalyzers', 'AccessAnalyzer:listFindings'], - realtime_triggers: ['AccessAnalyzer:CreateAnalyzer','AccessAnalyzer:CreateArchiveRule','AccessAnalyzer:UpdateArchiveRule'], + realtime_triggers: ['accessanalyzer:CreateAnalyzer','accessanalyzer:CreateArchiveRule','accessanalyzer:UpdateArchiveRule'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/accessanalyzer/accessAnalyzerEnabled.js b/plugins/aws/accessanalyzer/accessAnalyzerEnabled.js index ba28e880ee..f8edc608ae 100644 
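Review bot: The lowercasing in accessAnalyzerActiveFindings.js (and the acm and apigateway hunks on the following lines) is applied by hand across 164 files with nothing that pins the convention, so the next plugin can reintroduce `ACM:` just as easily. The `apis` list directly above keeps the SDK-style PascalCase name (`AccessAnalyzer:listAnalyzers`) while `realtime_triggers` now requires a lowercase service prefix, and that deliberate difference is not documented anywhere in the hunk. A comment at the first corrected entry, `// realtime_triggers use the lowercase service prefix (e.g. 'acm:'), unlike the SDK names in apis`, together with a unit test asserting every plugin's trigger entries match `/^[a-z0-9-]+:/`, would make the fix durable rather than a one-off sweep. The enclosing `module.exports` object starts outside the hunk.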
--- a/plugins/aws/accessanalyzer/accessAnalyzerEnabled.js +++ b/plugins/aws/accessanalyzer/accessAnalyzerEnabled.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html', recommended_action: 'Enable Access Analyzer for all regions', apis: ['AccessAnalyzer:listAnalyzers'], - realtime_triggers: ['AccessAnalyzer:CreateAnalyzer'], + realtime_triggers: ['accessanalyzer:CreateAnalyzer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/acm/acmCertificateExpiry.js b/plugins/aws/acm/acmCertificateExpiry.js index 4557293884..29efa2ef12 100644 --- a/plugins/aws/acm/acmCertificateExpiry.js +++ b/plugins/aws/acm/acmCertificateExpiry.js @@ -27,7 +27,7 @@ module.exports = { default: 30 } }, - realtime_triggers: ['ACM:RequestCertificate','ACM:ImportCertificate'], + realtime_triggers: ['acm:RequestCertificate','acm:ImportCertificate'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/acm/acmCertificateHasTags.js b/plugins/aws/acm/acmCertificateHasTags.js index 76fee20768..51bbb92767 100644 --- a/plugins/aws/acm/acmCertificateHasTags.js +++ b/plugins/aws/acm/acmCertificateHasTags.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/acm/latest/userguide/tags.html', recommended_action: 'Modify ACM certificate and add tags.', apis: ['ACM:listCertificates', 'ResourceGroupsTaggingAPI:getResources'], - realtime_triggers: ['ACM:RequestCertificate','ACM:ImportCertificate','ACM:AddTagsToCertificate', 'ACM:RemoveTagsFromCertificate'], + realtime_triggers: ['acm:RequestCertificate','acm:ImportCertificate','acm:AddTagsToCertificate', 'acm:RemoveTagsFromCertificate'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/acm/acmSingleDomainNameCertificate.js b/plugins/aws/acm/acmSingleDomainNameCertificate.js index 1cb61402e3..a649c1628d 100644 
--- a/plugins/aws/acm/acmSingleDomainNameCertificate.js +++ b/plugins/aws/acm/acmSingleDomainNameCertificate.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html', recommended_action: 'Configure ACM managed certificates to use single name domain instead of wildcards.', apis: ['ACM:listCertificates', 'ACM:describeCertificate'], - realtime_triggers: ['ACM:RequestCertificate','ACM:ImportCertificate'], + realtime_triggers: ['acm:RequestCertificate','acm:ImportCertificate'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/acm/acmValidation.js b/plugins/aws/acm/acmValidation.js index 43178516d2..a1668e57bf 100644 --- a/plugins/aws/acm/acmValidation.js +++ b/plugins/aws/acm/acmValidation.js @@ -11,7 +11,7 @@ module.exports = { cs_link: 'https://cloudsploit.com/remediations/aws/acm/acm-certificate-validation', recommended_action: 'Configure ACM managed certificates to use DNS validation.', apis: ['ACM:listCertificates', 'ACM:describeCertificate'], - realtime_triggers: ['ACM:RequestCertificate','ACM:ImportCertificate'], + realtime_triggers: ['acm:RequestCertificate','acm:ImportCertificate'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/apigateway/apiStageLevelCacheEncryption.js b/plugins/aws/apigateway/apiStageLevelCacheEncryption.js index 3c7986b0da..2c1e85aeed 100644 --- a/plugins/aws/apigateway/apiStageLevelCacheEncryption.js +++ b/plugins/aws/apigateway/apiStageLevelCacheEncryption.js 
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Modify API Gateway API stages to enable encryption on cache data',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/data-protection-encryption.html',
 apis: ['APIGateway:getRestApis', 'APIGateway:getStages'],
- realtime_triggers: ['APIGateway:CreateStage','APIGateway:UpdateStage'],
+ realtime_triggers: ['apigateway:CreateStage','apigateway:UpdateStage'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/apigateway/apigatewayAuthorization.js b/plugins/aws/apigateway/apigatewayAuthorization.js
index e3f28d2cae..7bde9401aa 100644
--- a/plugins/aws/apigateway/apigatewayAuthorization.js
+++ b/plugins/aws/apigateway/apigatewayAuthorization.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Modify API Gateway configuration and ensure that appropriate authorizers are set up for each API.',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html',
 apis: ['APIGateway:getRestApis', 'APIGateway:getAuthorizers'],
- realtime_triggers: ['APIGateway:CreateRestApi','APIGateway:CreateAuthorizer'],
+ realtime_triggers: ['apigateway:CreateRestApi','apigateway:CreateAuthorizer'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayCertificateRotation.js b/plugins/aws/apigateway/apigatewayCertificateRotation.js
index 9b95e7a2e0..6aa81501e3 100644
--- a/plugins/aws/apigateway/apigatewayCertificateRotation.js
+++ b/plugins/aws/apigateway/apigatewayCertificateRotation.js
@@ -18,7 +18,7 @@ module.exports = {
 default: '30',
 }
 },
- realtime_triggers: ['APIGateway:CreateRestApi','APIGateway:GenerateClientCertificate','APIGateway:DeleteClientCertificate'],
+ realtime_triggers: ['apigateway:CreateRestApi','apigateway:GenerateClientCertificate','apigateway:DeleteClientCertificate'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayClientCertificate.js b/plugins/aws/apigateway/apigatewayClientCertificate.js
index 22737c314b..9ad86fdc34 100644
--- a/plugins/aws/apigateway/apigatewayClientCertificate.js
+++ b/plugins/aws/apigateway/apigatewayClientCertificate.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Attach client certificate to API Gateway API stages',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html',
 apis: ['APIGateway:getRestApis', 'APIGateway:getStages'],
- realtime_triggers: ['APIGateway:CreateStage','APIGateway:UpdateStage'],
+ realtime_triggers: ['apigateway:CreateStage','apigateway:UpdateStage'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayCloudwatchLogs.js b/plugins/aws/apigateway/apigatewayCloudwatchLogs.js
index 4e47592c4c..5d07e7b299 100644
--- a/plugins/aws/apigateway/apigatewayCloudwatchLogs.js
+++ b/plugins/aws/apigateway/apigatewayCloudwatchLogs.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Modify API Gateway API stages to enable CloudWatch Logs',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html',
 apis: ['APIGateway:getRestApis', 'APIGateway:getStages'],
- realtime_triggers: ['APIGateway:CreateStage','APIGateway:UpdateStage'],
+ realtime_triggers: ['apigateway:CreateStage','apigateway:UpdateStage'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayContentEncoding.js b/plugins/aws/apigateway/apigatewayContentEncoding.js
index b4a15af76a..c054cc4423 100644
--- a/plugins/aws/apigateway/apigatewayContentEncoding.js
+++ b/plugins/aws/apigateway/apigatewayContentEncoding.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Enable content encoding and set minimum compression size of API Gateway API response',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-gzip-compression-decompression.html',
 apis: ['APIGateway:getRestApis'],
- realtime_triggers: ['APIGateway:CreateRestApi','APIGateway:UpdateRestApi'],
+ realtime_triggers: ['apigateway:CreateRestApi','apigateway:UpdateRestApi'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/apigateway/apigatewayDefaultEndpointDisabled.js b/plugins/aws/apigateway/apigatewayDefaultEndpointDisabled.js
index fdde20a4e0..33ac7aa18d 100644
--- a/plugins/aws/apigateway/apigatewayDefaultEndpointDisabled.js
+++ b/plugins/aws/apigateway/apigatewayDefaultEndpointDisabled.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Modify API Gateway to disable default execute-api endpoint.',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html',
 apis: ['APIGateway:getRestApis'],
- realtime_triggers: ['APIGateway:CreateRestApi','APIGateway:UpdateRestApi'],
+ realtime_triggers: ['apigateway:CreateRestApi','apigateway:UpdateRestApi'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayPrivateEndpoints.js b/plugins/aws/apigateway/apigatewayPrivateEndpoints.js
index 947c958803..25c3dca34b 100644
--- a/plugins/aws/apigateway/apigatewayPrivateEndpoints.js
+++ b/plugins/aws/apigateway/apigatewayPrivateEndpoints.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Set API Gateway API endpoint configuration to private',
 link: 'https://aws.amazon.com/blogs/compute/introducing-amazon-api-gateway-private-endpoints',
 apis: ['APIGateway:getRestApis'],
- realtime_triggers: ['APIGateway:CreateRestApi','APIGateway:UpdateRestApi'],
+ realtime_triggers: ['apigateway:CreateRestApi','apigateway:UpdateRestApi'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayResponseCaching.js b/plugins/aws/apigateway/apigatewayResponseCaching.js
index d14894204d..a2f6fde8e2 100644
--- a/plugins/aws/apigateway/apigatewayResponseCaching.js
+++ b/plugins/aws/apigateway/apigatewayResponseCaching.js
@@ -11,7 +11,7 @@ module.exports = {
 recommended_action: 'Modify API Gateway API stages to enable API cache',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html',
 apis: ['APIGateway:getRestApis', 'APIGateway:getStages'],
- realtime_triggers: ['APIGateway:CreateStage','APIGateway:UpdateStage'],
+ realtime_triggers: ['apigateway:CreateStage','apigateway:UpdateStage'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayTracingEnabled.js b/plugins/aws/apigateway/apigatewayTracingEnabled.js
index ddb679bbbe..64ed04cf0c 100644
--- a/plugins/aws/apigateway/apigatewayTracingEnabled.js
+++ b/plugins/aws/apigateway/apigatewayTracingEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Enable tracing on API Gateway API stages',
 link: 'https://docs.aws.amazon.com/xray/latest/devguide/xray-services-apigateway.html',
 apis: ['APIGateway:getRestApis', 'APIGateway:getStages'],
- realtime_triggers: ['APIGateway:CreateStage','APIGateway:UpdateStage'],
+ realtime_triggers: ['apigateway:CreateStage','apigateway:UpdateStage'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/apigateway/apigatewayWafEnabled.js b/plugins/aws/apigateway/apigatewayWafEnabled.js
index 537f27a3e9..8d6be873fb 100644
--- a/plugins/aws/apigateway/apigatewayWafEnabled.js
+++ b/plugins/aws/apigateway/apigatewayWafEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Associate API Gateway API with Web Application Firewall',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html',
 apis: ['APIGateway:getRestApis', 'APIGateway:getStages'],
- realtime_triggers: ['APIGateway:CreateRestApi','WAFRegional:AssociateWebACL'],
+ realtime_triggers: ['apigateway:CreateRestApi','wafregional:AssociateWebACL'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/apigateway/customDomainTlsVersion.js b/plugins/aws/apigateway/customDomainTlsVersion.js
index 00841398c1..e379331885 100644
--- a/plugins/aws/apigateway/customDomainTlsVersion.js
+++ b/plugins/aws/apigateway/customDomainTlsVersion.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Modify API Gateway custom domain security policy and specify new TLS version.',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html',
 apis: ['APIGateway:getDomainNames'],
- realtime_triggers: ['APIGateway:CreateDomainName','APIGateway:UpdateDomainName'],
+ realtime_triggers: ['apigateway:CreateDomainName','apigateway:UpdateDomainName'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/detailedCloudWatchMetrics.js b/plugins/aws/apigateway/detailedCloudWatchMetrics.js
index 2ca4243788..f84d0a3102 100644
--- a/plugins/aws/apigateway/detailedCloudWatchMetrics.js
+++ b/plugins/aws/apigateway/detailedCloudWatchMetrics.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Add CloudWatch role ARN to API settings and enabled detailed metrics for each stage',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-metrics.html',
 apis: ['APIGateway:getRestApis', 'APIGateway:getStages'],
- realtime_triggers: ['APIGateway:CreateStage','APIGateway:UpdateStage'],
+ realtime_triggers: ['apigateway:CreateStage','apigateway:UpdateStage'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/appflow/flowEncrypted.js b/plugins/aws/appflow/flowEncrypted.js
index 3d4fa39b35..62dae9d518 100644
--- a/plugins/aws/appflow/flowEncrypted.js
+++ b/plugins/aws/appflow/flowEncrypted.js
@@ -19,7 +19,7 @@ module.exports = {
 default: 'awscmk',
 }
 },
- realtime_triggers: ['Appflow:CreateFlow','Appflow:UpdateFlow'],
+ realtime_triggers: ['appflow:CreateFlow','appflow:UpdateFlow'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/appmesh/appmeshTLSRequired.js b/plugins/aws/appmesh/appmeshTLSRequired.js
index 429c336d23..5e0c0ee467 100644
--- a/plugins/aws/appmesh/appmeshTLSRequired.js
+++ b/plugins/aws/appmesh/appmeshTLSRequired.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/app-mesh/latest/APIReference/API_ListenerTls.html',
 recommended_action: 'Restrict AWS App Mesh virtual gateway listeners to accept only TLS enabled connections.',
 apis: ['AppMesh:listMeshes', 'AppMesh:listVirtualGateways', 'AppMesh:describeVirtualGateway'],
- realtime_triggers: ['AppMesh:CreateVirtualGateway','AppMesh:UpdateVirtualGateway'],
+ realtime_triggers: ['appmesh:CreateVirtualGateway','appmesh:UpdateVirtualGateway'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/appmesh/appmeshVGAccessLogging.js b/plugins/aws/appmesh/appmeshVGAccessLogging.js
index 994e6d312f..f9ac531ec4 100644
--- a/plugins/aws/appmesh/appmeshVGAccessLogging.js
+++ b/plugins/aws/appmesh/appmeshVGAccessLogging.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/app-mesh/latest/userguide/envoy-logs.html',
 recommended_action: 'To enable access logging, modify virtual gateway configuration settings and configure the file path to write access logs to.',
 apis: ['AppMesh:listMeshes', 'AppMesh:listVirtualGateways', 'AppMesh:describeVirtualGateway'],
- realtime_triggers: ['AppMesh:CreateVirtualGateway','AppMesh:UpdateVirtualGateway'],
+ realtime_triggers: ['appmesh:CreateVirtualGateway','appmesh:UpdateVirtualGateway'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/appmesh/appmeshVGHealthChecks.js b/plugins/aws/appmesh/appmeshVGHealthChecks.js
index 494bc7b924..281a9121bf 100644
--- a/plugins/aws/appmesh/appmeshVGHealthChecks.js
+++ b/plugins/aws/appmesh/appmeshVGHealthChecks.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_gateway_health_checks.html',
 recommended_action: 'Configure health check policies for the virtual gateway listeners in your App Mesh, specifying values for healthy threshold, health check interval, health check protocol, timeout period, and unhealthy threshold.',
 apis: ['AppMesh:listMeshes', 'AppMesh:listVirtualGateways', 'AppMesh:describeVirtualGateway'],
- realtime_triggers: ['AppMesh:CreateVirtualGateway','AppMesh:UpdateVirtualGateway'],
+ realtime_triggers: ['appmesh:CreateVirtualGateway','appmesh:UpdateVirtualGateway'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/appmesh/restrictExternalTraffic.js b/plugins/aws/appmesh/restrictExternalTraffic.js
index aaa77d85ca..e72c3edeac 100644
--- a/plugins/aws/appmesh/restrictExternalTraffic.js
+++ b/plugins/aws/appmesh/restrictExternalTraffic.js
@@ -12,7 +12,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/app-mesh/latest/userguide/security.html',
 recommended_action: 'Deny all traffic to the external services',
 apis: ['AppMesh:listMeshes', 'AppMesh:describeMesh'],
- realtime_triggers: ['AppMesh:CreateMesh','AppMesh:UpdateMesh'],
+ realtime_triggers: ['appmesh:CreateMesh','appmesh:UpdateMesh'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apprunner/serviceEncrypted.js b/plugins/aws/apprunner/serviceEncrypted.js
index f42658719f..ef5ac901c9 100644
--- a/plugins/aws/apprunner/serviceEncrypted.js
+++ b/plugins/aws/apprunner/serviceEncrypted.js
@@ -19,7 +19,7 @@ module.exports = {
 default: 'awscmk'
 }
 },
- realtime_triggers: ['AppRunner:CreateService','AppRunner:UpdateService'],
+ realtime_triggers: ['apprunner:CreateService','apprunner:UpdateService'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/auditmanager/auditmanagerDataEncrypted.js b/plugins/aws/auditmanager/auditmanagerDataEncrypted.js
index 0e076f670c..0d2f2086f1 100644
--- a/plugins/aws/auditmanager/auditmanagerDataEncrypted.js
+++ b/plugins/aws/auditmanager/auditmanagerDataEncrypted.js
@@ -19,7 +19,7 @@ module.exports = {
 default: 'awscmk',
 }
 },
- realtime_triggers: ['AuditManager:UpdateSettings'],
+ realtime_triggers: ['auditmanager:UpdateSettings'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/appTierAsgApprovedAmi.js b/plugins/aws/autoscaling/appTierAsgApprovedAmi.js
index 881ce7d57b..27e607d5d1 100644
--- a/plugins/aws/autoscaling/appTierAsgApprovedAmi.js
+++ b/plugins/aws/autoscaling/appTierAsgApprovedAmi.js
@@ -24,7 +24,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:UpdateAutoScalingGroup'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/appTierAsgCloudwatchLogs.js b/plugins/aws/autoscaling/appTierAsgCloudwatchLogs.js
index 38baa7a031..5c5e3e2333 100644
--- a/plugins/aws/autoscaling/appTierAsgCloudwatchLogs.js
+++ b/plugins/aws/autoscaling/appTierAsgCloudwatchLogs.js
@@ -32,7 +32,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:UpdateAutoScalingGroup'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/autoscaling/appTierIamRole.js b/plugins/aws/autoscaling/appTierIamRole.js
index 4e46863b9b..1e36a6a5ee 100644
--- a/plugins/aws/autoscaling/appTierIamRole.js
+++ b/plugins/aws/autoscaling/appTierIamRole.js
@@ -18,7 +18,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:UpdateAutoScalingGroup'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/asgActiveNotifications.js b/plugins/aws/autoscaling/asgActiveNotifications.js
index d0c5cee0cf..b9ea40e9ac 100644
--- a/plugins/aws/autoscaling/asgActiveNotifications.js
+++ b/plugins/aws/autoscaling/asgActiveNotifications.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/ASGettingNotifications.html',
 recommended_action: 'Add a notification endpoint to the auto scaling group.',
 apis: ['AutoScaling:describeAutoScalingGroups', 'AutoScaling:describeNotificationConfigurations'],
- realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:PutNotificationConfiguration'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:PutNotificationConfiguration'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/autoscaling/asgCooldownPeriod.js b/plugins/aws/autoscaling/asgCooldownPeriod.js
index 1cc3adfee6..fa44a1381b 100644
--- a/plugins/aws/autoscaling/asgCooldownPeriod.js
+++ b/plugins/aws/autoscaling/asgCooldownPeriod.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/Cooldown.html',
 recommended_action: 'Implement proper cool down period for Auto Scaling groups to temporarily suspend any scaling actions.',
 apis: ['AutoScaling:describeAutoScalingGroups'],
- realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:UpdateAutoScalingGroup'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/asgMissingELB.js b/plugins/aws/autoscaling/asgMissingELB.js
index 05f5208fc0..44973d905f 100644
--- a/plugins/aws/autoscaling/asgMissingELB.js
+++ b/plugins/aws/autoscaling/asgMissingELB.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/attach-load-balancer-asg.html',
 recommended_action: 'Ensure that the Auto Scaling group load balancer has not been deleted. If so, remove it from the ASG.',
 apis: ['AutoScaling:describeAutoScalingGroups', 'ELB:describeLoadBalancers', 'ELBv2:describeLoadBalancers'],
- realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:AttachLoadBalancers'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:AttachLoadBalancers'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/asgMissingSecurityGroups.js b/plugins/aws/autoscaling/asgMissingSecurityGroups.js
index 81057348a3..3b8b5da7e7 100644
--- a/plugins/aws/autoscaling/asgMissingSecurityGroups.js
+++ b/plugins/aws/autoscaling/asgMissingSecurityGroups.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/GettingStartedTutorial.html',
 recommended_action: 'Ensure that the launch configuration security group has not been deleted. If so, remove it from launch configurations',
 apis: ['AutoScaling:describeLaunchConfigurations', 'EC2:describeSecurityGroups'],
- realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:UpdateAutoScalingGroup'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/asgMultiAz.js b/plugins/aws/autoscaling/asgMultiAz.js
index ef9e63b127..6a6fd6edb6 100644
--- a/plugins/aws/autoscaling/asgMultiAz.js
+++ b/plugins/aws/autoscaling/asgMultiAz.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'http://docs.aws.amazon.com/autoscaling/latest/userguide/AutoScalingGroup.html',
 recommended_action: 'Modify the autoscaling instance to enable scaling across multiple availability zones.',
 apis: ['AutoScaling:describeAutoScalingGroups'],
- realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:UpdateAutoScalingGroup'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/autoscaling/asgSuspendedProcesses.js b/plugins/aws/autoscaling/asgSuspendedProcesses.js
index 01e5a9a89b..179d78f489 100644
--- a/plugins/aws/autoscaling/asgSuspendedProcesses.js
+++ b/plugins/aws/autoscaling/asgSuspendedProcesses.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-suspend-resume-processes.html',
 recommended_action: 'Update the AutoScaling group to resume the suspended processes.',
 apis: ['AutoScaling:describeAutoScalingGroups'],
- realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:ResumeProcesses'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:ResumeProcesses'],
diff --git a/plugins/aws/autoscaling/asgUnusedLaunchConfiguration.js b/plugins/aws/autoscaling/asgUnusedLaunchConfiguration.js
index 6351020166..e05d058655 100644
--- a/plugins/aws/autoscaling/asgUnusedLaunchConfiguration.js
+++ b/plugins/aws/autoscaling/asgUnusedLaunchConfiguration.js
@@ -11,7 +11,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/LaunchConfiguration.html',
 recommended_action: 'Identify and remove any Auto Scaling Launch Configuration templates that are not associated anymore with ASGs available in the selected AWS region.',
 apis: ['AutoScaling:describeAutoScalingGroups', 'AutoScaling:describeLaunchConfigurations'],
- realtime_triggers: ['AutoScaling:CreateLaunchConfiguration','AutoScaling:DeleteLaunchConfiguration'],
+ realtime_triggers: ['autoscaling:CreateLaunchConfiguration','autoscaling:DeleteLaunchConfiguration'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/autoscaling/elbHealthCheckActive.js b/plugins/aws/autoscaling/elbHealthCheckActive.js
index b9add4b697..3e2e5401a4 100644
--- a/plugins/aws/autoscaling/elbHealthCheckActive.js
+++ b/plugins/aws/autoscaling/elbHealthCheckActive.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-add-elb-healthcheck.html',
 recommended_action: 'Enable ELB health check for the Auto Scaling groups.',
 apis: ['AutoScaling:describeAutoScalingGroups'],
- realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:UpdateAutoScalingGroup'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/autoscaling/emptyASG.js b/plugins/aws/autoscaling/emptyASG.js
index 94599c1bb8..8e27eb4591 100644
--- a/plugins/aws/autoscaling/emptyASG.js
+++ b/plugins/aws/autoscaling/emptyASG.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/AutoScalingGroup.html',
 recommended_action: 'Delete the unused AutoScaling group.',
 apis: ['AutoScaling:describeAutoScalingGroups'],
- realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:DeleteAutoScalingGroup'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:DeleteAutoScalingGroup'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/autoscaling/sameAzElb.js b/plugins/aws/autoscaling/sameAzElb.js
index 41831d26c9..0389398a3b 100644
--- a/plugins/aws/autoscaling/sameAzElb.js
+++ b/plugins/aws/autoscaling/sameAzElb.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-add-availability-zone.html',
 recommended_action: 'Update the ELB to use the same availability zones as the autoscaling group.',
 apis: ['AutoScaling:describeAutoScalingGroups', 'ELB:describeLoadBalancers', 'ELBv2:describeLoadBalancers'],
- realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:UpdateAutoScalingGroup'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup'],
diff --git a/plugins/aws/autoscaling/webTierAsgApprovedAmi.js b/plugins/aws/autoscaling/webTierAsgApprovedAmi.js
index b35818902d..88e16c9f62 100644
--- a/plugins/aws/autoscaling/webTierAsgApprovedAmi.js
+++ b/plugins/aws/autoscaling/webTierAsgApprovedAmi.js
@@ -24,7 +24,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:UpdateAutoScalingGroup'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/autoscaling/webTierAsgAssociatedElb.js b/plugins/aws/autoscaling/webTierAsgAssociatedElb.js
index ab8946cbb5..bbe29bd1fa 100644
--- a/plugins/aws/autoscaling/webTierAsgAssociatedElb.js
+++ b/plugins/aws/autoscaling/webTierAsgAssociatedElb.js
@@ -18,7 +18,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:AttachLoadBalancers'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:AttachLoadBalancers'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/autoscaling/webTierAsgCloudwatchLogs.js b/plugins/aws/autoscaling/webTierAsgCloudwatchLogs.js
index 3baab1f218..6bfdecde70 100644
--- a/plugins/aws/autoscaling/webTierAsgCloudwatchLogs.js
+++ b/plugins/aws/autoscaling/webTierAsgCloudwatchLogs.js
@@ -32,7 +32,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:UpdateAutoScalingGroup'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/webTierIamRole.js b/plugins/aws/autoscaling/webTierIamRole.js
index 88d9cf745d..ec48122145 100644
--- a/plugins/aws/autoscaling/webTierIamRole.js
+++ b/plugins/aws/autoscaling/webTierIamRole.js
@@ -18,7 +18,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:UpdateAutoScalingGroup'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/backup/backupDeletionProtection.js b/plugins/aws/backup/backupDeletionProtection.js
index 4117f3a0b7..d0bcfd5e07 100644
--- a/plugins/aws/backup/backupDeletionProtection.js
+++ b/plugins/aws/backup/backupDeletionProtection.js
@@ -11,7 +11,7 @@ module.exports = {
 recommended_action: 'Add a statement in Backup vault access policy which denies global access to action: backup:DeleteRecoveryPoint',
 link: 'https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-a-vault-access-policy.html',
 apis: ['Backup:listBackupVaults', 'Backup:getBackupVaultAccessPolicy'],
- realtime_triggers: ['Backup:CreateBackupVault','Backup:PutBackupVaultAccessPolicy'],
+ realtime_triggers: ['backup:CreateBackupVault','backup:PutBackupVaultAccessPolicy'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/backup/backupInUseForRDSSnapshots.js b/plugins/aws/backup/backupInUseForRDSSnapshots.js
index 4e12c2b7d3..c57b0b6314 100644
--- a/plugins/aws/backup/backupInUseForRDSSnapshots.js
+++ b/plugins/aws/backup/backupInUseForRDSSnapshots.js
@@ -11,7 +11,7 @@ module.exports = {
 recommended_action: 'Enable RDS database instance snapshots to improve the reliability of your backup strategy.',
 link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html',
 apis: ['RDS:describeDBSnapshots'],
- realtime_triggers: ['Backup:CreateBackupPlan','Backup:CreateBackupSelection'],
+ realtime_triggers: ['backup:CreateBackupPlan','backup:CreateBackupSelection'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/backup/backupNotificationEnabled.js b/plugins/aws/backup/backupNotificationEnabled.js
index 342c919b4d..75a97316a6 100644
--- a/plugins/aws/backup/backupNotificationEnabled.js
+++ b/plugins/aws/backup/backupNotificationEnabled.js
@@ -11,7 +11,7 @@ module.exports = {
 recommended_action: 'Configure Backup vaults to sent notifications alert for failed backup job events.',
 link: 'https://docs.aws.amazon.com/aws-backup/latest/devguide/sns-notifications.html',
 apis: ['Backup:listBackupVaults', 'Backup:getBackupVaultNotifications'],
- realtime_triggers: ['Backup:CreateBackupVault','Backup:PutBackupVaultNotifications'],
+ realtime_triggers: ['backup:CreateBackupVault','backup:PutBackupVaultNotifications'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/backup/backupResourceProtection.js b/plugins/aws/backup/backupResourceProtection.js
index bd67870ff3..2d2959c8ca 100644
--- a/plugins/aws/backup/backupResourceProtection.js
+++ b/plugins/aws/backup/backupResourceProtection.js
@@ -19,7 +19,7 @@ module.exports = {
 default:''
 }
 },
- realtime_triggers: ['Backup:UpdateRegionSettings'],
+ realtime_triggers: ['backup:UpdateRegionSettings'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/backup/backupVaultEncrypted.js b/plugins/aws/backup/backupVaultEncrypted.js
index f726a36f0b..3550a9ad5b 100644
--- a/plugins/aws/backup/backupVaultEncrypted.js
+++ b/plugins/aws/backup/backupVaultEncrypted.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 'awscmk',
 }
 },
- realtime_triggers: ['Backup:CreateBackupVault','Backup:UpdateBackupPlan'],
+ realtime_triggers: ['backup:CreateBackupVault','backup:UpdateBackupPlan'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/backup/backupVaultHasTags.js b/plugins/aws/backup/backupVaultHasTags.js
index b5fc81c0d8..6bc7556f01 100644
--- a/plugins/aws/backup/backupVaultHasTags.js
+++ b/plugins/aws/backup/backupVaultHasTags.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Modify Backup Vault and add tags.',
 link: 'https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-a-vault.html',
 apis: ['Backup:listBackupVaults', 'ResourceGroupsTaggingAPI:getResources'],
- realtime_triggers: ['Backup:CreateBackupVault','Backup:TagResource'],
+ realtime_triggers: ['backup:CreateBackupVault','backup:TagResource'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/backup/backupVaultPolicies.js b/plugins/aws/backup/backupVaultPolicies.js
index 168fa8d9b5..106a7534ea 100644
--- a/plugins/aws/backup/backupVaultPolicies.js
+++ b/plugins/aws/backup/backupVaultPolicies.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Ensure that all Backup Vault policies are scoped to specific services and API calls.',
 link: 'https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-a-vault-access-policy.html',
 apis: ['Backup:listBackupVaults', 'Backup:getBackupVaultAccessPolicy', 'STS:getCallerIdentity'],
- realtime_triggers: ['Backup:CreateBackupVault','Backup:PutBackupVaultAccessPolicy'],
+ realtime_triggers: ['backup:CreateBackupVault','backup:PutBackupVaultAccessPolicy'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/backup/compliantLifecycleConfigured.js b/plugins/aws/backup/compliantLifecycleConfigured.js
index 7083e333f0..ab44848c78 100644
--- a/plugins/aws/backup/compliantLifecycleConfigured.js
+++ b/plugins/aws/backup/compliantLifecycleConfigured.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Enable compliant lifecycle configuration for your Amazon Backup plans',
 link: 'https://docs.aws.amazon.com/aws-backup/latest/devguide/API_Lifecycle.html',
 apis: ['Backup:listBackupPlans', 'Backup:getBackupPlan'],
- realtime_triggers: ['Backup:CreateBackupPlan','Backup:UpdateBackupPlan'],
+ realtime_triggers: ['backup:CreateBackupPlan','backup:UpdateBackupPlan'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudformation/cloudformationAdminPriviliges.js b/plugins/aws/cloudformation/cloudformationAdminPriviliges.js
index 775f91c5bd..52bb514f3c 100644
--- a/plugins/aws/cloudformation/cloudformationAdminPriviliges.js
+++ b/plugins/aws/cloudformation/cloudformationAdminPriviliges.js
@@ -14,7 +14,7 @@ module.exports = {
 recommended_action: 'Modify IAM role attached with AWS CloudFormation stack to provide the minimal amount of access required to perform its tasks',
 apis: ['CloudFormation:listStacks', 'CloudFormation:describeStacks', 'IAM:listRoles', 'IAM:listAttachedRolePolicies', 'IAM:listRolePolicies', 'IAM:listPolicies', 'IAM:getPolicy', 'IAM:getPolicyVersion', 'IAM:getRolePolicy'],
- realtime_triggers: ['CloudFormation:CreateStack','IAM:CreatePolicyVersion','IAM:PutRolePolicy'],
+ realtime_triggers: ['cloudformation:CreateStack','IAM:CreatePolicyVersion','IAM:PutRolePolicy'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/cloudformation/cloudformationInUse.js b/plugins/aws/cloudformation/cloudformationInUse.js
index 2ff8fcc57e..06c8e779ba 100644
--- a/plugins/aws/cloudformation/cloudformationInUse.js
+++ b/plugins/aws/cloudformation/cloudformationInUse.js
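Review bot: In the cloudformationAdminPriviliges.js hunk the new `realtime_triggers` line lowercases only the CloudFormation prefix and leaves `IAM:CreatePolicyVersion` and `IAM:PutRolePolicy` in their original case, while every other hunk in this commit, including the cross-service `wafregional:AssociateWebACL` entry in apigatewayWafEnabled.js, lowercases all service prefixes. If the component that matches these trigger names against incoming events compares them case-sensitively (that code is not in this diff) the two IAM events would stop triggering this plugin, which silently weakens a privilege-escalation check rather than failing loudly. Suggest `realtime_triggers: ['cloudformation:CreateStack','iam:CreatePolicyVersion','iam:PutRolePolicy'],` for consistency with the rest of the change, or a short comment on that line stating why the IAM entries keep their capitalization. The enclosing `module.exports` object starts before and continues after the hunk.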
@@ -12,7 +12,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html',
 recommended_action: 'Check if CloudFormation is in use or not by observing the stacks',
 apis: ['CloudFormation:describeStacks'],
- realtime_triggers: ['CloudFormation:CreateStack'],
+ realtime_triggers: ['cloudformation:CreateStack'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudformation/driftDetection.js b/plugins/aws/cloudformation/driftDetection.js
index 9345987dad..79fee1fd18 100644
--- a/plugins/aws/cloudformation/driftDetection.js
+++ b/plugins/aws/cloudformation/driftDetection.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import-resolve-drift.html',
 recommended_action: 'Resolve CloudFormation stack drift by importing drifted resource back to the stack.',
 apis: ['CloudFormation:listStacks'],
- realtime_triggers: ['CloudFormation:CreateStack','CloudFormation:UpdateStack'],
+ realtime_triggers: ['cloudformation:CreateStack','cloudformation:UpdateStack'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudformation/plainTextParameters.js b/plugins/aws/cloudformation/plainTextParameters.js
index c5e72bc7f0..426e14e8c9 100644
--- a/plugins/aws/cloudformation/plainTextParameters.js
+++ b/plugins/aws/cloudformation/plainTextParameters.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 'secret,password,privatekey'
 }
 },
- realtime_triggers: ['CloudFormation:CreateStack','CloudFormation:UpdateStack'],
+ realtime_triggers: ['cloudformation:CreateStack','cloudformation:UpdateStack'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudformation/stackFailedStatus.js b/plugins/aws/cloudformation/stackFailedStatus.js
index b9f327617f..2bfca7003a 100644
--- a/plugins/aws/cloudformation/stackFailedStatus.js
+++ b/plugins/aws/cloudformation/stackFailedStatus.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 0
 }
 },
- realtime_triggers: ['CloudFormation:CreateStack','CloudFormation:DeleteStack'],
+ realtime_triggers: ['cloudformation:CreateStack','cloudformation:DeleteStack'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudformation/stackNotifications.js b/plugins/aws/cloudformation/stackNotifications.js
index 73c9b5c891..60f5d6a53d 100644
--- a/plugins/aws/cloudformation/stackNotifications.js
+++ b/plugins/aws/cloudformation/stackNotifications.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-view-stack-data-resources.html',
 recommended_action: 'Associate an Amazon SNS topic to all CloudFormation stacks',
 apis: ['CloudFormation:listStacks', 'CloudFormation:describeStacks'],
- realtime_triggers: ['CloudFormation:CreateStack','CloudFormation:UpdateStack'],
+ realtime_triggers: ['cloudformation:CreateStack','cloudformation:UpdateStack'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudfront/cloudfrontCustomOriginHttpsOnly.js b/plugins/aws/cloudfront/cloudfrontCustomOriginHttpsOnly.js
index 1b5cafea25..c8e6585f87 100644
--- a/plugins/aws/cloudfront/cloudfrontCustomOriginHttpsOnly.js
+++ b/plugins/aws/cloudfront/cloudfrontCustomOriginHttpsOnly.js
@@ -9,7 +9,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html',
 recommended_action: 'Modify CloudFront distribution and update the Origin Protocol Policy setting to HTTPS Only.',
 apis: ['CloudFront:listDistributions'],
- realtime_triggers: ['CloudFront:CreateDistribution','CloudFront:UpdateDistribution'],
+ realtime_triggers: ['cloudfront:CreateDistribution','cloudfront:UpdateDistribution'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/cloudfront/cloudfrontFieldLevelEncryption.js b/plugins/aws/cloudfront/cloudfrontFieldLevelEncryption.js
index 6cf133a302..12d37042a7 100644
--- a/plugins/aws/cloudfront/cloudfrontFieldLevelEncryption.js
+++ b/plugins/aws/cloudfront/cloudfrontFieldLevelEncryption.js
@@ -11,7 +11,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html',
 recommended_action: 'Enable field-level encryption for CloudFront distributions.',
 apis: ['CloudFront:listDistributions'],
- realtime_triggers: ['CloudFront:CreateDistribution','CloudFront:UpdateDistribution'],
+ realtime_triggers: ['cloudfront:CreateDistribution','cloudfront:UpdateDistribution'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/cloudfront/cloudfrontGeoRestriction.js b/plugins/aws/cloudfront/cloudfrontGeoRestriction.js
index c49a4cb5eb..b70d872338 100644
--- a/plugins/aws/cloudfront/cloudfrontGeoRestriction.js
+++ b/plugins/aws/cloudfront/cloudfrontGeoRestriction.js
@@ -18,7 +18,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['CloudFront:CreateDistribution','CloudFront:UpdateDistribution'],
+ realtime_triggers: ['cloudfront:CreateDistribution','cloudfront:UpdateDistribution'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudtrail/cloudtrailBucketAccessLogging.js b/plugins/aws/cloudtrail/cloudtrailBucketAccessLogging.js
index d458657d84..b6128bb310 100644
--- a/plugins/aws/cloudtrail/cloudtrailBucketAccessLogging.js
+++ b/plugins/aws/cloudtrail/cloudtrailBucketAccessLogging.js
@@ -26,7 +26,7 @@ module.exports = {
 default: '',
 }
 },
- realtime_triggers: ['CloudTrail:CreateTrail', 'S3:PutBucketLogging'],
+ realtime_triggers: ['cloudtrail:CreateTrail', 's3:PutBucketLogging'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/cloudtrail/cloudtrailBucketDelete.js b/plugins/aws/cloudtrail/cloudtrailBucketDelete.js
index 1981b46d28..9b039d7ae5 100644
--- a/plugins/aws/cloudtrail/cloudtrailBucketDelete.js
+++ b/plugins/aws/cloudtrail/cloudtrailBucketDelete.js
@@ -24,7 +24,7 @@ module.exports = {
 default: '',
 }
 },
- realtime_triggers: ['CloudTrail:CreateTrail', 'S3:PutBucketVersioning'],
+ realtime_triggers: ['cloudtrail:CreateTrail', 's3:PutBucketVersioning'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/cloudtrail/cloudtrailBucketPrivate.js b/plugins/aws/cloudtrail/cloudtrailBucketPrivate.js
index 43be3a9924..7baa7c2888 100644
--- a/plugins/aws/cloudtrail/cloudtrailBucketPrivate.js
+++ b/plugins/aws/cloudtrail/cloudtrailBucketPrivate.js
@@ -22,7 +22,7 @@ module.exports = {
 }
 },
- realtime_triggers: ['CloudTrail:CreateTrail', 'S3:PutBucketAcl'],
+ realtime_triggers: ['cloudtrail:CreateTrail', 's3:PutBucketAcl'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/cloudtrail/cloudtrailDataEvents.js b/plugins/aws/cloudtrail/cloudtrailDataEvents.js
index 776fc10c15..6ae624ba8f 100644
--- a/plugins/aws/cloudtrail/cloudtrailDataEvents.js
+++ b/plugins/aws/cloudtrail/cloudtrailDataEvents.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Update CloudTrail to enable data events.',
 link: 'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html',
 apis: ['CloudTrail:describeTrails', 'CloudTrail:getEventSelectors'],
- realtime_triggers: ['CloudTrail:CreateTrail', 'CloudTrail:PutEventSelectors'],
+ realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:PutEventSelectors'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudtrail/cloudtrailDeliveryFailing.js b/plugins/aws/cloudtrail/cloudtrailDeliveryFailing.js
index 90ea38cef4..302e2e36b1 100644
--- a/plugins/aws/cloudtrail/cloudtrailDeliveryFailing.js
+++ b/plugins/aws/cloudtrail/cloudtrailDeliveryFailing.js
@@ -18,7 +18,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['CloudTrail:CreateTrail', 'CloudTrail:UpdateTrail'],
+ realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:UpdateTrail'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudtrail/cloudtrailEnabled.js b/plugins/aws/cloudtrail/cloudtrailEnabled.js
index 67278dad83..86dd181c54 100644
--- a/plugins/aws/cloudtrail/cloudtrailEnabled.js
+++ b/plugins/aws/cloudtrail/cloudtrailEnabled.js
@@ -19,7 +19,7 @@ module.exports = {
 'within environments containing cardholder data.',
 cis1: '2.1 Ensure CloudTrail is enabled in all regions'
 },
- realtime_triggers: ['CloudTrail:CreateTrail', 'CloudTrail:UpdateTrail'],
+ realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:UpdateTrail'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudtrail/cloudtrailManagementEvents.js b/plugins/aws/cloudtrail/cloudtrailManagementEvents.js
index edcd236056..fd4d819cd2 100644
--- a/plugins/aws/cloudtrail/cloudtrailManagementEvents.js
+++ b/plugins/aws/cloudtrail/cloudtrailManagementEvents.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Update CloudTrail to enable management events logging',
 link: 'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html',
 apis: ['CloudTrail:describeTrails', 'CloudTrail:getEventSelectors'],
- realtime_triggers: ['CloudTrail:CreateTrail', 'CloudTrail:PutEventSelectors'],
+ realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:PutEventSelectors'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudtrail/cloudtrailNotificationsEnabled.js b/plugins/aws/cloudtrail/cloudtrailNotificationsEnabled.js
index 7a934d2e35..4abef4c341 100644
--- a/plugins/aws/cloudtrail/cloudtrailNotificationsEnabled.js
+++ b/plugins/aws/cloudtrail/cloudtrailNotificationsEnabled.js
@@ -11,7 +11,7 @@ module.exports = {
 recommended_action: 'Make sure that CloudTrail trails are using active SNS topics and that SNS topics have not been deleted after trail creation.',
 link: 'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/configure-sns-notifications-for-cloudtrail.html',
 apis: ['CloudTrail:describeTrails', 'SNS:listTopics', 'SNS:getTopicAttributes'],
- realtime_triggers: ['CloudTrail:CreateTrail', 'CloudTrail:UpdateTrail'],
+ realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:UpdateTrail'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudtrail/cloudtrailObjectLock.js b/plugins/aws/cloudtrail/cloudtrailObjectLock.js
index 5f120a01fe..0358dd2f9a 100644
--- a/plugins/aws/cloudtrail/cloudtrailObjectLock.js
+++ b/plugins/aws/cloudtrail/cloudtrailObjectLock.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Edit trail to use a bucket with object locking enabled.',
 link: 'https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock-managing.html',
 apis: ['CloudTrail:describeTrails', 'S3:getObjectLockConfiguration', 'S3:listBuckets'],
- realtime_triggers: ['CloudTrail:CreateTrail', 'CloudTrail:UpdateTrail'],
+ realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:UpdateTrail'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudtrail/cloudtrailS3Bucket.js b/plugins/aws/cloudtrail/cloudtrailS3Bucket.js
index e7e7859790..242fcf1310 100644
--- a/plugins/aws/cloudtrail/cloudtrailS3Bucket.js
+++ b/plugins/aws/cloudtrail/cloudtrailS3Bucket.js
@@ -24,7 +24,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['CloudTrail:CreateTrail', 'CloudTrail:UpdateTrail'],
+ realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:UpdateTrail'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudtrail/cloudtrailToCloudwatch.js b/plugins/aws/cloudtrail/cloudtrailToCloudwatch.js
index c9b975ee73..7b18cd2625 100644
--- a/plugins/aws/cloudtrail/cloudtrailToCloudwatch.js
+++ b/plugins/aws/cloudtrail/cloudtrailToCloudwatch.js
@@ -13,7 +13,7 @@ module.exports = {
 compliance: {
 cis1: '2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs'
 },
- realtime_triggers: ['CloudTrail:CreateTrail', 'CloudTrail:UpdateTrail'],
+ realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:UpdateTrail'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudtrail/globalLoggingDuplicated.js b/plugins/aws/cloudtrail/globalLoggingDuplicated.js
index f88068e28a..240006d350 100644
--- a/plugins/aws/cloudtrail/globalLoggingDuplicated.js
+++ b/plugins/aws/cloudtrail/globalLoggingDuplicated.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Update CloudTrail trails to log global services events enabled for only one trail',
 link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html',
 apis: ['CloudTrail:describeTrails'],
- realtime_triggers: ['CloudTrail:CreateTrail', 'CloudTrail:UpdateTrail'],
+ realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:UpdateTrail'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudwatch/vpcFlowLogsMetricAlarm.js b/plugins/aws/cloudwatch/vpcFlowLogsMetricAlarm.js
index 545a0e4893..6b0bb90b30 100644
--- a/plugins/aws/cloudwatch/vpcFlowLogsMetricAlarm.js
+++ b/plugins/aws/cloudwatch/vpcFlowLogsMetricAlarm.js
@@ -21,7 +21,7 @@ module.exports = {
 default: 'vpc_flow_logs'
 }
 },
- realtime_triggers: ['CloudWatchLogs:PutMetricFilter', 'CloudWatch:PutMetricAlarm'],
+ realtime_triggers: ['cloudwatchlogs:PutMetricFilter', 'cloudwatch:PutMetricAlarm'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudwatchlogs/logGroupsEncrypted.js b/plugins/aws/cloudwatchlogs/logGroupsEncrypted.js
index 967af4dd50..8616cd2dd8 100644
--- a/plugins/aws/cloudwatchlogs/logGroupsEncrypted.js
+++ b/plugins/aws/cloudwatchlogs/logGroupsEncrypted.js
@@ -26,7 +26,7 @@ module.exports = {
 default: 'Aqua-CSPM-Token-Rotator-Function,-CreateCSPMKeyFunction-,-TriggerDiscoveryFunction-,-GenerateVolumeScanningEx-,-GenerateCSPMExternalIdFu-'
 }
 },
- realtime_triggers: ['CloudWatchLogs:CreateLogGroup', 'CloudWatchLogs:AssociateKmsKey'],
+ realtime_triggers: ['cloudwatchlogs:CreateLogGroup', 'cloudwatchlogs:AssociateKmsKey'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudwatchlogs/logRetentionPeriod.js b/plugins/aws/cloudwatchlogs/logRetentionPeriod.js
index ea950fd6e0..bf70f12e09 100644
--- a/plugins/aws/cloudwatchlogs/logRetentionPeriod.js
+++ b/plugins/aws/cloudwatchlogs/logRetentionPeriod.js
@@ -18,7 +18,7 @@ module.exports = {
 default: '90'
 }
 },
- realtime_triggers: ['CloudWatchLogs:CreateLogGroup', 'CloudWatchLogs:PutRetentionPolicy'],
+ realtime_triggers: ['cloudwatchlogs:CreateLogGroup', 'cloudwatchlogs:PutRetentionPolicy'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/cloudwatchlogs/monitoringMetrics.js b/plugins/aws/cloudwatchlogs/monitoringMetrics.js
index 232bbc3b70..6a0459ca91 100644
--- a/plugins/aws/cloudwatchlogs/monitoringMetrics.js
+++ b/plugins/aws/cloudwatchlogs/monitoringMetrics.js
@@ -76,7 +76,7 @@ module.exports = {
 compliance: {
 cis1: '3.0 Monitoring metrics are enabled'
 },
- realtime_triggers: ['CloudWatchLogs:CreateLogGroup', 'CloudWatchLogs:PutMetricFilter'],
+ realtime_triggers: ['cloudwatchlogs:CreateLogGroup', 'cloudwatchlogs:PutMetricFilter'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/codeartifact/codeartifactDomainEncrypted.js b/plugins/aws/codeartifact/codeartifactDomainEncrypted.js
index 670976468f..8c6d5164db 100644
--- a/plugins/aws/codeartifact/codeartifactDomainEncrypted.js
+++ b/plugins/aws/codeartifact/codeartifactDomainEncrypted.js
@@ -19,7 +19,7 @@ module.exports = {
 default: 'awscmk',
 }
 },
- realtime_triggers: ['CodeArtifact:CreateDomain', 'CodeArtifact:DeleteDomain'],
+ realtime_triggers: ['codeartifact:CreateDomain', 'codeartifact:DeleteDomain'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/codebuild/codebuildValidSourceProviders.js b/plugins/aws/codebuild/codebuildValidSourceProviders.js
index fff7772c9e..bf2adb0207 100644
--- a/plugins/aws/codebuild/codebuildValidSourceProviders.js
+++ b/plugins/aws/codebuild/codebuildValidSourceProviders.js
@@ -18,7 +18,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['CodeBuild:CreateProject', 'CodeBuild:UpdateProject'],
+ realtime_triggers: ['codebuild:CreateProject', 'codebuild:UpdateProject'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/codebuild/projectArtifactsEncrypted.js b/plugins/aws/codebuild/projectArtifactsEncrypted.js
index 906ba6fde6..9bd77f6d3e 100644
--- a/plugins/aws/codebuild/projectArtifactsEncrypted.js
+++ b/plugins/aws/codebuild/projectArtifactsEncrypted.js
@@ -19,7 +19,7 @@ module.exports = {
 default: 'awscmk',
 }
 },
- realtime_triggers: ['CodeBuild:CreateProject', 'CodeBuild:UpdateProject'],
+ realtime_triggers: ['codebuild:CreateProject', 'codebuild:UpdateProject'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/codepipeline/pipelineArtifactsEncrypted.js b/plugins/aws/codepipeline/pipelineArtifactsEncrypted.js
index 48845e436d..3f54de255a 100644
--- a/plugins/aws/codepipeline/pipelineArtifactsEncrypted.js
+++ b/plugins/aws/codepipeline/pipelineArtifactsEncrypted.js
@@ -20,7 +20,7 @@ module.exports = {
 default: 'awscmk'
 }
 },
- realtime_triggers: ['CodePipeline:CreatePipeline', 'CodePipeline:UpdatePipeline'],
+ realtime_triggers: ['codepipeline:CreatePipeline', 'codepipeline:UpdatePipeline'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/codestar/codestarValidRepoProviders.js b/plugins/aws/codestar/codestarValidRepoProviders.js
index efedc097d2..2d83c67837 100644
--- a/plugins/aws/codestar/codestarValidRepoProviders.js
+++ b/plugins/aws/codestar/codestarValidRepoProviders.js
@@ -18,7 +18,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['CodeStar:CreateProject','CodeStar:UpdateProject'],
+ realtime_triggers: ['codestar:CreateProject','codestar:UpdateProject'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.js b/plugins/aws/cognito/cognitoHasWafEnabled.js
index dab74fef36..787b92399f 100644
--- a/plugins/aws/cognito/cognitoHasWafEnabled.js
+++ b/plugins/aws/cognito/cognitoHasWafEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html',
 recommended_action: '1. Enter the Cognito service. 2. Enter user pools and enable WAF from properties.',
 apis: ['CognitoIdentityServiceProvider:listUserPools', 'WAFV2:getWebACLForCognitoUserPool', 'STS:getCallerIdentity'],
- realtime_triggers: ['CognitoIdentityServiceProvider:CreateUserPool','CognitoIdentityServiceProvider:UpdateUserPool'],
+ realtime_triggers: ['cognitoidentityserviceprovider:CreateUserPool','cognitoidentityserviceprovider:UpdateUserPool'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/comprehend/outputResultEncryption.js b/plugins/aws/comprehend/outputResultEncryption.js
index 86ab0f46f1..5d4cfc5cf7 100644
--- a/plugins/aws/comprehend/outputResultEncryption.js
+++ b/plugins/aws/comprehend/outputResultEncryption.js
@@ -11,7 +11,7 @@ module.exports = {
 recommended_action: 'Enable output result encryption for the Comprehend job',
 apis: ['Comprehend:listEntitiesDetectionJobs', 'Comprehend:listDominantLanguageDetectionJobs', 'Comprehend:listTopicsDetectionJobs', 'Comprehend:listDocumentClassificationJobs', 'Comprehend:listKeyPhrasesDetectionJobs', 'Comprehend:listSentimentDetectionJobs'],
- realtime_triggers: ['Comprehend:StartEntitiesDetectionJob'],
+ realtime_triggers: ['comprehend:StartEntitiesDetectionJob'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/comprehend/volumeEncryption.js b/plugins/aws/comprehend/volumeEncryption.js
index 1c7b1a47c7..af65b6661c 100644
--- a/plugins/aws/comprehend/volumeEncryption.js
+++ b/plugins/aws/comprehend/volumeEncryption.js
@@ -11,7 +11,7 @@ module.exports = {
 recommended_action: 'Enable volume encryption for the Comprehend job',
 apis: ['Comprehend:listEntitiesDetectionJobs', 'Comprehend:listDominantLanguageDetectionJobs', 'Comprehend:listTopicsDetectionJobs', 'Comprehend:listDocumentClassificationJobs', 'Comprehend:listKeyPhrasesDetectionJobs', 'Comprehend:listSentimentDetectionJobs'],
- realtime_triggers: ['Comprehend:StartEntitiesDetectionJob'],
+ realtime_triggers: ['comprehend:StartEntitiesDetectionJob'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/computeoptimizer/asgOptimized.js b/plugins/aws/computeoptimizer/asgOptimized.js
index e047ccc0a0..578c0bc68e 100644
--- a/plugins/aws/computeoptimizer/asgOptimized.js
+++ b/plugins/aws/computeoptimizer/asgOptimized.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/compute-optimizer/latest/ug/view-asg-recommendations.html',
 recommended_action: 'Resolve Compute Optimizer recommendations for Auto Scaling groups.',
 apis: ['ComputeOptimizer:getRecommendationSummaries'],
- realtime_triggers: ['AutoScaling:CreateAutoScalingGroup','AutoScaling:UpdateAutoScalingGroup','AutoScaling:StartInstanceRefresh'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup','autoscaling:StartInstanceRefresh'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/computeoptimizer/ebsVolumesOptimized.js b/plugins/aws/computeoptimizer/ebsVolumesOptimized.js
index b702d3ef8c..ada1bd5fea 100644
--- a/plugins/aws/computeoptimizer/ebsVolumesOptimized.js
+++ b/plugins/aws/computeoptimizer/ebsVolumesOptimized.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/compute-optimizer/latest/ug/view-ebs-recommendations.html',
 recommended_action: 'Resolve Compute Optimizer recommendations for EBS volumes.',
 apis: ['ComputeOptimizer:getRecommendationSummaries'],
- realtime_triggers: ['EC2:CreateVolume','EC2:ModifyVolume'],
+ realtime_triggers: ['ec2:CreateVolume','ec2:ModifyVolume'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/computeoptimizer/ec2InstancesOptimized.js b/plugins/aws/computeoptimizer/ec2InstancesOptimized.js
index 96ae3e62a7..9149117d64 100644
--- a/plugins/aws/computeoptimizer/ec2InstancesOptimized.js
+++ b/plugins/aws/computeoptimizer/ec2InstancesOptimized.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/compute-optimizer/latest/ug/view-ec2-recommendations.html',
 recommended_action: 'Resolve Compute Optimizer recommendations for EC2 instances.',
 apis: ['ComputeOptimizer:getRecommendationSummaries'],
- realtime_triggers: ['EC2:RunInstances','EC2:ModifyInstanceAttribute','EC2:StartInstances'],
+ realtime_triggers: ['ec2:RunInstances','ec2:ModifyInstanceAttribute','ec2:StartInstances'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/computeoptimizer/lambdaFunctionsOptimized.js b/plugins/aws/computeoptimizer/lambdaFunctionsOptimized.js
index 42bda2e194..c4cfcdff02 100644
--- a/plugins/aws/computeoptimizer/lambdaFunctionsOptimized.js
+++ b/plugins/aws/computeoptimizer/lambdaFunctionsOptimized.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/compute-optimizer/latest/ug/view-lambda-recommendations.html',
 recommended_action: 'Resolve Compute Optimizer recommendations for Lambda functions.',
 apis: ['ComputeOptimizer:getRecommendationSummaries'],
- realtime_triggers: ['Lambda:CreateFunction','Lambda:UpdateFunctionConfiguration'],
+ realtime_triggers: ['lambda:CreateFunction','lambda:UpdateFunctionConfiguration'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/computeoptimizer/optimizerRecommendationsEnabled.js b/plugins/aws/computeoptimizer/optimizerRecommendationsEnabled.js
index c52a979811..3bae2e0857 100644
--- a/plugins/aws/computeoptimizer/optimizerRecommendationsEnabled.js
+++ b/plugins/aws/computeoptimizer/optimizerRecommendationsEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/compute-optimizer/latest/ug/what-is-compute-optimizer.html',
 recommended_action: 'Enable Compute Optimizer Opt In options for current of all AWS account in your organization.',
 apis: ['ComputeOptimizer:getRecommendationSummaries'],
- realtime_triggers: ['ComputeOptimizer:UpdateEnrollmentStatus'],
+ realtime_triggers: ['computeoptimizer:UpdateEnrollmentStatus'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/configservice/configComplaintRules.js b/plugins/aws/configservice/configComplaintRules.js
index d9e6b75dd9..d4e79bf912 100644
--- a/plugins/aws/configservice/configComplaintRules.js
+++ b/plugins/aws/configservice/configComplaintRules.js
@@ -11,7 +11,7 @@ module.exports = {
 recommended_action: 'Enable the AWS Config Service rules for compliance checks and close security gaps.',
 link: 'https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html',
 apis: ['ConfigService:describeConfigRules', 'ConfigService:getComplianceDetailsByConfigRule'],
- realtime_triggers: ['ConfigService:StartConfigurationRecorder','ConfigService:PutConfigRule'],
+ realtime_triggers: ['configservice:StartConfigurationRecorder','configservice:PutConfigRule'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/configservice/configDeliveryFailing.js b/plugins/aws/configservice/configDeliveryFailing.js
index 160dd6e297..a2b3dfdd58 100644
--- a/plugins/aws/configservice/configDeliveryFailing.js
+++ b/plugins/aws/configservice/configDeliveryFailing.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Configure AWS Config log files to be delivered without any failures to designated S3 bucket.',
 link: 'https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html',
 apis: ['ConfigService:describeConfigurationRecorderStatus'],
- realtime_triggers: ['ConfigService:StartConfigurationRecorder','ConfigService:PutDeliveryChannel'],
+ realtime_triggers: ['configservice:StartConfigurationRecorder','configservice:PutDeliveryChannel'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/configservice/configServiceEnabled.js b/plugins/aws/configservice/configServiceEnabled.js
index 1c3cdb4384..5d99d92383 100644
--- a/plugins/aws/configservice/configServiceEnabled.js
+++ b/plugins/aws/configservice/configServiceEnabled.js
@@ -17,7 +17,7 @@ module.exports = {
 'could introduce security risks.',
 cis1: '2.5 Ensure AWS Config is enabled in all regions'
 },
- realtime_triggers: ['ConfigService:StartConfigurationRecorder','ConfigService:StopConfigurationRecorder'],
+ realtime_triggers: ['configservice:StartConfigurationRecorder','configservice:StopConfigurationRecorder'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/configservice/configServiceMissingBucket.js b/plugins/aws/configservice/configServiceMissingBucket.js
index f1ca8942f0..9bcfbf963c 100644
--- a/plugins/aws/configservice/configServiceMissingBucket.js
+++ b/plugins/aws/configservice/configServiceMissingBucket.js
@@ -11,7 +11,7 @@ module.exports = {
 recommended_action: 'Ensure that Amazon Config service is referencing an active S3 bucket in order to save configuration information.',
 link: 'https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html',
 apis: ['S3:listBuckets', 'ConfigService:describeDeliveryChannels', 'S3:headBucket'],
- realtime_triggers: ['ConfigService:StartConfigurationRecorder','ConfigService:PutDeliveryChannel'],
+ realtime_triggers: ['configservice:StartConfigurationRecorder','configservice:PutDeliveryChannel'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/configservice/servicesInUse.js b/plugins/aws/configservice/servicesInUse.js
index 4d426f2a80..1875b122c5 100644
--- a/plugins/aws/configservice/servicesInUse.js
+++ b/plugins/aws/configservice/servicesInUse.js
@@ -25,7 +25,7 @@ module.exports = {
 default:''
 },
 },
- realtime_triggers: ['ConfigService:StartConfigurationRecorder','ConfigService:StartConfigRulesEvaluation'],
+ realtime_triggers: ['configservice:StartConfigurationRecorder','configservice:StartConfigRulesEvaluation'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/devopsguru/devOpsGuruNotificationEnabled.js b/plugins/aws/devopsguru/devOpsGuruNotificationEnabled.js
index 6913387a6e..5662a15fa4 100644
--- a/plugins/aws/devopsguru/devOpsGuruNotificationEnabled.js
+++ b/plugins/aws/devopsguru/devOpsGuruNotificationEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Add a notification channel to DevOps Guru',
 link: 'https://docs.aws.amazon.com/devops-guru/latest/userguide/setting-up.html',
 apis: ['DevOpsGuru:listNotificationChannels'],
- realtime_triggers: ['DevOpsGuru:AddNotificationChannel'],
+ realtime_triggers: ['devopsguru:AddNotificationChannel'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/dms/autoMinorVersionUpgrade.js b/plugins/aws/dms/autoMinorVersionUpgrade.js
index 21936447d2..b92a54b943 100644
--- a/plugins/aws/dms/autoMinorVersionUpgrade.js
+++ b/plugins/aws/dms/autoMinorVersionUpgrade.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Enable Auto Minor Version Upgrade feature in order to automatically receive minor engine upgrades for improved performance and security',
 link: 'https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.Modifying.html',
 apis: ['DMS:describeReplicationInstances'],
- realtime_triggers: ['DMS:CreateReplicationInstance','DMS:ModifyReplicationInstance'],
+ realtime_triggers: ['dms:CreateReplicationInstance','dms:ModifyReplicationInstance'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/dms/dmsEncryptionEnabled.js b/plugins/aws/dms/dmsEncryptionEnabled.js
index c6b1780e80..a73ce7d5b8 100644
--- a/plugins/aws/dms/dmsEncryptionEnabled.js
+++ b/plugins/aws/dms/dmsEncryptionEnabled.js
@@ -29,7 +29,7 @@ module.exports = {
 default: false
 }
 },
- realtime_triggers: ['DMS:CreateReplicationInstance'],
+ realtime_triggers: ['dms:CreateReplicationInstance'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/dms/dmsMultiAZFeatureEnabled.js b/plugins/aws/dms/dmsMultiAZFeatureEnabled.js
index bdfb32b843..96c3b1e77a 100644
--- a/plugins/aws/dms/dmsMultiAZFeatureEnabled.js
+++ b/plugins/aws/dms/dmsMultiAZFeatureEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Enable Multi-AZ deployment feature in order to get high availability and failover support',
 link: 'https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.html',
 apis: ['DMS:describeReplicationInstances'],
- realtime_triggers: ['DMS:CreateReplicationInstance','DMS:ModifyReplicationInstance'],
+ realtime_triggers: ['dms:CreateReplicationInstance','dms:ModifyReplicationInstance'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/dms/dmsPubliclyAccessibleInstances.js b/plugins/aws/dms/dmsPubliclyAccessibleInstances.js
index b484cdc59b..ea2889484d 100644
--- a/plugins/aws/dms/dmsPubliclyAccessibleInstances.js
+++ b/plugins/aws/dms/dmsPubliclyAccessibleInstances.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Ensure that DMS replication instances have only private IP address and not public IP address',
 link: 'https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.PublicPrivate.html',
 apis: ['DMS:describeReplicationInstances'],
- realtime_triggers: ['DMS:CreateReplicationInstance'],
+ realtime_triggers: ['dms:CreateReplicationInstance'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/documentDB/docdbClusterBackupRetention.js b/plugins/aws/documentDB/docdbClusterBackupRetention.js
index 5668b30387..27b8b323cc 100644
--- a/plugins/aws/documentDB/docdbClusterBackupRetention.js
+++ b/plugins/aws/documentDB/docdbClusterBackupRetention.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 7
 }
 },
- realtime_triggers: ['DocDB:CreateDBCluster','DocDB:ModifyDBCluster'],
+ realtime_triggers: ['docdb:CreateDBCluster','docdb:ModifyDBCluster'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/documentDB/docdbClusterEncrypted.js b/plugins/aws/documentDB/docdbClusterEncrypted.js
index 7efb61a400..9c7ddada5a 100644
--- a/plugins/aws/documentDB/docdbClusterEncrypted.js
+++ b/plugins/aws/documentDB/docdbClusterEncrypted.js
@@ -19,7 +19,7 @@ module.exports = {
 default: 'awscmk',
 }
 },
- realtime_triggers: ['DocDB:CreateDBCluster','DocDB:CreateDBInstance'],
+ realtime_triggers: ['docdb:CreateDBCluster','docdb:CreateDBInstance'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/dynamodb/daxClusterEncryption.js b/plugins/aws/dynamodb/daxClusterEncryption.js
index 0eb9ac5970..18e525ce92 100644
--- a/plugins/aws/dynamodb/daxClusterEncryption.js
+++ b/plugins/aws/dynamodb/daxClusterEncryption.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAXEncryptionAtRest.html',
 recommended_action: 'Enable encryption for DAX cluster.',
 apis: ['DAX:describeClusters'],
- realtime_triggers: ['DAX:CreateCluster'],
+ realtime_triggers: ['dax:CreateCluster'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/dynamodb/dynamoContinuousBackups.js b/plugins/aws/dynamodb/dynamoContinuousBackups.js
index ec071ef569..419af7d2ae 100644
--- a/plugins/aws/dynamodb/dynamoContinuousBackups.js
+++ b/plugins/aws/dynamodb/dynamoContinuousBackups.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://aws.amazon.com/blogs/aws/new-amazon-dynamodb-continuous-backups-and-point-in-time-recovery-pitr/',
 recommended_action: 'Enable Continuous Backups and Point-In-Time Recovery (PITR) features.',
 apis: ['DynamoDB:listTables', 'DynamoDB:describeContinuousBackups', 'STS:getCallerIdentity'],
- realtime_triggers: ['DynamoDB:CreateTable','DynamoDB:UpdateContinuousBackups'],
+ realtime_triggers: ['dynamodb:CreateTable','dynamodb:UpdateContinuousBackups'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/dynamodb/dynamoKmsEncryption.js b/plugins/aws/dynamodb/dynamoKmsEncryption.js
index 3947044c73..69f4169c9d 100644
--- a/plugins/aws/dynamodb/dynamoKmsEncryption.js
+++ b/plugins/aws/dynamodb/dynamoKmsEncryption.js
@@ -29,7 +29,7 @@ module.exports = {
 required: false
 }
 },
- realtime_triggers: ['DynamoDB:UpdateTable', 'DynamoDB:CreateTable'],
+ realtime_triggers: ['dynamodb:UpdateTable', 'dynamodb:CreateTable'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/dynamodb/dynamoTableBackupExists.js b/plugins/aws/dynamodb/dynamoTableBackupExists.js
index 2510c1bd70..008178c2fc 100644
--- a/plugins/aws/dynamodb/dynamoTableBackupExists.js
+++ b/plugins/aws/dynamodb/dynamoTableBackupExists.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/BackupRestore.html',
 recommended_action: 'Create on-demand backups for DynamoDB tables.',
 apis: ['DynamoDB:listTables', 'DynamoDB:listBackups', 'STS:getCallerIdentity'],
- realtime_triggers: ['DynamoDB:CreateTable','DynamoDB:CreateBackup'],
+ realtime_triggers: ['dynamodb:CreateTable','dynamodb:CreateBackup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/dynamodb/dynamoTableHasTags.js b/plugins/aws/dynamodb/dynamoTableHasTags.js
index 0139aa23ae..8c80f6721f 100644
--- a/plugins/aws/dynamodb/dynamoTableHasTags.js
+++ b/plugins/aws/dynamodb/dynamoTableHasTags.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Tagging.html',
 recommended_action: 'Modify DynamoDB table and add tags.',
 apis: ['DynamoDB:listTables', 'ResourceGroupsTaggingAPI:getResources', 'STS:getCallerIdentity'],
- realtime_triggers: ['DynamoDB:CreateTable','DynamoDB:TagResource','DynamoDB:UntagResource'],
+ realtime_triggers: ['dynamodb:CreateTable','dynamodb:TagResource','dynamodb:UntagResource'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/dynamodb/dynamoUnusedTable.js b/plugins/aws/dynamodb/dynamoUnusedTable.js
index 7d60fa9e85..7f24d08c32 100644
--- a/plugins/aws/dynamodb/dynamoUnusedTable.js
+++ b/plugins/aws/dynamodb/dynamoUnusedTable.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/WorkingWithTables.Basics.html',
 recommended_action: 'Remove unused tables if you no longer need them.',
 apis: ['DynamoDB:listTables', 'DynamoDB:describeTable', 'STS:getCallerIdentity'],
- realtime_triggers: ['DynamoDB:CreateTable','DynamoDB:DeleteTable'],
+ realtime_triggers: ['dynamodb:CreateTable','dynamodb:DeleteTable'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iam/accessKeysExtra.js b/plugins/aws/iam/accessKeysExtra.js
index b59813636a..1a608f92ca 100644
--- a/plugins/aws/iam/accessKeysExtra.js
+++ b/plugins/aws/iam/accessKeysExtra.js
@@ -27,7 +27,7 @@ module.exports = {
 }
 ]
 },
- realtime_triggers: ['IAM:CreateAccessKey','IAM:DeleteAccessKey'],
+ realtime_triggers: ['iam:CreateAccessKey','iam:DeleteAccessKey'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/iam/accessKeysLastUsed.js b/plugins/aws/iam/accessKeysLastUsed.js
index 065c717ffc..f6eaae5d59 100644
--- a/plugins/aws/iam/accessKeysLastUsed.js
+++ b/plugins/aws/iam/accessKeysLastUsed.js
@@ -41,7 +41,7 @@ module.exports = {
 }
 ]
 },
- realtime_triggers: ['IAM:DeleteAccessKey'],
+ realtime_triggers: ['iam:DeleteAccessKey'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/iam/accessKeysRotated.js b/plugins/aws/iam/accessKeysRotated.js
index eb67625b11..4c1ebc8ce8 100644
--- a/plugins/aws/iam/accessKeysRotated.js
+++ b/plugins/aws/iam/accessKeysRotated.js
@@ -33,7 +33,7 @@ module.exports = {
 default: 90
 }
 },
- realtime_triggers: ['IAM:CreateAccessKey','IAM:DeleteAccessKey'],
+ realtime_triggers: ['iam:CreateAccessKey','iam:DeleteAccessKey'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/iam/canaryKeysUsed.js b/plugins/aws/iam/canaryKeysUsed.js
index a6edda8275..2fd695d320 100644
--- a/plugins/aws/iam/canaryKeysUsed.js
+++ b/plugins/aws/iam/canaryKeysUsed.js
@@ -32,7 +32,7 @@ module.exports = {
 }
 ]
 },
- realtime_triggers: ['IAM:CreateUser'],
+ realtime_triggers: ['iam:CreateUser'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/iam/certificateExpiry.js b/plugins/aws/iam/certificateExpiry.js
index c101543708..b7600eadc7 100644
--- a/plugins/aws/iam/certificateExpiry.js
+++ b/plugins/aws/iam/certificateExpiry.js
@@ -35,7 +35,7 @@ module.exports = {
 }
 ]
 },
- realtime_triggers: ['IAM:UploadServerCertificate','ELB:SetLoadBalancerListenerSSLCertificate'],
+ realtime_triggers: ['iam:UploadServerCertificate','elb:SetLoadBalancerListenerSSLCertificate'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/iam/crossAccountMfaExtIdAccess.js b/plugins/aws/iam/crossAccountMfaExtIdAccess.js
index 8391e09092..8ec7584af9 100644
--- a/plugins/aws/iam/crossAccountMfaExtIdAccess.js
+++ b/plugins/aws/iam/crossAccountMfaExtIdAccess.js
@@ -9,7 +9,7 @@ module.exports = {
 link: 'https://aws.amazon.com/blogs/aws/mfa-protection-for-cross-account-access/',
 recommended_action: 'Update the IAM role to either require MFA or use an external ID.',
 apis: ['IAM:listRoles', 'STS:getCallerIdentity'],
- realtime_triggers: ['IAM:CreateRole','IAM:UpdateAssumeRolePolicy'],
+ realtime_triggers: ['iam:CreateRole','iam:UpdateAssumeRolePolicy'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iam/emptyGroups.js b/plugins/aws/iam/emptyGroups.js
index 3db802196a..81efd27449 100644
--- a/plugins/aws/iam/emptyGroups.js
+++ b/plugins/aws/iam/emptyGroups.js
@@ -22,7 +22,7 @@ module.exports = {
 }
 ]
 },
- realtime_triggers: ['IAM:CreateGroup','IAM:DeleteGroup'],
+ realtime_triggers: ['iam:CreateGroup','iam:DeleteGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iam/groupInlinePolicies.js b/plugins/aws/iam/groupInlinePolicies.js
index 56151d9235..c10c4f1e79 100644
--- a/plugins/aws/iam/groupInlinePolicies.js
+++ b/plugins/aws/iam/groupInlinePolicies.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html',
 recommended_action: 'Remove inline policies attached to groups',
 apis: ['IAM:listGroups', 'IAM:listGroupPolicies'],
- realtime_triggers: ['IAM:CreatePolicy','IAM:DeleteGroupPolicy'],
+ realtime_triggers: ['iam:CreatePolicy','iam:DeleteGroupPolicy'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iam/iamMasterManagerRoles.js b/plugins/aws/iam/iamMasterManagerRoles.js
index 346ec5582f..ca8a47b786 100644
--- a/plugins/aws/iam/iamMasterManagerRoles.js
+++ b/plugins/aws/iam/iamMasterManagerRoles.js
@@ -129,7 +129,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['IAM:CreateRole'],
+ realtime_triggers: ['iam:CreateRole'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/iam/iamPoliciesPresent.js b/plugins/aws/iam/iamPoliciesPresent.js
index 22da3b446a..72c24fe62d 100644
--- a/plugins/aws/iam/iamPoliciesPresent.js
+++ b/plugins/aws/iam/iamPoliciesPresent.js
@@ -18,7 +18,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['IAM:CreatePolicy','IAM:CreatePolicyVersion','IAM:PutRolePolicy','IAM:UpdateAssumeRolePolicy'],
+ realtime_triggers: ['iam:CreatePolicy','iam:CreatePolicyVersion','iam:PutRolePolicy','iam:UpdateAssumeRolePolicy'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/iam/iamRoleHasTags.js b/plugins/aws/iam/iamRoleHasTags.js
index 06343616c6..6e94f3b66e 100644
--- a/plugins/aws/iam/iamRoleHasTags.js
+++ b/plugins/aws/iam/iamRoleHasTags.js
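Review bot: The trigger list in groupInlinePolicies.js keeps `iam:CreatePolicy`, but that event creates a managed policy, while this plugin inspects inline group policies through `IAM:listGroupPolicies` and its recommended action is to remove inline policies from groups. The IAM call that attaches an inline policy to a group is PutGroupPolicy, so adding one will not trigger a real-time re-evaluation and the finding waits for the next scheduled scan. Since this commit already rewrites the line, it is the natural place to correct it: `realtime_triggers: ['iam:PutGroupPolicy','iam:DeleteGroupPolicy'],`. The run function that follows the trigger list continues outside the hunk, so I cannot confirm from the diff whether it reads anything else that would warrant additional triggers.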
@@ -9,7 +9,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html',
 recommended_action: 'Modify Roles to add tags.',
 apis: ['IAM:listRoles', 'IAM:getRole'],
- realtime_triggers: ['IAM:CreateRole','IAM:TagRole','IAM:UntagRole'],
+ realtime_triggers: ['iam:CreateRole','iam:TagRole','iam:UntagRole'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iam/iamRoleLastUsed.js b/plugins/aws/iam/iamRoleLastUsed.js
index 2b26bc5570..e23fa5bea9 100644
--- a/plugins/aws/iam/iamRoleLastUsed.js
+++ b/plugins/aws/iam/iamRoleLastUsed.js
@@ -54,7 +54,7 @@ module.exports = {
 }
 ]
 },
- realtime_triggers: ['IAM:CreateRole','IAM:DeleteRole'],
+ realtime_triggers: ['iam:CreateRole','iam:DeleteRole'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/iam/iamRolePolicies.js b/plugins/aws/iam/iamRolePolicies.js
index 5c0f9990b9..88a05fe370 100644
--- a/plugins/aws/iam/iamRolePolicies.js
+++ b/plugins/aws/iam/iamRolePolicies.js
@@ -82,7 +82,7 @@ module.exports = {
 default: 'false'
 }
 },
- realtime_triggers: ['IAM:CreatePolicy','IAM:CreatePolicyVersion','IAM:PutRolePolicy','IAM:UpdateAssumeRolePolicy'],
+ realtime_triggers: ['iam:CreatePolicy','iam:CreatePolicyVersion','iam:PutRolePolicy','iam:UpdateAssumeRolePolicy'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/iam/iamSupportPolicy.js b/plugins/aws/iam/iamSupportPolicy.js
index cdeae086c6..19c80d72fc 100644
--- a/plugins/aws/iam/iamSupportPolicy.js
+++ b/plugins/aws/iam/iamSupportPolicy.js
@@ -9,7 +9,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html',
 recommended_action: 'Ensure that an IAM role has permission to access support center.',
 apis: ['IAM:listPolicies'],
- realtime_triggers: ['IAM:CreatePolicy','IAM:CreatePolicyVersion'],
+ realtime_triggers: ['iam:CreatePolicy','iam:CreatePolicyVersion'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iam/iamUserAdmins.js b/plugins/aws/iam/iamUserAdmins.js
index 0928283e87..83f4745a5b 100644
--- a/plugins/aws/iam/iamUserAdmins.js
+++ b/plugins/aws/iam/iamUserAdmins.js
@@ -33,7 +33,7 @@ module.exports = {
 default: 2
 }
 },
- realtime_triggers: ['IAM:AddUserToGroup','IAM:RemoveUserFromGroup','IAM:AttachGroupPolicy','IAM:DetachGroupPolicy','IAM:AttachUserPolicy','IAM:DetachUserPolicy','IAM:PutUserPolicy'],
+ realtime_triggers: ['iam:AddUserToGroup','iam:RemoveUserFromGroup','iam:AttachGroupPolicy','iam:DetachGroupPolicy','iam:AttachUserPolicy','iam:DetachUserPolicy','iam:PutUserPolicy'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/iam/iamUserHasTags.js b/plugins/aws/iam/iamUserHasTags.js
index 2a24b98004..5cb5c84171 100644
--- a/plugins/aws/iam/iamUserHasTags.js
+++ b/plugins/aws/iam/iamUserHasTags.js
@@ -9,7 +9,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags_users.html',
 recommended_action: 'Modify IAM User and add tags',
 apis: ['IAM:listUsers', 'IAM:getUser'],
- realtime_triggers: ['IAM:CreateUser','IAM:TagUser','IAM:UntagUser'],
+ realtime_triggers: ['iam:CreateUser','iam:TagUser','iam:UntagUser'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iam/iamUserInUse.js b/plugins/aws/iam/iamUserInUse.js
index 6c10554aac..9c21436980 100644
--- a/plugins/aws/iam/iamUserInUse.js
+++ b/plugins/aws/iam/iamUserInUse.js
@@ -17,7 +17,7 @@ module.exports = {
 default: '15'
 }
 },
- realtime_triggers: ['IAM:CreateUser','IAM:DeleteUser'],
+ realtime_triggers: ['iam:CreateUser','iam:DeleteUser'],
 run: function(cache, settings, callback) {
 const config = {
diff --git a/plugins/aws/iam/iamUserNameRegex.js b/plugins/aws/iam/iamUserNameRegex.js
index 87acb8ba9e..6e4e1296c1 100644
--- a/plugins/aws/iam/iamUserNameRegex.js
+++ b/plugins/aws/iam/iamUserNameRegex.js
@@ -30,7 +30,7 @@ module.exports = {
 }
 ]
 },
- realtime_triggers: ['IAM:CreateUser','IAM:DeleteUser','IAM:UpdateUser'],
+ realtime_triggers: ['iam:CreateUser','iam:DeleteUser','iam:UpdateUser'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iam/iamUserNotInUse.js b/plugins/aws/iam/iamUserNotInUse.js
index 7ed6a0aa7e..bd8e84700d 100644
--- a/plugins/aws/iam/iamUserNotInUse.js
+++ b/plugins/aws/iam/iamUserNotInUse.js
@@ -17,7 +17,7 @@ module.exports = {
 default: '90'
 }
 },
- realtime_triggers: ['IAM:CreateUser','IAM:DeleteUser'],
+ realtime_triggers: ['iam:CreateUser','iam:DeleteUser'],
 run: function(cache, settings, callback) {
 const config = {
diff --git a/plugins/aws/iam/iamUserPresent.js b/plugins/aws/iam/iamUserPresent.js
index cdc696e429..8b25967d3f 100644
--- a/plugins/aws/iam/iamUserPresent.js
+++ b/plugins/aws/iam/iamUserPresent.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html',
 recommended_action: 'Create IAM user(s) and use them to access AWS services and resources.',
 apis: ['IAM:listUsers'],
- realtime_triggers: ['IAM:CreateUser'],
+ realtime_triggers: ['iam:CreateUser'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iam/iamUserUnauthorizedToEdit.js b/plugins/aws/iam/iamUserUnauthorizedToEdit.js
index ae8e042a0d..27093a62e5 100644
--- a/plugins/aws/iam/iamUserUnauthorizedToEdit.js
+++ b/plugins/aws/iam/iamUserUnauthorizedToEdit.js
@@ -45,7 +45,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['IAM:AddUserToGroup','IAM:RemoveUserFromGroup','IAM:AttachGroupPolicy','IAM:DetachGroupPolicy','IAM:AttachUserPolicy','IAM:DetachUserPolicy','IAM:PutUserPolicy'],
+ realtime_triggers: ['iam:AddUserToGroup','iam:RemoveUserFromGroup','iam:AttachGroupPolicy','iam:DetachGroupPolicy','iam:AttachUserPolicy','iam:DetachUserPolicy','iam:PutUserPolicy'],
 run: function(cache, settings, callback) {
 var whitelisted_users = settings.iam_authorized_user_arns || this.settings.iam_authorized_user_arns.default;
diff --git a/plugins/aws/iam/iamUserWithoutPermissions.js b/plugins/aws/iam/iamUserWithoutPermissions.js
index fe7fb0b0dd..8b1c7e87f5 100644
--- a/plugins/aws/iam/iamUserWithoutPermissions.js
+++ b/plugins/aws/iam/iamUserWithoutPermissions.js
@@ -11,7 +11,7 @@ module.exports = {
 recommended_action: 'Modify IAM user and attach new permissions or delete the user.',
 apis: ['IAM:listUsers', 'IAM:listUserPolicies', 'IAM:listAttachedUserPolicies', 'IAM:getPolicyVersion' ,'IAM:listGroupsForUser', 'IAM:listGroups', 'IAM:listGroupPolicies', 'IAM:listAttachedGroupPolicies'],
- realtime_triggers: ['IAM:AddUserToGroup','IAM:RemoveUserFromGroup','IAM:AttachGroupPolicy','IAM:DetachGroupPolicy','IAM:AttachUserPolicy','IAM:DetachUserPolicy','IAM:PutUserPolicy'],
+ realtime_triggers: ['iam:AddUserToGroup','iam:RemoveUserFromGroup','iam:AttachGroupPolicy','iam:DetachGroupPolicy','iam:AttachUserPolicy','iam:DetachUserPolicy','iam:PutUserPolicy'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iam/maxPasswordAge.js b/plugins/aws/iam/maxPasswordAge.js
index f7e88aa1ce..74e36a6c70 100644
--- a/plugins/aws/iam/maxPasswordAge.js
+++ b/plugins/aws/iam/maxPasswordAge.js
@@ -58,7 +58,7 @@ module.exports = {
 }
 ]
 },
- realtime_triggers: ['IAM:UpdateAccountPasswordPolicy'],
+ realtime_triggers: ['iam:UpdateAccountPasswordPolicy'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/iam/minPasswordLength.js b/plugins/aws/iam/minPasswordLength.js
index b6c6553b73..c04143dc79 100644
--- a/plugins/aws/iam/minPasswordLength.js
+++ b/plugins/aws/iam/minPasswordLength.js
@@ -59,7 +59,7 @@ module.exports = {
 }
 ]
 },
- realtime_triggers: ['IAM:UpdateAccountPasswordPolicy'],
+ realtime_triggers: ['iam:UpdateAccountPasswordPolicy'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/iam/noUserIamPolicies.js b/plugins/aws/iam/noUserIamPolicies.js
index c247a9e622..c1b90e0d13 100644
--- a/plugins/aws/iam/noUserIamPolicies.js
+++ b/plugins/aws/iam/noUserIamPolicies.js
@@ -13,7 +13,7 @@ module.exports = {
 compliance: {
 cis1: '1.16 Ensure IAM policies are attached only to groups or roles'
 },
- realtime_triggers: ['IAM:AttachUserPolicy','IAM:DetachUserPolicy'],
+ realtime_triggers: ['iam:AttachUserPolicy','iam:DetachUserPolicy'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iam/passwordExpiration.js b/plugins/aws/iam/passwordExpiration.js
index cd5a32334b..c0fe596656 100644
--- a/plugins/aws/iam/passwordExpiration.js
+++ b/plugins/aws/iam/passwordExpiration.js
@@ -39,7 +39,7 @@ module.exports = {
 }
 ]
 },
- realtime_triggers: ['IAM:UpdateAccountPasswordPolicy'],
+ realtime_triggers: ['iam:UpdateAccountPasswordPolicy'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iam/passwordPolicyExists.js b/plugins/aws/iam/passwordPolicyExists.js
index a4e89f032f..4b883abc27 100644
--- a/plugins/aws/iam/passwordPolicyExists.js
+++ b/plugins/aws/iam/passwordPolicyExists.js
@@ -9,7 +9,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html',
 recommended_action: 'Create a password policy under account settings in IAM',
 apis: ['IAM:getAccountPasswordPolicy'],
- realtime_triggers: ['IAM:UpdateAccountPasswordPolicy'],
+ realtime_triggers: ['iam:UpdateAccountPasswordPolicy'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iam/passwordRequiresLowercase.js b/plugins/aws/iam/passwordRequiresLowercase.js
index 936bce03ff..ee4a74440a 100644
--- a/plugins/aws/iam/passwordRequiresLowercase.js
+++ b/plugins/aws/iam/passwordRequiresLowercase.js
@@ -27,7 +27,7 @@ module.exports = {
 'requirements enforces this policy.',
 cis1: '1.6 Ensure IAM password policy require at least one lowercase letter'
 },
- realtime_triggers: ['IAM:UpdateAccountPasswordPolicy'],
+ realtime_triggers: ['iam:UpdateAccountPasswordPolicy'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iam/passwordRequiresNumbers.js b/plugins/aws/iam/passwordRequiresNumbers.js
index 89eef9734a..a846f25dbc 100644
--- a/plugins/aws/iam/passwordRequiresNumbers.js
+++ b/plugins/aws/iam/passwordRequiresNumbers.js
@@ -27,7 +27,7 @@ module.exports = {
 'requirements enforces this policy.',
 cis1: '1.8 Ensure IAM password policy require at least one number'
 },
- realtime_triggers: ['IAM:UpdateAccountPasswordPolicy'],
+ realtime_triggers: ['iam:UpdateAccountPasswordPolicy'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iam/passwordRequiresSymbols.js b/plugins/aws/iam/passwordRequiresSymbols.js
index dd8ea144f3..0a9953f9a0 100644
--- a/plugins/aws/iam/passwordRequiresSymbols.js
+++ b/plugins/aws/iam/passwordRequiresSymbols.js
@@ -27,7 +27,7 @@ module.exports = {
 'requirements enforces this policy.',
 cis1: '1.7 Ensure IAM password policy require at least one symbol'
 },
- realtime_triggers: ['IAM:UpdateAccountPasswordPolicy'],
+ realtime_triggers: ['iam:UpdateAccountPasswordPolicy'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iam/passwordRequiresUppercase.js b/plugins/aws/iam/passwordRequiresUppercase.js
index 5727d2bb2a..c1667854d2 100644
--- a/plugins/aws/iam/passwordRequiresUppercase.js
+++ b/plugins/aws/iam/passwordRequiresUppercase.js
@@ -27,7 +27,7 @@ module.exports = {
 'requirements enforces this policy.',
 cis1: '1.5 Ensure IAM password policy requires at least one uppercase letter'
 },
- realtime_triggers: ['IAM:UpdateAccountPasswordPolicy'],
+ realtime_triggers: ['iam:UpdateAccountPasswordPolicy'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iam/passwordReusePrevention.js b/plugins/aws/iam/passwordReusePrevention.js
index 0dd25b5a1e..d6301d43cc 100644
--- a/plugins/aws/iam/passwordReusePrevention.js
+++ b/plugins/aws/iam/passwordReusePrevention.js
@@ -47,7 +47,7 @@ module.exports = {
 default: 24
 }
 },
- realtime_triggers: ['IAM:UpdateAccountPasswordPolicy'],
+ realtime_triggers: ['iam:UpdateAccountPasswordPolicy'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/iam/policyAllowsToChangePassword.js b/plugins/aws/iam/policyAllowsToChangePassword.js
index 184889ef11..b307b9f68b 100644
--- a/plugins/aws/iam/policyAllowsToChangePassword.js
+++ b/plugins/aws/iam/policyAllowsToChangePassword.js
@@ -27,7 +27,7 @@ module.exports = {
 'requirements enforces this policy.',
 cis1: '1.6 Ensure IAM password policy allows users to change their passwords'
 },
- realtime_triggers: ['IAM:UpdateAccountPasswordPolicy'],
+ realtime_triggers: ['iam:UpdateAccountPasswordPolicy'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iam/rolePolicyUnusedServices.js b/plugins/aws/iam/rolePolicyUnusedServices.js
index dd4e05a87c..89fc8c8511 100644
--- a/plugins/aws/iam/rolePolicyUnusedServices.js
+++ b/plugins/aws/iam/rolePolicyUnusedServices.js
@@ -94,7 +94,7 @@ module.exports = {
 default: 'false'
 }
 },
- realtime_triggers: ['IAM:CreatePolicy','IAM:UpdatePolicy','IAM:PutRolePolicy'],
+ realtime_triggers: ['iam:CreatePolicy','iam:UpdatePolicy','iam:PutRolePolicy'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/iam/rootAccessKeys.js b/plugins/aws/iam/rootAccessKeys.js
index d7931044e3..7e54d0356d 100644
--- a/plugins/aws/iam/rootAccessKeys.js
+++ b/plugins/aws/iam/rootAccessKeys.js
@@ -16,7 +16,7 @@ module.exports = {
 'should not be used.',
 cis1: '1.12 Ensure no root account access key exists'
 },
- realtime_triggers: ['IAM:CreateAccessKey','IAM:DeleteAccessKey'],
+ realtime_triggers: ['iam:CreateAccessKey','iam:DeleteAccessKey'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iam/rootAccountInUse.js b/plugins/aws/iam/rootAccountInUse.js
index 5caef68f3b..15ba607330 100644
--- a/plugins/aws/iam/rootAccountInUse.js
+++ b/plugins/aws/iam/rootAccountInUse.js
@@ -27,7 +27,7 @@ module.exports = {
 default: 15
 }
 },
- realtime_triggers: ['IAM:CreateUser'],
+ realtime_triggers: ['iam:CreateUser'],
 run: function(cache, settings, callback) {
 this._run(cache, settings, callback, new Date());
diff --git a/plugins/aws/iam/rootHardwareMfa.js b/plugins/aws/iam/rootHardwareMfa.js
index 2ce627e47b..22a9da6ed9 100644
--- a/plugins/aws/iam/rootHardwareMfa.js
+++ b/plugins/aws/iam/rootHardwareMfa.js
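Review bot: `iam:UpdatePolicy` in the rewritten rolePolicyUnusedServices.js trigger list does not, as far as I know, correspond to any IAM API action — changes to a managed policy are recorded as CreatePolicyVersion (and SetDefaultPolicyVersion) — so if the dispatcher matches these strings against event names that entry can never fire and policy edits are only picked up by the next scheduled scan. The problem predates this commit, but the commit rewrites the line and the sibling plugins iamPoliciesPresent.js and iamRolePolicies.js earlier in this diff already use the CreatePolicyVersion form, so this is the moment to align them: `realtime_triggers: ['iam:CreatePolicy','iam:CreatePolicyVersion','iam:PutRolePolicy'],`. I cannot see the trigger dispatcher from the diff, so how an unknown action name is handled (ignored vs. rejected) is an assumption to confirm.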
@@ -9,7 +9,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html',
 recommended_action: 'Enable a hardware MFA device for the root account and disable any virtual devices',
 apis: ['IAM:listVirtualMFADevices', 'IAM:getAccountSummary'],
- realtime_triggers: ['IAM:EnableMFADevice','IAM:DeactivateMFADevice'],
+ realtime_triggers: ['iam:EnableMFADevice','iam:DeactivateMFADevice'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iam/rootMfaEnabled.js b/plugins/aws/iam/rootMfaEnabled.js
index c1e58cbc40..ce10730b53 100644
--- a/plugins/aws/iam/rootMfaEnabled.js
+++ b/plugins/aws/iam/rootMfaEnabled.js
@@ -15,7 +15,7 @@ module.exports = {
 'a safe location for use as backup for named IAM users.',
 cis1: '1.13 Ensure MFA is enabled for the "root" account'
 },
- realtime_triggers: ['IAM:EnableMFADevice','IAM:DeactivateMFADevice'],
+ realtime_triggers: ['iam:EnableMFADevice','iam:DeactivateMFADevice'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iam/rootSigningCertificate.js b/plugins/aws/iam/rootSigningCertificate.js
index d9d2a7fa7a..7d748d88e9 100644
--- a/plugins/aws/iam/rootSigningCertificate.js
+++ b/plugins/aws/iam/rootSigningCertificate.js
@@ -15,7 +15,7 @@ module.exports = {
 'since it is not tied to a specific user. The root signing keys ' +
 'should not be used.'
 },
- realtime_triggers: ['IAM:DeleteSigningCertificate'],
+ realtime_triggers: ['iam:DeleteSigningCertificate'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iam/sshKeysRotated.js b/plugins/aws/iam/sshKeysRotated.js
index 4e2a979b5a..4c3a2930e8 100644
--- a/plugins/aws/iam/sshKeysRotated.js
+++ b/plugins/aws/iam/sshKeysRotated.js
@@ -23,7 +23,7 @@ module.exports = {
 default: 180
 }
 },
- realtime_triggers: ['IAM:UploadSSHPublicKey'],
+ realtime_triggers: ['iam:UploadSSHPublicKey'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/iam/trustedCrossAccountRoles.js b/plugins/aws/iam/trustedCrossAccountRoles.js
index 227c3fce57..22f6455c1b 100644
--- a/plugins/aws/iam/trustedCrossAccountRoles.js
+++ b/plugins/aws/iam/trustedCrossAccountRoles.js
@@ -30,7 +30,7 @@ module.exports = {
 default: 'false'
 }
 },
- realtime_triggers: ['IAM:CreateRole','IAM:UpdateAssumeRolePolicy','IAM:DeleteRole'],
+ realtime_triggers: ['iam:CreateRole','iam:UpdateAssumeRolePolicy','iam:DeleteRole'],
 run: function(cache, settings, callback) {
 var config= {
diff --git a/plugins/aws/iam/usersMfaEnabled.js b/plugins/aws/iam/usersMfaEnabled.js
index 72535bd620..dd7a9edeba 100644
--- a/plugins/aws/iam/usersMfaEnabled.js
+++ b/plugins/aws/iam/usersMfaEnabled.js
@@ -31,7 +31,7 @@ module.exports = {
 }
 ]
 },
- realtime_triggers: ['IAM:EnableMFADevice','IAM:DeactivateMFADevice'],
+ realtime_triggers: ['iam:EnableMFADevice','iam:DeactivateMFADevice'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iam/usersPasswordAndKeys.js b/plugins/aws/iam/usersPasswordAndKeys.js
index 96aa39ab9a..a736d1ee4b 100644
--- a/plugins/aws/iam/usersPasswordAndKeys.js
+++ b/plugins/aws/iam/usersPasswordAndKeys.js
@@ -18,7 +18,7 @@ module.exports = {
 default: '^.*$'
 }
 },
- realtime_triggers: ['IAM:CreateAccessKey','IAM:DeleteAccessKey'],
+ realtime_triggers: ['iam:CreateAccessKey','iam:DeleteAccessKey'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iam/usersPasswordLastUsed.js b/plugins/aws/iam/usersPasswordLastUsed.js
index 7eb927e98a..d0127c477f 100644
--- a/plugins/aws/iam/usersPasswordLastUsed.js
+++ b/plugins/aws/iam/usersPasswordLastUsed.js
@@ -32,7 +32,7 @@ module.exports = {
 default: 90
 }
 },
- realtime_triggers: ['IAM:CreateUser','IAM:DeleteUser'],
+ realtime_triggers: ['iam:CreateUser','iam:DeleteUser'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/imagebuilder/dockerfileTemplateEncrypted.js b/plugins/aws/imagebuilder/dockerfileTemplateEncrypted.js
index 6fc8ca8676..53ea04c39a 100644
--- a/plugins/aws/imagebuilder/dockerfileTemplateEncrypted.js
+++ b/plugins/aws/imagebuilder/dockerfileTemplateEncrypted.js
@@ -20,7 +20,7 @@ module.exports = {
 default: 'awscmk'
 }
 },
- realtime_triggers: ['Imagebuilder:CreateContainerRecipe'],
+ realtime_triggers: ['imagebuilder:CreateContainerRecipe'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/imagebuilder/enhancedMetadataEnabled.js b/plugins/aws/imagebuilder/enhancedMetadataEnabled.js
index 6f52e6243d..f29c088a91 100644
--- a/plugins/aws/imagebuilder/enhancedMetadataEnabled.js
+++ b/plugins/aws/imagebuilder/enhancedMetadataEnabled.js
@@ -11,7 +11,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/imagebuilder/latest/userguide/start-build-image-pipeline.html',
 recommended_action: 'Enable enhanced metadata collection for image pipeline.',
 apis: ['Imagebuilder:listImagePipelines'],
- realtime_triggers: ['Imagebuilder:CreateImagePipeline','Imagebuilder:UpdateImagePipeline'],
+ realtime_triggers: ['imagebuilder:CreateImagePipeline','imagebuilder:UpdateImagePipeline'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/iotsitewise/iotsitewiseDataEncrypted.js b/plugins/aws/iotsitewise/iotsitewiseDataEncrypted.js
index 0c51ec6dc5..6e4eb0feae 100644
--- a/plugins/aws/iotsitewise/iotsitewiseDataEncrypted.js
+++ b/plugins/aws/iotsitewise/iotsitewiseDataEncrypted.js
@@ -19,7 +19,7 @@ module.exports = { default: 'awscmk', } }, - realtime_triggers: ['Imagebuilder:PutDefaultEncryptionConfiguration'], + realtime_triggers: ['imagebuilder:PutDefaultEncryptionConfiguration'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/kendra/kendraIndexEncrypted.js b/plugins/aws/kendra/kendraIndexEncrypted.js index 8267f43554..32b93d2f27 100644 --- a/plugins/aws/kendra/kendraIndexEncrypted.js +++ b/plugins/aws/kendra/kendraIndexEncrypted.js @@ -18,7 +18,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['Kendra:CreateIndex','Kendra:UpdateIndex'], + realtime_triggers: ['kendra:CreateIndex','kendra:UpdateIndex'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/kinesis/kinesisDataStreamsEncrypted.js b/plugins/aws/kinesis/kinesisDataStreamsEncrypted.js index a04e552e35..9e7b13bfed 100644 --- a/plugins/aws/kinesis/kinesisDataStreamsEncrypted.js +++ b/plugins/aws/kinesis/kinesisDataStreamsEncrypted.js @@ -20,7 +20,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['Kinesis:CreateStream','Kinesis:StartStreamEncryption'], + realtime_triggers: ['kinesis:CreateStream','kinesis:StartStreamEncryption'], run: function(cache, settings, callback) { diff --git a/plugins/aws/kinesisvideo/videostreamDataEncrypted.js b/plugins/aws/kinesisvideo/videostreamDataEncrypted.js index 5da384d1ea..c5b1ca5d90 100644 --- a/plugins/aws/kinesisvideo/videostreamDataEncrypted.js +++ b/plugins/aws/kinesisvideo/videostreamDataEncrypted.js @@ -19,7 +19,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['KinesisVideo:CreateStream', 'KinesisVideo:UpdateStream'], + realtime_triggers: ['kinesisvideo:CreateStream', 'kinesisvideo:UpdateStream'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/kms/kmsAppTierCmk.js b/plugins/aws/kms/kmsAppTierCmk.js index dacd781129..8836fba5a0 100644 --- a/plugins/aws/kms/kmsAppTierCmk.js 
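Review bot: The new trigger line in plugins/aws/iotsitewise/iotsitewiseDataEncrypted.js still carries the wrong service prefix: it reads `'imagebuilder:PutDefaultEncryptionConfiguration'`, but PutDefaultEncryptionConfiguration is an IoT SiteWise operation, so this plugin will never be re-evaluated on the event it is meant to react to. The lowercasing pass changed only the case and preserved what looks like a copy-paste from the imagebuilder plugins above it. Suggested line: `realtime_triggers: ['iotsitewise:PutDefaultEncryptionConfiguration'],`. The enclosing module.exports object starts and ends outside the hunk.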
+++ b/plugins/aws/kms/kmsAppTierCmk.js @@ -18,7 +18,7 @@ module.exports = { default: '' }, }, - realtime_triggers: ['KMS:CreateKey','KMS:TagResource'], + realtime_triggers: ['kms:CreateKey','kms:TagResource'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/kms/kmsDefaultKeyUsage.js b/plugins/aws/kms/kmsDefaultKeyUsage.js index f47c707cd2..043345f775 100644 --- a/plugins/aws/kms/kmsDefaultKeyUsage.js +++ b/plugins/aws/kms/kmsDefaultKeyUsage.js @@ -20,7 +20,7 @@ module.exports = { 'passwords, it is still strongly encouraged to use a ' + 'customer-provided CMK rather than the default KMS key.' }, - realtime_triggers: ['CloudTrail:CreateTrail','CloudTrail:UpdateTrail','EC2:CreateVolume','ElasticTranscoder:UpdatePipeline','ElasticTranscoder:CreatePipeline','RDS:CreateDBInstance','RDS:ModifyDBInstance','Redshift:CreateCluster','Redshift:ModifyCluster','S3:CreateBucket','S3:PutBucketEncryption','SES:CreateReceiptRule','SES:UpdateReceiptRule','Workspaces:CreateWorkspaces','Lambda:UpdateFunctionConfiguration','Lambda:CreateFunction','CloudWatchLogs:CreateLogGroup','CloudWatchLogs:AssociateKmsKey','EFS:CreateFileSystem'], + realtime_triggers: ['cloudtrail:CreateTrail','cloudtrail:UpdateTrail','ec2:CreateVolume','elastictranscoder:UpdatePipeline','elastictranscoder:CreatePipeline','rds:CreateDBInstance','rds:ModifyDBInstance','redshift:CreateCluster','redshift:ModifyCluster','s3:CreateBucket','s3:PutBucketEncryption','ses:CreateReceiptRule','ses:UpdateReceiptRule','workspaces:CreateWorkspaces','lamda:UpdateFunctionConfiguration','lamda:CreateFunction','cloudwatchlogs:CreateLogGroup','cloudwatchlogs:AssociateKmsKey','efs:CreateFileSystem'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/kms/kmsDuplicateGrants.js b/plugins/aws/kms/kmsDuplicateGrants.js index cb878ede07..034e9ce456 100644 --- a/plugins/aws/kms/kmsDuplicateGrants.js +++ b/plugins/aws/kms/kmsDuplicateGrants.js 
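Review bot: The rewritten trigger list in kmsDefaultKeyUsage.js introduces a typo that silently disables two triggers: `'lamda:UpdateFunctionConfiguration','lamda:CreateFunction'` should be `'lambda:UpdateFunctionConfiguration','lambda:CreateFunction'` (the defaultVpcInUse hunk later in this series spells it `lambda:CreateFunction`). Because trigger names are matched as strings, a misspelled service prefix does not fail loudly; the check simply stops running in realtime for Lambda changes, which for a "default KMS key in use" finding means a newly created function using the AWS-managed key goes unnoticed until the next full scan. The `cloudwatchlogs:` prefix on the two log-group entries also looks suspect, since CloudTrail records those events under the `logs` service; I would confirm against the prefix convention the other logging plugins in this repo use before merging. The enclosing module.exports object starts and ends outside the hunk.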
@@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Delete duplicate grants for AWS KMS keys', link: 'https://docs.aws.amazon.com/kms/latest/developerguide/grants.html', apis: ['KMS:listKeys', 'KMS:listGrants', 'KMS:describeKey'], - realtime_triggers: ['KMS:CreateKey','KMS:RevokeGrant'], + realtime_triggers: ['kms:CreateKey','kms:RevokeGrant'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/kms/kmsGrantLeastPrivilege.js b/plugins/aws/kms/kmsGrantLeastPrivilege.js index 939dd1815f..b73190e98d 100644 --- a/plugins/aws/kms/kmsGrantLeastPrivilege.js +++ b/plugins/aws/kms/kmsGrantLeastPrivilege.js @@ -9,7 +9,7 @@ module.exports = { recommended_action: 'Create KMS grants with minimum permission required', link: 'https://docs.aws.amazon.com/kms/latest/developerguide/grants.html', apis: ['KMS:listKeys', 'KMS:listGrants', 'KMS:describeKey'], - realtime_triggers: ['KMS:CreateKey','KMS:CreateGrant'], + realtime_triggers: ['kms:CreateKey','kms:CreateGrant'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/kms/kmsKeyPolicy.js b/plugins/aws/kms/kmsKeyPolicy.js index 9d8faca972..1b58ba52da 100644 --- a/plugins/aws/kms/kmsKeyPolicy.js +++ b/plugins/aws/kms/kmsKeyPolicy.js @@ -57,7 +57,7 @@ module.exports = { default: 'false' }, }, - realtime_triggers: ['KMS:CreateKey','KMS:PutKeyPolicy'], + realtime_triggers: ['kms:CreateKey','kms:PutKeyPolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/kms/kmsKeyRotation.js b/plugins/aws/kms/kmsKeyRotation.js index ab60aabd23..00305796df 100644 --- a/plugins/aws/kms/kmsKeyRotation.js +++ b/plugins/aws/kms/kmsKeyRotation.js @@ -25,7 +25,7 @@ module.exports = { default: 'aqua-cspm' } }, - realtime_triggers: ['KMS:CreateKey','KMS:EnableKeyRotation'], + realtime_triggers: ['kms:CreateKey','kms:EnableKeyRotation'], run: function(cache, settings, callback) { var results = []; 
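Review bot: The trigger list for kmsDuplicateGrants.js omits the one event that can actually produce a duplicate grant: the new line is `realtime_triggers: ['kms:CreateKey','kms:RevokeGrant'],`, but a duplicate only appears when a grant is created, and the sibling kmsGrantLeastPrivilege hunk directly below already lists `'kms:CreateGrant'`. As written, the realtime path fires on key creation and on revocation (both of which can only reduce duplicates) and never on the action that introduces them. Suggested line: `realtime_triggers: ['kms:CreateKey','kms:CreateGrant','kms:RevokeGrant','kms:RetireGrant'],`, with RetireGrant included on the assumption that retiring a grant should also refresh the finding. The enclosing module.exports object starts and ends outside the hunk.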
diff --git a/plugins/aws/kms/kmsScheduledDeletion.js b/plugins/aws/kms/kmsScheduledDeletion.js index 217a67910c..5f6589822d 100644 --- a/plugins/aws/kms/kmsScheduledDeletion.js +++ b/plugins/aws/kms/kmsScheduledDeletion.js @@ -22,7 +22,7 @@ module.exports = { } ] }, - realtime_triggers: ['KMS:ScheduleKeyDeletion','KMS:CancelKeyDeletion'], + realtime_triggers: ['kms:ScheduleKeyDeletion','kms:CancelKeyDeletion'], run: function(cache, settings, callback) { var results = []; From 1e859c400c8c1837431b5b4742286702da885923 Mon Sep 17 00:00:00 2001 From: --global Date: Fri, 15 Sep 2023 21:54:44 +0500 Subject: [PATCH 021/498] resolve issues --- plugins/aws/ec2/defaultVpcInUse.js | 2 +- plugins/aws/ec2/ebsSnapshotLifecycle.js | 2 +- plugins/aws/ec2/managedNatGateway.js | 2 +- plugins/aws/ec2/unusedSecurityGroups.js | 2 +- plugins/aws/ec2/unusedVirtualPrivateGateway.js | 2 +- plugins/aws/ec2/unusedVpcInternetGateways.js | 2 +- plugins/aws/ec2/vpcEndpointAcceptance.js | 2 +- plugins/aws/ec2/vpcSubnetInstancesPresent.js | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/plugins/aws/ec2/defaultVpcInUse.js b/plugins/aws/ec2/defaultVpcInUse.js index e1d9f2d5a5..6bd39ddbbe 100644 --- a/plugins/aws/ec2/defaultVpcInUse.js +++ b/plugins/aws/ec2/defaultVpcInUse.js 
@@ -10,7 +10,7 @@ module.exports = { link: 'http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/default-vpc.html', recommended_action: 'Move resources from the default VPC to a new VPC created for that application or resource group.', apis: ['EC2:describeVpcs', 'EC2:describeInstances', 'ELB:describeLoadBalancers', 'Lambda:listFunctions', 'RDS:describeDBInstances', 'Redshift:describeClusters'], - realtime_triggers: ['ec2:CreateVpc', 'ec2:ModifyVpcAttribute', 'ec2:RunInstance','elasticloadbalancing:CreateLoadBalancer', 'lambda:CreateFunction', 'rds:CreateDBInstance','redshift:CreateCluster'], + realtime_triggers: ['ec2:CreateVpc', 'ec2:ModifyVpcAttribute', 'ec2:RunInstance','elasticloadbalancing:CreateLoadBalancer','elasticloadbalancing:ModifyLoadBalancerAttributes', 'lambda:CreateFunction','lambda:UpdateFunctionConfiguration', 'rds:CreateDBInstance','rds:ModifyDBInstance','redshift:CreateCluster','redshift:ModifyCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/ebsSnapshotLifecycle.js b/plugins/aws/ec2/ebsSnapshotLifecycle.js index 70c0b3d237..92f57d28c3 100644 --- a/plugins/aws/ec2/ebsSnapshotLifecycle.js +++ b/plugins/aws/ec2/ebsSnapshotLifecycle.js @@ -12,7 +12,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-lifecycle.html', apis: ['EC2:describeInstances', 'EC2:describeVolumes', 'DLM:getLifecyclePolicies', 'DLM:getLifecyclePolicy', 'STS:getCallerIdentity'], - realtime_triggers: ['dlm:CreateLifecyclePolicy', 'dlm:DeleteLifecyclePolicy', 'dlm:UpdateLifecyclePolicy'], + realtime_triggers: ['ec2:CreateVolume','dlm:CreateLifecyclePolicy', 'dlm:DeleteLifecyclePolicy', 'dlm:UpdateLifecyclePolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/managedNatGateway.js b/plugins/aws/ec2/managedNatGateway.js index 255b0f7746..c7cafdfec6 100644 --- a/plugins/aws/ec2/managedNatGateway.js +++ b/plugins/aws/ec2/managedNatGateway.js 
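Review bot: The extended trigger list in defaultVpcInUse.js keeps `'ec2:RunInstance'`, which does not match the EC2 API name; the unusedSecurityGroups hunk in this same patch uses `'ec2:RunInstances'`, so the two plugins cannot both be right. Since triggers are matched by exact string, the singular form means an instance launched into the default VPC does not re-trigger this check, which is the primary event it exists to catch. Suggested fix is to change that entry to `'ec2:RunInstances'` and leave the rest of the list as added. The enclosing module.exports object starts and ends outside the hunk.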
@@ -10,7 +10,7 @@ module.exports = { link: 'https://aws.amazon.com/blogs/aws/new-managed-nat-network-address-translation-gateway-for-aws/', recommended_action: 'Update VPCs to use Managed NAT Gateways instead of NAT instances', apis: ['EC2:describeVpcs', 'EC2:describeNatGateways', 'STS:getCallerIdentity'], - realtime_triggers: ['ec2:CreateNatGateway', 'ec2:ReplaceRoute'], + realtime_triggers: ['ec2:CreateNatGateway', 'ec2:ReplaceRoute','ec2:CreateVpc'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/unusedSecurityGroups.js b/plugins/aws/ec2/unusedSecurityGroups.js index 5199d81e8a..3f3eb63933 100644 --- a/plugins/aws/ec2/unusedSecurityGroups.js +++ b/plugins/aws/ec2/unusedSecurityGroups.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html', recommended_action: 'Remove security groups that are not being used.', apis: ['EC2:describeSecurityGroups', 'EC2:describeNetworkInterfaces', 'Lambda:listFunctions'], - realtime_triggers: ['ec2:CreateSecurityGroup','ec2:DeleteSecurityGroup'], + realtime_triggers: ['ec2:CreateSecurityGroup','ec2:DeleteSecurityGroup','ec2:RunInstances','ec2:ModifyInstanceAttribute'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/unusedVirtualPrivateGateway.js b/plugins/aws/ec2/unusedVirtualPrivateGateway.js index 40007e2187..4bd8fd94d7 100644 --- a/plugins/aws/ec2/unusedVirtualPrivateGateway.js +++ b/plugins/aws/ec2/unusedVirtualPrivateGateway.js 
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/vpn/latest/s2svpn/delete-vpn.html', recommended_action: 'Remove the unused Virtual Private Gateways (VGWs)', apis: ['EC2:describeVpnGateways', 'STS:getCallerIdentity'], - realtime_triggers: ['ec2:CreateVpnGateway', 'ec2:DeleteVpnGateway'], + realtime_triggers: ['ec2:CreateVpnGateway', 'ec2:DeleteVpnGateway','ec2:AttachVpnGateway','ec2:DetachVpnGateway'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/unusedVpcInternetGateways.js b/plugins/aws/ec2/unusedVpcInternetGateways.js index e54476f1e9..c44c0bdb03 100644 --- a/plugins/aws/ec2/unusedVpcInternetGateways.js +++ b/plugins/aws/ec2/unusedVpcInternetGateways.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html', recommended_action: 'Remove the unused/detached Internet Gateways and Egress-Only Internet Gateways', apis: ['EC2:describeInternetGateways', 'EC2:describeEgressOnlyInternetGateways', 'STS:getCallerIdentity'], - realtime_triggers: ['ec2:CreateInternetGateway', 'ec2:DeleteInternetGateway'], + realtime_triggers: ['ec2:CreateInternetGateway', 'ec2:DeleteInternetGateway','ec2:AttachInternetGateway','ec2:DetachInternetGateway','ec2:CreateEgressOnlyInternetGateway','ec2:DeleteEgressOnlyInternetGateway'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/vpcEndpointAcceptance.js b/plugins/aws/ec2/vpcEndpointAcceptance.js index 0b92a52b20..4d32d66ea4 100644 --- a/plugins/aws/ec2/vpcEndpointAcceptance.js +++ b/plugins/aws/ec2/vpcEndpointAcceptance.js @@ -18,7 +18,7 @@ module.exports = { default: 'false' }, }, - realtime_triggers: ['ec2:CreateVpcEndpointServiceConfiguration', 'ec2:ModifyVpcEndpointServicePermissions'], + realtime_triggers: ['ec2:CreateVpcEndpointServiceConfiguration', 'ec2:ModifyVpcEndpointServiceConfiguration'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/ec2/vpcSubnetInstancesPresent.js b/plugins/aws/ec2/vpcSubnetInstancesPresent.js index 35bf7d695c..375aa27791 100644 --- a/plugins/aws/ec2/vpcSubnetInstancesPresent.js +++ b/plugins/aws/ec2/vpcSubnetInstancesPresent.js @@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Update VPC subnets and attach instances to it or remove the unused VPC subnets', link: 'https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html', apis: ['EC2:describeInstances', 'EC2:describeSubnets'], - realtime_triggers: ['ec2:RunInstance', 'ec2:CreateSubnet', 'ec2:TerminateInstance'], + realtime_triggers: ['ec2:RunInstance', 'ec2:CreateSubnet', 'ec2:TerminateInstance','ec2:DeleteSubnet'], run: function(cache, settings, callback) { var results = []; From d6bc888ccb7fc9e49ef4d67f0197e43db07500a8 Mon Sep 17 00:00:00 2001 From: --global Date: Fri, 15 Sep 2023 21:58:34 +0500 Subject: [PATCH 022/498] resolve issues --- plugins/aws/ec2/ebsEncryptedSnapshots.js | 2 +- plugins/aws/ec2/ebsSnapshotLifecycle.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/aws/ec2/ebsEncryptedSnapshots.js b/plugins/aws/ec2/ebsEncryptedSnapshots.js index 886d82dc72..5b689df186 100644 --- a/plugins/aws/ec2/ebsEncryptedSnapshots.js +++ b/plugins/aws/ec2/ebsEncryptedSnapshots.js @@ -16,7 +16,7 @@ module.exports = { 'of EC2 instance data at rest, but volumes must be configured to use ' + 'encryption so their snapshots are also encrypted.' }, - realtime_triggers: ['ec2:CreateSnapshot', 'ec2:CopySnapshot'], + realtime_triggers: ['ec2:CreateSnapshot', 'ec2:CopySnapshot', 'ec2:DeleteSnapshot'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/ec2/ebsSnapshotLifecycle.js b/plugins/aws/ec2/ebsSnapshotLifecycle.js index 92f57d28c3..ee613095c5 100644 --- a/plugins/aws/ec2/ebsSnapshotLifecycle.js +++ b/plugins/aws/ec2/ebsSnapshotLifecycle.js 
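Review bot: The vpcSubnetInstancesPresent.js hunk adds `'ec2:DeleteSubnet'` but leaves two entries that do not match the EC2 API names: `'ec2:RunInstance'` and `'ec2:TerminateInstance'` should be `'ec2:RunInstances'` and `'ec2:TerminateInstances'` (compare the `'ec2:RunInstances'` spelling used in the unusedSecurityGroups hunk of the previous patch). Since the commit is already touching this line to add a trigger, it is the right place to correct the existing ones; otherwise instance launches and terminations, the main events that change whether a subnet is in use, never refresh the finding. Suggested line: `realtime_triggers: ['ec2:RunInstances', 'ec2:CreateSubnet', 'ec2:TerminateInstances', 'ec2:DeleteSubnet'],`. The enclosing module.exports object starts and ends outside the hunk.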
@@ -12,7 +12,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-lifecycle.html', apis: ['EC2:describeInstances', 'EC2:describeVolumes', 'DLM:getLifecyclePolicies', 'DLM:getLifecyclePolicy', 'STS:getCallerIdentity'], - realtime_triggers: ['ec2:CreateVolume','dlm:CreateLifecyclePolicy', 'dlm:DeleteLifecyclePolicy', 'dlm:UpdateLifecyclePolicy'], + realtime_triggers: ['ec2:CreateVolume','dlm:CreateLifecyclePolicy', 'dlm:DeleteLifecyclePolicy', 'dlm:UpdateLifecyclePolicy'], run: function(cache, settings, callback) { var results = []; From 563a7a8116b3f9a21b783eff87e9ed092469ddb6 Mon Sep 17 00:00:00 2001 
From: --global Date: Tue, 19 Sep 2023 13:13:48 +0500 Subject: [PATCH 023/498] added tiggers --- plugins/aws/rds/iamDbAuthenticationEnabled.js | 2 +- plugins/aws/rds/idleRDSInstance.js | 2 +- plugins/aws/rds/mysqlVulnerabilityCheck.js | 2 +- plugins/aws/rds/overutilizedRDSInstance.js | 2 +- plugins/aws/rds/rdsAutomatedBackups.js | 2 +- plugins/aws/rds/rdsCmkEncryptionEnabled.js | 2 +- plugins/aws/rds/rdsDefaultPort.js | 2 +- plugins/aws/rds/rdsDefaultUsername.js | 2 +- plugins/aws/rds/rdsDeletionProtectionEnabled.js | 2 +- plugins/aws/rds/rdsEncryptionEnabled.js | 2 +- plugins/aws/rds/rdsInstanceGeneration.js | 2 +- plugins/aws/rds/rdsInstanceHasTags.js | 2 +- plugins/aws/rds/rdsLoggingEnabled.js | 2 +- plugins/aws/rds/rdsMinorVersionUpgrade.js | 2 +- plugins/aws/rds/rdsMultiAz.js | 2 +- plugins/aws/rds/rdsPublicSubnet.js | 2 +- plugins/aws/rds/rdsPubliclyAccessible.js | 2 +- plugins/aws/rds/rdsRestorable.js | 2 +- plugins/aws/redshift/auditLoggingEnabled.js | 2 +- plugins/aws/redshift/redshiftAllowVersionUpgrade.js | 2 +- plugins/aws/redshift/redshiftClusterCmkEncrypted.js | 2 +- plugins/aws/redshift/redshiftClusterDefaultPort.js | 2 +- plugins/aws/redshift/redshiftClusterInVpc.js | 2 +- plugins/aws/redshift/redshiftClusterMasterUsername.js | 2 +- plugins/aws/redshift/redshiftDesiredNodeType.js | 2 +- plugins/aws/redshift/redshiftEncryptionEnabled.js | 2 +- plugins/aws/redshift/redshiftNodesCount.js | 2 +- plugins/aws/redshift/redshiftPubliclyAccessible.js | 2 +- plugins/aws/redshift/redshiftSSLEnabled.js | 2 +- plugins/aws/redshift/redshiftUnusedReservedNodes.js | 2 +- plugins/aws/redshift/snapshotRetentionPeriod.js | 2 +- plugins/aws/redshift/userActivityLoggingEnabled.js | 2 +- plugins/aws/route53/domainAutoRenew.js | 2 +- plugins/aws/route53/domainTransferLock.js | 2 +- 34 files changed, 34 insertions(+), 34 deletions(-) diff --git a/plugins/aws/rds/iamDbAuthenticationEnabled.js b/plugins/aws/rds/iamDbAuthenticationEnabled.js index 54177a31ea..23b3c8afec 100644 
--- a/plugins/aws/rds/iamDbAuthenticationEnabled.js +++ b/plugins/aws/rds/iamDbAuthenticationEnabled.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth.html', recommended_action: 'Modify the PostgreSQL and MySQL type RDS instances to enable IAM database authentication.', apis: ['RDS:describeDBInstances'], - realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/idleRDSInstance.js b/plugins/aws/rds/idleRDSInstance.js index b098db8692..36500bfa43 100644 --- a/plugins/aws/rds/idleRDSInstance.js +++ b/plugins/aws/rds/idleRDSInstance.js @@ -30,7 +30,7 @@ module.exports = { default: '20' } }, - realtime_triggers: ['rds:CreateDBInstance','rds:DeleteDBInstance'], + realtime_triggers: ['rds:CreateDBInstance','rds:DeleteDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/mysqlVulnerabilityCheck.js b/plugins/aws/rds/mysqlVulnerabilityCheck.js index b8cf347a6c..9c9ef6efb2 100644 --- a/plugins/aws/rds/mysqlVulnerabilityCheck.js +++ b/plugins/aws/rds/mysqlVulnerabilityCheck.js @@ -9,7 +9,7 @@ module.exports = { link: 'https://aws.amazon.com/security/security-bulletins/mysql-5-5-and-5-6-security-advisory/', recommended_action: 'Update the MySQL engine version to a more recent, patched version to mitigate the vulnerabilities.', apis: ['RDS:describeDBInstances'], - realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'], run: function(cache, settings, callback) { var results = []; 
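Review bot: The RDS trigger extension in iamDbAuthenticationEnabled.js adds the snapshot and S3 restore paths but not point-in-time restore, which also creates a new DB instance with its own IAM-auth, port, logging and encryption settings. The same omission is repeated in every RDS hunk of this patch, so fixing it here alone would leave the plugins inconsistent with each other. Suggested line: `realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3', 'rds:RestoreDBInstanceToPointInTime'],`. The enclosing module.exports object starts and ends outside the hunk.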
diff --git a/plugins/aws/rds/overutilizedRDSInstance.js b/plugins/aws/rds/overutilizedRDSInstance.js index 2a71633222..bcac975f68 100644 --- a/plugins/aws/rds/overutilizedRDSInstance.js +++ b/plugins/aws/rds/overutilizedRDSInstance.js @@ -18,7 +18,7 @@ module.exports = { default: '90' } }, - realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/rdsAutomatedBackups.js b/plugins/aws/rds/rdsAutomatedBackups.js index a8ec4ff0ab..0a21fd04a1 100644 --- a/plugins/aws/rds/rdsAutomatedBackups.js +++ b/plugins/aws/rds/rdsAutomatedBackups.js @@ -18,7 +18,7 @@ module.exports = { default: 6 } }, - realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance','rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/rds/rdsCmkEncryptionEnabled.js b/plugins/aws/rds/rdsCmkEncryptionEnabled.js index e729ea13c9..bfb683c2d1 100644 --- a/plugins/aws/rds/rdsCmkEncryptionEnabled.js +++ b/plugins/aws/rds/rdsCmkEncryptionEnabled.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html', recommended_action: 'RDS does not currently allow modifications to encryption after the instance has been launched, so a new instance will need to be created with KMS CMK encryption enabled.', apis: ['RDS:describeDBInstances', 'KMS:listAliases'], - realtime_triggers: ['rds:CreateDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/rds/rdsDefaultPort.js b/plugins/aws/rds/rdsDefaultPort.js index 13d3380df3..e049ee4683 100644 --- a/plugins/aws/rds/rdsDefaultPort.js +++ b/plugins/aws/rds/rdsDefaultPort.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_CommonTasks.Connect.html', recommended_action: 'Change the default port number of the RDS instance to non-default port.', apis: ['RDS:describeDBInstances'], - realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/rdsDefaultUsername.js b/plugins/aws/rds/rdsDefaultUsername.js index a91148e928..d2a105bdf1 100644 --- a/plugins/aws/rds/rdsDefaultUsername.js +++ b/plugins/aws/rds/rdsDefaultUsername.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateDBInstance.html', recommended_action: 'Create a new RDS instance with the desired username, and migrate the database to the new instance.', apis: ['RDS:describeDBInstances'], - realtime_triggers: ['rds:CreateDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/rdsDeletionProtectionEnabled.js b/plugins/aws/rds/rdsDeletionProtectionEnabled.js index d9011b9251..c223c0ed9a 100644 --- a/plugins/aws/rds/rdsDeletionProtectionEnabled.js +++ b/plugins/aws/rds/rdsDeletionProtectionEnabled.js 
@@ -10,7 +10,7 @@ module.exports = { link: 'https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-rds-now-provides-database-deletion-protection/', recommended_action: 'Modify the RDS instances to enable deletion protection.', apis: ['RDS:describeDBInstances'], - realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/rdsEncryptionEnabled.js b/plugins/aws/rds/rdsEncryptionEnabled.js index 09fabc0366..17d4c5e4bc 100644 --- a/plugins/aws/rds/rdsEncryptionEnabled.js +++ b/plugins/aws/rds/rdsEncryptionEnabled.js @@ -33,7 +33,7 @@ module.exports = { 'encryption should be enabled for all instances storing this type ' + 'of data.' }, - realtime_triggers: ['rds:CreateDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/rds/rdsInstanceGeneration.js b/plugins/aws/rds/rdsInstanceGeneration.js index 5fcd4dd72a..c34d269813 100644 --- a/plugins/aws/rds/rdsInstanceGeneration.js +++ b/plugins/aws/rds/rdsInstanceGeneration.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.DBInstanceClass.html', recommended_action: 'Upgrade the instance to its latest generation.', apis: ['RDS:describeDBInstances'], - realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/rds/rdsInstanceHasTags.js b/plugins/aws/rds/rdsInstanceHasTags.js index 147015d873..fecc2cad11 100644 --- a/plugins/aws/rds/rdsInstanceHasTags.js +++ b/plugins/aws/rds/rdsInstanceHasTags.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html', recommended_action: 'Modify the RDS instance to add tags.', apis: ['RDS:describeDBInstances'], - realtime_triggers: ['rds:CreateDBInstance', 'rds:AddTagsToResource', 'rds:RemoveTagsToResource'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:AddTagsToResource', 'rds:RemoveTagsToResource', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/rdsLoggingEnabled.js b/plugins/aws/rds/rdsLoggingEnabled.js index b68daf0347..6c65d14907 100755 --- a/plugins/aws/rds/rdsLoggingEnabled.js +++ b/plugins/aws/rds/rdsLoggingEnabled.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html', recommended_action: 'Modify the RDS instance to enable logging as required.', apis: ['RDS:describeDBInstances', 'RDS:describeDBEngineVersions'], - realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/rdsMinorVersionUpgrade.js b/plugins/aws/rds/rdsMinorVersionUpgrade.js index dae800add9..56ac835d2c 100644 --- a/plugins/aws/rds/rdsMinorVersionUpgrade.js +++ b/plugins/aws/rds/rdsMinorVersionUpgrade.js 
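Review bot: The rdsInstanceHasTags.js trigger list carries `'rds:RemoveTagsToResource'`, which is not an RDS operation; the API that removes tags is RemoveTagsFromResource, so tag removals, the very change that would make a tagged instance fail this check, never re-trigger it. The commit touches this line to add the restore events and is the natural place to fix the name. Suggested line: `realtime_triggers: ['rds:CreateDBInstance', 'rds:AddTagsToResource', 'rds:RemoveTagsFromResource', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'],`. The enclosing module.exports object starts and ends outside the hunk.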
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Upgrading.html#USER_UpgradeDBInstance.Upgrading.AutoMinorVersionUpgrades', recommended_action: 'Enable automatic minor version upgrades on RDS and DocumentDB databases', apis: ['RDS:describeDBInstances'], - realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/rdsMultiAz.js b/plugins/aws/rds/rdsMultiAz.js index 2376c2dc5a..830331b927 100644 --- a/plugins/aws/rds/rdsMultiAz.js +++ b/plugins/aws/rds/rdsMultiAz.js @@ -18,7 +18,7 @@ module.exports = { default: 'false' } }, - realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/rds/rdsPublicSubnet.js b/plugins/aws/rds/rdsPublicSubnet.js index 63c3f78b3a..fac8585b54 100644 --- a/plugins/aws/rds/rdsPublicSubnet.js +++ b/plugins/aws/rds/rdsPublicSubnet.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/config/latest/developerguide/rds-instance-public-access-check.html', recommended_action: 'Replace the subnet groups of rds instance with the private subnets.', apis: ['RDS:describeDBInstances', 'EC2:describeRouteTables', 'EC2:describeSubnets'], - realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/rds/rdsPubliclyAccessible.js b/plugins/aws/rds/rdsPubliclyAccessible.js index dad001a4c7..8657e99798 100644 --- a/plugins/aws/rds/rdsPubliclyAccessible.js +++ b/plugins/aws/rds/rdsPubliclyAccessible.js @@ -20,7 +20,7 @@ module.exports = { 'Ensure RDS instances are not accessible from the Internet ' + 'and use proper jump box access mechanisms.' }, - realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/rdsRestorable.js b/plugins/aws/rds/rdsRestorable.js index 45da51d01c..72393af091 100644 --- a/plugins/aws/rds/rdsRestorable.js +++ b/plugins/aws/rds/rdsRestorable.js @@ -29,7 +29,7 @@ module.exports = { default: 6 } }, - realtime_triggers: ['rds:CreateDBInstance'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/redshift/auditLoggingEnabled.js b/plugins/aws/redshift/auditLoggingEnabled.js index 45f406fd46..f904157a81 100644 --- a/plugins/aws/redshift/auditLoggingEnabled.js +++ b/plugins/aws/redshift/auditLoggingEnabled.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing-console.html', recommended_action: 'Modify Redshift clusters to enable audit logging', apis: ['Redshift:describeClusters', 'Redshift:describeLoggingStatus', 'STS:getCallerIdentity'], - realtime_triggers: ['redshift:CreateCluster', 'redshift:EditLogging'], + realtime_triggers: ['redshift:CreateCluster', 'redshift:EditLogging', 'redshift:RestoreFromClusterSnapshot'], run: function(cache, settings, callback) { var results = []; 
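Review bot: The auditLoggingEnabled.js trigger list that this hunk extends still contains `'redshift:EditLogging'`, and I cannot place that name in the Redshift API, where audit logging is toggled by EnableLogging and DisableLogging; if the trigger names are meant to mirror CloudTrail event names, this entry would never match and the plugin would only refresh on cluster creation and snapshot restore. Please verify against the event name the project's realtime pipeline actually receives; if it is the API name, the line should read `realtime_triggers: ['redshift:CreateCluster', 'redshift:EnableLogging', 'redshift:DisableLogging', 'redshift:RestoreFromClusterSnapshot'],`. The enclosing module.exports object starts and ends outside the hunk.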
diff --git a/plugins/aws/redshift/redshiftAllowVersionUpgrade.js b/plugins/aws/redshift/redshiftAllowVersionUpgrade.js index dd55b3fea1..6750fc4c43 100644 --- a/plugins/aws/redshift/redshiftAllowVersionUpgrade.js +++ b/plugins/aws/redshift/redshiftAllowVersionUpgrade.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.amazonaws.cn/en_us/redshift/latest/mgmt/redshift-mgmt.pdf', recommended_action: 'Modify Redshift clusters to allow version upgrade', apis: ['Redshift:describeClusters', 'STS:getCallerIdentity'], - realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster'], + realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster', 'redshift:RestoreFromClusterSnapshot'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/redshiftClusterCmkEncrypted.js b/plugins/aws/redshift/redshiftClusterCmkEncrypted.js index 562af0988f..cd708d8ecb 100644 --- a/plugins/aws/redshift/redshiftClusterCmkEncrypted.js +++ b/plugins/aws/redshift/redshiftClusterCmkEncrypted.js @@ -10,7 +10,7 @@ module.exports = { link: 'http://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html', recommended_action: 'Update Redshift clusters encryption configuration to use KMS CMKs instead of AWS managed-keys.', apis: ['Redshift:describeClusters', 'KMS:listAliases', 'STS:getCallerIdentity'], - realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster'], + realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster', 'redshift:RestoreFromClusterSnapshot'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/redshiftClusterDefaultPort.js b/plugins/aws/redshift/redshiftClusterDefaultPort.js index 55e17d3c5b..67c4e1b05b 100644 --- a/plugins/aws/redshift/redshiftClusterDefaultPort.js +++ b/plugins/aws/redshift/redshiftClusterDefaultPort.js 
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.amazonaws.cn/en_us/redshift/latest/gsg/rs-gsg-launch-sample-cluster.html',
 recommended_action: 'Update Amazon Redshift cluster endpoint port.',
 apis: ['Redshift:describeClusters', 'STS:getCallerIdentity'],
- realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster'],
+ realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster', 'redshift:RestoreFromClusterSnapshot'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/redshift/redshiftClusterInVpc.js b/plugins/aws/redshift/redshiftClusterInVpc.js
index 756f1e7bf4..8ef046ea11 100644
--- a/plugins/aws/redshift/redshiftClusterInVpc.js
+++ b/plugins/aws/redshift/redshiftClusterInVpc.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#cluster-platforms',
 recommended_action: 'Update Amazon Redshift cluster and attach it to VPC',
 apis: ['Redshift:describeClusters', 'STS:getCallerIdentity'],
- realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster'],
+ realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster', 'redshift:RestoreFromClusterSnapshot'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/redshift/redshiftClusterMasterUsername.js b/plugins/aws/redshift/redshiftClusterMasterUsername.js
index 787db8e4d6..dc8ee932fc 100644
--- a/plugins/aws/redshift/redshiftClusterMasterUsername.js
+++ b/plugins/aws/redshift/redshiftClusterMasterUsername.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.amazonaws.cn/en_us/redshift/latest/gsg/rs-gsg-launch-sample-cluster.html',
 recommended_action: 'Update Amazon Redshift cluster master username.',
 apis: ['Redshift:describeClusters', 'STS:getCallerIdentity'],
- realtime_triggers: ['redshift:CreateCluster'],
+ realtime_triggers: ['redshift:CreateCluster', 'redshift:RestoreFromClusterSnapshot'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/redshift/redshiftDesiredNodeType.js b/plugins/aws/redshift/redshiftDesiredNodeType.js
index 56a70634b5..bc3d5671f8 100644
--- a/plugins/aws/redshift/redshiftDesiredNodeType.js
+++ b/plugins/aws/redshift/redshiftDesiredNodeType.js
@@ -18,7 +18,7 @@ module.exports = {
 default: ''
 },
 },
- realtime_triggers: ['redshift:CreateCluster'],
+ realtime_triggers: ['redshift:CreateCluster', 'redshift:RestoreFromClusterSnapshot'],
 run: function(cache, settings, callback) {
 var redshift_cluster_node_type = settings.redshift_cluster_node_type || this.settings.redshift_cluster_node_type.default;
diff --git a/plugins/aws/redshift/redshiftEncryptionEnabled.js b/plugins/aws/redshift/redshiftEncryptionEnabled.js
index d6115beb89..66c99c3b55 100644
--- a/plugins/aws/redshift/redshiftEncryptionEnabled.js
+++ b/plugins/aws/redshift/redshiftEncryptionEnabled.js
@@ -16,7 +16,7 @@ module.exports = {
 'is implemented by providing KMS-backed encryption for all Redshift ' +
 'data.'
 },
- realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster'],
+ realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster', 'redshift:RestoreFromClusterSnapshot'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/redshift/redshiftNodesCount.js b/plugins/aws/redshift/redshiftNodesCount.js
index 413039c171..ebec99d237 100644
--- a/plugins/aws/redshift/redshiftNodesCount.js
+++ b/plugins/aws/redshift/redshiftNodesCount.js
@@ -18,7 +18,7 @@ module.exports = {
 default: '100'
 },
 },
- realtime_triggers: ['redshift:CreateCluster', 'redshift:DeleteCluster'],
+ realtime_triggers: ['redshift:CreateCluster', 'redshift:DeleteCluster', 'redshift:RestoreFromClusterSnapshot'],
 run: function(cache, settings, callback) {
 var redshift_nodes_count = parseInt(settings.redshift_nodes_count || this.settings.redshift_nodes_count.default);
diff --git a/plugins/aws/redshift/redshiftPubliclyAccessible.js b/plugins/aws/redshift/redshiftPubliclyAccessible.js
index 6c6fc74adc..c4484d2c72 100644
--- a/plugins/aws/redshift/redshiftPubliclyAccessible.js
+++ b/plugins/aws/redshift/redshiftPubliclyAccessible.js
@@ -20,7 +20,7 @@ module.exports = {
 'Ensure Redshift instances are not accessible from the Internet ' +
 'and use proper jump box access mechanisms.'
 },
- realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster'],
+ realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster', 'redshift:RestoreFromClusterSnapshot'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/redshift/redshiftSSLEnabled.js b/plugins/aws/redshift/redshiftSSLEnabled.js
index 08c9164d4c..7d08ea0fa0 100644
--- a/plugins/aws/redshift/redshiftSSLEnabled.js
+++ b/plugins/aws/redshift/redshiftSSLEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/redshift/latest/mgmt/connecting-ssl-support.html',
 recommended_action: 'Update Redshift parameter groups to have require-ssl parameter set to true.',
 apis: ['Redshift:describeClusters', 'Redshift:describeClusterParameterGroups', 'Redshift:describeClusterParameters', 'STS:getCallerIdentity'],
- realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyClusterParameterGroup'],
+ realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyClusterParameterGroup', 'redshift:RestoreFromClusterSnapshot'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/redshift/redshiftUnusedReservedNodes.js b/plugins/aws/redshift/redshiftUnusedReservedNodes.js
index fd06d18141..56ecfa2067 100644
--- a/plugins/aws/redshift/redshiftUnusedReservedNodes.js
+++ b/plugins/aws/redshift/redshiftUnusedReservedNodes.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/redshift/latest/mgmt/purchase-reserved-node-instance.html',
 recommended_action: 'Provision new Redshift clusters matching the criteria of reserved nodes',
 apis: ['Redshift:describeClusters', 'Redshift:describeReservedNodes', 'STS:getCallerIdentity'],
- realtime_triggers: ['redshift:CreateCluster'],
+ realtime_triggers: ['redshift:CreateCluster', 'redshift:RestoreFromClusterSnapshot'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/redshift/snapshotRetentionPeriod.js b/plugins/aws/redshift/snapshotRetentionPeriod.js
index 127418ec62..b95500cf34 100644
--- a/plugins/aws/redshift/snapshotRetentionPeriod.js
+++ b/plugins/aws/redshift/snapshotRetentionPeriod.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-snapshots.html',
 recommended_action: 'Modify Amazon Redshift cluster to set snapshot retention period',
 apis: ['Redshift:describeClusters', 'STS:getCallerIdentity'],
- realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster'],
+ realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster', 'redshift:RestoreFromClusterSnapshot'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/redshift/userActivityLoggingEnabled.js b/plugins/aws/redshift/userActivityLoggingEnabled.js
index e3699d2a07..35df581a2e 100644
--- a/plugins/aws/redshift/userActivityLoggingEnabled.js
+++ b/plugins/aws/redshift/userActivityLoggingEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html#db-auditing-enable-logging',
 recommended_action: 'Update Redshift parameter groups to enable user activity logging',
 apis: ['Redshift:describeClusters', 'Redshift:describeClusterParameterGroups', 'Redshift:describeClusterParameters', 'STS:getCallerIdentity'],
- realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyClusterParameterGroup'],
+ realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyClusterParameterGroup', 'redshift:RestoreFromClusterSnapshot'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/route53/domainAutoRenew.js b/plugins/aws/route53/domainAutoRenew.js
index 371d9fa390..9a9431687a 100644
--- a/plugins/aws/route53/domainAutoRenew.js
+++ b/plugins/aws/route53/domainAutoRenew.js
@@ -9,7 +9,7 @@ module.exports = {
 link: 'http://docs.aws.amazon.com/Route53/latest/APIReference/api-enable-domain-auto-renew.html',
 recommended_action: 'Enable auto renew for the domain',
 apis: ['Route53Domains:listDomains'],
- realtime_triggers: ['route53domains:RegisterDomain','route53domains:EnableAutoRenew'],
+ realtime_triggers: ['route53domains:RegisterDomain','route53domains:EnableAutoRenew', 'route53domians:DisableDomainAutoRenew'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/route53/domainTransferLock.js b/plugins/aws/route53/domainTransferLock.js
index ff0452ca00..514448ee6c 100644
--- a/plugins/aws/route53/domainTransferLock.js
+++ b/plugins/aws/route53/domainTransferLock.js
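Review bot: The trigger added to domainAutoRenew, `'route53domians:DisableDomainAutoRenew'`, misspells the service prefix ("domians"), so it can never equal an incoming event name and the disable-auto-renew case this line was meant to catch stays undetected. It should read `'route53domains:DisableDomainAutoRenew'`, matching the two entries before it. While on this line, the retained `'route53domains:EnableAutoRenew'` does not match the Route 53 Domains action name EnableDomainAutoRenew; if the matcher compares against CloudTrail eventName (not visible here), that entry is likely dead as well and worth confirming.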
@@ -9,7 +9,7 @@ module.exports = {
 link: 'http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-transfer-from-route-53.html',
 recommended_action: 'Enable the transfer lock for the domain',
 apis: ['Route53Domains:listDomains'],
- realtime_triggers: ['route53domains:RegisterDomain', 'route53Domain:EnableDomainTransferLock'],
+ realtime_triggers: ['route53domains:RegisterDomain', 'route53domain:EnableDomainTransferLock', 'route53domain:DisableDomainTransferLock'],
 run: function(cache, settings, callback) {
 var results = [];
From a225a2d05c66816d2f9faabdb2b88957423c8515 Mon Sep 17 00:00:00 2001
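Review bot: The new line in domainTransferLock mixes two prefixes in one list: `'route53domains:RegisterDomain'` but `'route53domain:EnableDomainTransferLock'` and `'route53domain:DisableDomainTransferLock'` (no trailing s). Only one spelling can match whatever the trigger dispatcher keys on, so at least one of these entries is dead; judging by the first entry and the domainAutoRenew hunk above, `'route53domains:'` is the intended form. Suggested line: `realtime_triggers: ['route53domains:RegisterDomain', 'route53domains:EnableDomainTransferLock', 'route53domains:DisableDomainTransferLock'],`.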
From: --global
Date: Tue, 19 Sep 2023 13:31:59 +0500
Subject: [PATCH 024/498] resolve isssues
---
 plugins/aws/ecs/ecsClusterWithActiveTask.js | 2 +-
 plugins/aws/elasticache/elasticaheDesiredNodeType.js | 2 +-
 plugins/aws/elasticache/redisClusterEncryptionInTransit.js | 2 +-
 plugins/aws/elasticache/reservedNodePaymentFailed.js | 2 +-
 plugins/aws/elasticache/reservedNodePaymentPending.js | 2 +-
 plugins/aws/elasticache/unusedElastiCacheReservedNode.js | 2 +-
 plugins/aws/elb/appTierElbSecurity.js | 2 +-
 plugins/aws/elb/classicELBInUse.js | 2 +-
 plugins/aws/elb/connectionDrainingEnabled.js | 2 +-
 plugins/aws/elb/crosszoneLoadBalancing.js | 2 +-
 plugins/aws/elb/elbHasTags.js | 2 +-
 plugins/aws/elb/elbHttpsOnly.js | 2 +-
 plugins/aws/elb/elbLoggingEnabled.js | 2 +-
 plugins/aws/elb/elbNoInstances.js | 2 +-
 plugins/aws/elb/elbUnhealthyInstances.js | 2 +-
 plugins/aws/elb/insecureCiphers.js | 2 +-
 plugins/aws/elbv2/elbv2DeletionProtection.js | 2 +-
 plugins/aws/elbv2/elbv2DeprecatedSslPolicies.js | 2 +-
 plugins/aws/elbv2/elbv2DeregistrationDelay.js | 2 +-
 plugins/aws/elbv2/elbv2HasTags.js | 2 +-
 plugins/aws/elbv2/elbv2HttpsOnly.js | 2 +-
 plugins/aws/elbv2/elbv2InsecureCiphers.js | 2 +-
 plugins/aws/elbv2/elbv2LoggingEnabled.js | 2 +-
 plugins/aws/elbv2/elbv2MinimumTargetInstances.js | 2 +-
 plugins/aws/elbv2/elbv2NlbListenerSecurity.js | 2 +-
 plugins/aws/elbv2/elbv2NoInstances.js | 2 +-
 plugins/aws/elbv2/elbv2SslTermination.js | 2 +-
 plugins/aws/elbv2/elbv2TLSVersionCipherEnabled.js | 2 +-
 plugins/aws/elbv2/elbv2UnhealthyInstance.js | 2 +-
 plugins/aws/elbv2/elbv2WafEnabled.js | 2 +-
 plugins/aws/elbv2/elbv2crosszoneLoadBalancing.js | 2 +-
 plugins/aws/emr/emrClusterInVPC.js | 2 +-
 plugins/aws/emr/emrClusterLogging.js | 2 +-
 plugins/aws/emr/emrEncryptionAtRest.js | 2 +-
 plugins/aws/emr/emrEncryptionInTransit.js | 2 +-
 plugins/aws/eventbridge/eventBusCrossAccountAccess.js | 2 +-
 plugins/aws/eventbridge/eventBusPublicAccess.js | 2 +-
 37 files changed, 37 insertions(+), 37 deletions(-)
diff --git a/plugins/aws/ecs/ecsClusterWithActiveTask.js b/plugins/aws/ecs/ecsClusterWithActiveTask.js
index 473f2e7bfd..0c4fb04fc3 100644
--- a/plugins/aws/ecs/ecsClusterWithActiveTask.js
+++ b/plugins/aws/ecs/ecsClusterWithActiveTask.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Modify Cluster services and add tasks',
 link: 'https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html',
 apis: ['ECS:listClusters', 'ECS:describeCluster'],
- realtime_triggers: ['ecs:CreateCluster', 'ecs:RunTask'],
+ realtime_triggers: ['ecs:CreateCluster', 'ecs:RunTask', 'ecs:StopTask'],
 run: function(cache, settings, callback){
 var results = [];
diff --git a/plugins/aws/elasticache/elasticaheDesiredNodeType.js b/plugins/aws/elasticache/elasticaheDesiredNodeType.js
index 83cbec6f62..e4c71c9336 100644
--- a/plugins/aws/elasticache/elasticaheDesiredNodeType.js
+++ b/plugins/aws/elasticache/elasticaheDesiredNodeType.js
@@ -18,7 +18,7 @@ module.exports = {
 default:'cache.t2.micro'
 }
 },
- realtime_triggers: ['elasticache:CreateCluster'],
+ realtime_triggers: ['elasticache:CreateCluster','elasticache:ModifyReplicationGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elasticache/redisClusterEncryptionInTransit.js b/plugins/aws/elasticache/redisClusterEncryptionInTransit.js
index ffde2f95d6..2872698974 100644
--- a/plugins/aws/elasticache/redisClusterEncryptionInTransit.js
+++ b/plugins/aws/elasticache/redisClusterEncryptionInTransit.js
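Review bot: The elasticaheDesiredNodeType line keeps `'elasticache:CreateCluster'` and adds `'elasticache:ModifyReplicationGroup'`, but the ElastiCache API has no CreateCluster call — the cluster-level actions are CreateCacheCluster and ModifyCacheCluster, and ModifyCacheCluster is the one that changes a standalone cluster's node type. If these triggers are matched against CloudTrail eventName, as the exact API names used elsewhere in this commit (CreateReplicationGroup, PurchaseReservedCacheNodesOffering) suggest, the retained entry never fires and a node-type change on a non-replicated cluster is missed. The same `'elasticache:CreateCluster'` entry is carried forward in the four elasticache hunks that follow, so the fix would apply there too; suggested form for this file: `realtime_triggers: ['elasticache:CreateCacheCluster','elasticache:ModifyCacheCluster','elasticache:ModifyReplicationGroup'],`.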
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html',
 recommended_action: 'Enable in-transit encryption for ElastiCache clusters',
 apis: ['ElastiCache:describeCacheClusters'],
- realtime_triggers: ['elasticache:CreateCluster', 'elasticache:CreateReplicationGroup'],
+ realtime_triggers: ['elasticache:CreateCluster', 'elasticache:CreateReplicationGroup','elasticache:ModifyReplicationGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elasticache/reservedNodePaymentFailed.js b/plugins/aws/elasticache/reservedNodePaymentFailed.js
index 6e89ec4c78..4c689ec6f6 100644
--- a/plugins/aws/elasticache/reservedNodePaymentFailed.js
+++ b/plugins/aws/elasticache/reservedNodePaymentFailed.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://aws.amazon.com/elasticache/reserved-cache-nodes/',
 recommended_action: 'Identify any failed payments for ElastiCache reserved cache nodes',
 apis: ['ElastiCache:describeReservedCacheNodes'],
- realtime_triggers: ['elasticache:CreateCluster'],
+ realtime_triggers: ['elasticache:CreateCluster', 'elasticache: PurchaseReservedCacheNodesOffering'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elasticache/reservedNodePaymentPending.js b/plugins/aws/elasticache/reservedNodePaymentPending.js
index 0ac9c8e61c..cc730ad785 100644
--- a/plugins/aws/elasticache/reservedNodePaymentPending.js
+++ b/plugins/aws/elasticache/reservedNodePaymentPending.js
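Review bot: The entry added to reservedNodePaymentFailed, `'elasticache: PurchaseReservedCacheNodesOffering'`, has a space after the colon, so a plain string comparison against the event name will never match and the trigger is dead. The same malformed entry is added in the reservedNodePaymentPending and unusedElastiCacheReservedNode hunks that follow. Change all three to `'elasticache:PurchaseReservedCacheNodesOffering'`.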
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://aws.amazon.com/elasticache/reserved-cache-nodes/',
 recommended_action: 'Identify any pending payments for ElastiCache reserved cache nodes',
 apis: ['ElastiCache:describeReservedCacheNodes'],
- realtime_triggers: ['elasticache:CreateCluster'],
+ realtime_triggers: ['elasticache:CreateCluster','elasticache: PurchaseReservedCacheNodesOffering'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elasticache/unusedElastiCacheReservedNode.js b/plugins/aws/elasticache/unusedElastiCacheReservedNode.js
index 8362f32f4b..bff3a37417 100644
--- a/plugins/aws/elasticache/unusedElastiCacheReservedNode.js
+++ b/plugins/aws/elasticache/unusedElastiCacheReservedNode.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://aws.amazon.com/elasticache/reserved-cache-nodes/',
 recommended_action: 'Enable prevention of unused reserved nodes for ElastiCache clusters',
 apis: ['ElastiCache:describeCacheClusters', 'ElastiCache:describeReservedCacheNodes'],
- realtime_triggers: ['elasticache:CreateCluster'],
+ realtime_triggers: ['elasticache:CreateCluster','elasticache: PurchaseReservedCacheNodesOffering'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elb/appTierElbSecurity.js b/plugins/aws/elb/appTierElbSecurity.js
index f7ac739790..86fe318c25 100644
--- a/plugins/aws/elb/appTierElbSecurity.js
+++ b/plugins/aws/elb/appTierElbSecurity.js
@@ -24,7 +24,7 @@ module.exports = {
 default: 'ELBSecurityPolicy-2016-08,ELBSecurityPolicy-TLS-1-2-2017-01,ELBSecurityPolicy-TLS-1-1-2017-01'
 }
 },
- realtime_triggers: ['elasticloadbalancing:CreateLoadBalancerListeners','elasticloadbalancing:CreateLoadBalancer'],
+ realtime_triggers: ['elb:CreateLoadBalancerListeners','elb:CreateLoadBalancer'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elb/classicELBInUse.js b/plugins/aws/elb/classicELBInUse.js
index 74e17c1353..b571dd3af2 100644
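Review bot: The appTierElbSecurity line changes the trigger prefix from `elasticloadbalancing:` to `elb:`, and the remaining elb/ hunks do the same while the elbv2/ hunks switch to `elbv2:`. CloudTrail records both classic and v2 load-balancer calls under the single eventSource elasticloadbalancing.amazonaws.com, so these short prefixes only work if the trigger dispatcher carries a mapping from `elb`/`elbv2` back to that source — that mapping is not visible in this diff and should be confirmed before merging, otherwise every load-balancer trigger in this commit goes dark. Note also that `elb:CreateLoadBalancer` and `elbv2:CreateLoadBalancer` resolve to the same CloudTrail eventName, so the dispatcher would need the API version (or the request's target ARN) to route an event to only one of the two plugin families.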
--- a/plugins/aws/elb/classicELBInUse.js
+++ b/plugins/aws/elb/classicELBInUse.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://aws.amazon.com/elasticloadbalancing/features/',
 recommended_action: 'Detach Classic Load balancer from HTTP/HTTPS applications and attach Application Load Balancer to those applications',
 apis: ['ELB:describeLoadBalancers', 'STS:getCallerIdentity'],
- realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer'],
+ realtime_triggers: ['elb:CreateLoadBalancer'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elb/connectionDrainingEnabled.js b/plugins/aws/elb/connectionDrainingEnabled.js
index 82f39b2b0f..64b08c3d4e 100644
--- a/plugins/aws/elb/connectionDrainingEnabled.js
+++ b/plugins/aws/elb/connectionDrainingEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-conn-drain.html',
 recommended_action: 'Update ELBs to enable connection draining',
 apis: ['ELB:describeLoadBalancers', 'ELB:describeLoadBalancerAttributes', 'STS:getCallerIdentity'],
- realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elaticloadbalancing:ModifyLoadBalancerAttributes'],
+ realtime_triggers: ['elb:CreateLoadBalancer', 'elb:ModifyLoadBalancerAttributes'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elb/crosszoneLoadBalancing.js b/plugins/aws/elb/crosszoneLoadBalancing.js
index 9c75590208..e6aa556590 100644
--- a/plugins/aws/elb/crosszoneLoadBalancing.js
+++ b/plugins/aws/elb/crosszoneLoadBalancing.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html',
 recommended_action: 'Update AWS ELB to enable cross zone load balancing',
 apis: ['ELB:describeLoadBalancers', 'ELB:describeLoadBalancerAttributes', 'STS:getCallerIdentity'],
- realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elaticloadbalancing:ModifyLoadBalancerAttributes', 'elasticloadbalancing:AttachLoadBalancerToSubnets'],
+ realtime_triggers: ['elb:CreateLoadBalancer', 'elb:ModifyLoadBalancerAttributes', 'elb:AttachLoadBalancerToSubnets'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elb/elbHasTags.js b/plugins/aws/elb/elbHasTags.js
index 0ce3b6542b..ff67c94381 100644
--- a/plugins/aws/elb/elbHasTags.js
+++ b/plugins/aws/elb/elbHasTags.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_AddTags.html',
 recommended_action: 'Modify ELB and add tags.',
 apis: ['ELB:describeLoadBalancers', 'ResourceGroupsTaggingAPI:getResources', 'STS:getCallerIdentity'],
- realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:AddTags', 'elasticloadbalancing:RemoveTags'],
+ realtime_triggers: ['elb:CreateLoadBalancer', 'elb:AddTags', 'elb:RemoveTags'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elb/elbHttpsOnly.js b/plugins/aws/elb/elbHttpsOnly.js
index 8d3420094f..c9d88cad41 100644
--- a/plugins/aws/elb/elbHttpsOnly.js
+++ b/plugins/aws/elb/elbHttpsOnly.js
@@ -20,7 +20,7 @@ module.exports = {
 apis_remediate: ['ELB:describeLoadBalancers'],
 actions: {remediate: ['ELB:deleteLoadBalancerListeners'], rollback: ['ELB:createLoadBalancerListeners']},
 permissions: {remediate: ['elasticloadbalancing:DeleteLoadBalancerListeners'], rollback: ['elasticloadbalancing:CreateLoadBalancerListeners']},
- realtime_triggers: ['elasticloadbalancing:CreateLoadBalancerListeners','elasticloadbalancing:CreateLoadBalancer'],
+ realtime_triggers: ['elb:CreateLoadBalancerListeners','elb:CreateLoadBalancer'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elb/elbLoggingEnabled.js b/plugins/aws/elb/elbLoggingEnabled.js
index 1e336b2269..ff60e3dc20 100644
--- a/plugins/aws/elb/elbLoggingEnabled.js
+++ b/plugins/aws/elb/elbLoggingEnabled.js
@@ -22,7 +22,7 @@ module.exports = {
 pci: 'PCI requires logging of all network access to environments containing ' +
 'cardholder data. Enable ELB logs to log these network requests.'
 },
- realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elaticloadbalancing:ModifyLoadBalancerAttributes'],
+ realtime_triggers: ['elb:CreateLoadBalancer', 'elb:ModifyLoadBalancerAttributes'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elb/elbNoInstances.js b/plugins/aws/elb/elbNoInstances.js
index 1c3135f11b..2ac07c8147 100644
--- a/plugins/aws/elb/elbNoInstances.js
+++ b/plugins/aws/elb/elbNoInstances.js
@@ -24,7 +24,7 @@ module.exports = {
 remediate: ['elasticloadbalancing:DeleteLoadBalancer'],
 rollback: ['elasticloadbalancing:CreateLoadBalancer']
 },
- realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer'],
+ realtime_triggers: ['elb:CreateLoadBalancer', 'elb:DeleteLoadBalancer'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elb/elbUnhealthyInstances.js b/plugins/aws/elb/elbUnhealthyInstances.js
index ad5eda0e54..4f73ea9534 100644
--- a/plugins/aws/elb/elbUnhealthyInstances.js
+++ b/plugins/aws/elb/elbUnhealthyInstances.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-healthchecks.html#check-instance-health',
 recommended_action: 'Investigate and resolve the health issues of the instances attached to the ELB.',
 apis: ['ELB:describeLoadBalancers', 'ELB:describeInstanceHealth', 'STS:getCallerIdentity'],
- realtime_triggers: ['elaticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:RegisterInstancesWithLoadBalancer', 'elasticloadbalancing:DeregisterInstancesWithLoadBalancer'],
+ realtime_triggers: ['elb:CreateLoadBalancer', 'elb:RegisterInstancesWithLoadBalancer', 'elb:DeregisterInstancesWithLoadBalancer'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elb/insecureCiphers.js b/plugins/aws/elb/insecureCiphers.js
index 6d12e88a2a..6444266dcb 100644
--- a/plugins/aws/elb/insecureCiphers.js
+++ b/plugins/aws/elb/insecureCiphers.js
@@ -92,7 +92,7 @@ module.exports = {
 pci: 'PCI requires secure transfer of cardholder data. It does not permit SSL or TLS ' +
 'version 1.0. ELB listeners should be configured for TLS v1.2.'
 },
- realtime_triggers: ['elaticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:ModifyLoadBalancerAttributes'],
+ realtime_triggers: ['elb:CreateLoadBalancer', 'elb:ModifyLoadBalancerAttributes'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elbv2/elbv2DeletionProtection.js b/plugins/aws/elbv2/elbv2DeletionProtection.js
index f7faa2274e..e136a31e04 100644
--- a/plugins/aws/elbv2/elbv2DeletionProtection.js
+++ b/plugins/aws/elbv2/elbv2DeletionProtection.js
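Review bot: The insecureCiphers trigger list is `['elb:CreateLoadBalancer', 'elb:ModifyLoadBalancerAttributes']`, but on classic ELB the SSL negotiation policy that decides which ciphers are offered is changed through CreateLoadBalancerPolicy and SetLoadBalancerPoliciesOfListener (and a new listener through CreateLoadBalancerListeners), not through ModifyLoadBalancerAttributes, which covers access logs, draining and cross-zone settings. If the plugin inspects listener policies, as its PCI text suggests, a weakened cipher policy applied to an existing load balancer will not re-trigger this check. Suggested line: `realtime_triggers: ['elb:CreateLoadBalancer', 'elb:CreateLoadBalancerListeners', 'elb:CreateLoadBalancerPolicy', 'elb:SetLoadBalancerPoliciesOfListener'],`; keeping ModifyLoadBalancerAttributes as well is harmless if unsure.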
@@ -11,7 +11,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#deletion-protection',
 recommended_action: 'Update ELBv2 load balancers to use deletion protection to prevent accidental deletion',
 apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeLoadBalancerAttributes'],
- realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:ModifyLoadBalancerAttributes'],
+ realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:ModifyLoadBalancerAttributes'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elbv2/elbv2DeprecatedSslPolicies.js b/plugins/aws/elbv2/elbv2DeprecatedSslPolicies.js
index 281db2f978..1248beaa43 100644
--- a/plugins/aws/elbv2/elbv2DeprecatedSslPolicies.js
+++ b/plugins/aws/elbv2/elbv2DeprecatedSslPolicies.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html',
 recommended_action: 'Modify ELBv2 listeners with the latest predefined AWS security policies.',
 apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeListeners'],
- realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:CreateListener', 'elasticloadbalancing:ModifyListener'],
+ realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:CreateListener', 'elbv2:ModifyListener'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elbv2/elbv2DeregistrationDelay.js b/plugins/aws/elbv2/elbv2DeregistrationDelay.js
index a5b2b5531f..1e0854282c 100644
--- a/plugins/aws/elbv2/elbv2DeregistrationDelay.js
+++ b/plugins/aws/elbv2/elbv2DeregistrationDelay.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#deregistration-delay',
 recommended_action: 'Update ELBv2 target group attributes and set the deregistration delay value',
 apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeTargetGroups', 'ELBv2:describeTargetGroupAttributes'],
- realtime_triggers: ['elasticloadbalancing:CreateTargetGroup', 'elasticloadbalancing:ModifyTargetGroupAttributes'],
+ realtime_triggers: ['elbv2:CreateTargetGroup', 'elbv2:ModifyTargetGroupAttributes'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elbv2/elbv2HasTags.js b/plugins/aws/elbv2/elbv2HasTags.js
index 04efbc32ee..dadcdc8265 100644
--- a/plugins/aws/elbv2/elbv2HasTags.js
+++ b/plugins/aws/elbv2/elbv2HasTags.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_AddTags.html',
 recommended_action: 'Modify ELBv2 and add tags.',
 apis: ['ELBv2:describeLoadBalancers', 'ResourceGroupsTaggingAPI:getResources'],
- realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:AddTags', 'elasticloadbalancing:RemoveTags'],
+ realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:AddTags', 'elbv2:RemoveTags'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elbv2/elbv2HttpsOnly.js b/plugins/aws/elbv2/elbv2HttpsOnly.js
index 2f4895bf50..8192897b43 100644
--- a/plugins/aws/elbv2/elbv2HttpsOnly.js
+++ b/plugins/aws/elbv2/elbv2HttpsOnly.js
@@ -20,7 +20,7 @@ module.exports = {
 apis_remediate: ['ELBv2:describeLoadBalancers','ELBv2:describeListeners'],
 actions: {remediate: ['ELBv2:deleteListener'], rollback: ['ELBv2:createListener']},
 permissions: {remediate: ['elasticloadbalancing:DeleteListener'], rollback: ['elasticloadbalancing:CreateListener']},
- realtime_triggers: ['elasticloadbalancing:CreateListener','elasticloadbalancing:CreateLoadBalancer'],
+ realtime_triggers: ['elbv2:CreateListener','elbv2:CreateLoadBalancer'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elbv2/elbv2InsecureCiphers.js b/plugins/aws/elbv2/elbv2InsecureCiphers.js
index 4a2549544c..7727b87ccf 100644
--- a/plugins/aws/elbv2/elbv2InsecureCiphers.js
+++ b/plugins/aws/elbv2/elbv2InsecureCiphers.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.htmll',
 recommended_action: 'Modify ELBv2 listeners with the predefined AWS security policies containing secure ciphers.',
 apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeListeners'],
- realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:CreateListener', 'elasticloadbalancing:ModifyListener'],
+ realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:CreateListener', 'elbv2:ModifyListener'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elbv2/elbv2LoggingEnabled.js b/plugins/aws/elbv2/elbv2LoggingEnabled.js
index 4fc6ce538f..6d91577ad1 100644
--- a/plugins/aws/elbv2/elbv2LoggingEnabled.js
+++ b/plugins/aws/elbv2/elbv2LoggingEnabled.js
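Review bot: The elbv2HttpsOnly list stops at `['elbv2:CreateListener','elbv2:CreateLoadBalancer']`, so a listener that is switched from HTTPS to HTTP through ModifyListener, or an HTTPS listener removed with DeleteListener, will not re-run this check even though both leave the load balancer in the state the plugin is meant to flag. The other listener-oriented elbv2 hunks in this commit (elbv2DeprecatedSslPolicies, elbv2InsecureCiphers, elbv2NlbListenerSecurity) already include ModifyListener, and the latter DeleteListener too. Suggested line: `realtime_triggers: ['elbv2:CreateListener','elbv2:CreateLoadBalancer','elbv2:ModifyListener','elbv2:DeleteListener'],`.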
@@ -22,7 +22,7 @@ module.exports = {
 pci: 'PCI requires logging of all network access to environments containing ' +
 'cardholder data. Enable ELB logs to log these network requests.'
 },
- realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:ModifyLoadBalancerAttributes'],
+ realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:ModifyLoadBalancerAttributes'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elbv2/elbv2MinimumTargetInstances.js b/plugins/aws/elbv2/elbv2MinimumTargetInstances.js
index bf9f445037..90d5472560 100644
--- a/plugins/aws/elbv2/elbv2MinimumTargetInstances.js
+++ b/plugins/aws/elbv2/elbv2MinimumTargetInstances.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html',
 recommended_action: 'Associate at least two healthy target instances to AWS ELBv2 load balancer',
 apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeTargetGroups', 'ELBv2:describeTargetHealth'],
- realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:ModifyTargetGroup','elasticloadbalancing:RegisterTarget', 'elasticloadbalancing:DeregisterTargets'],
+ realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:ModifyTargetGroup','elbv2:RegisterTarget', 'elbv2:DeregisterTargets'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elbv2/elbv2NlbListenerSecurity.js b/plugins/aws/elbv2/elbv2NlbListenerSecurity.js
index 34a66521e4..17c93e97ca 100644
--- a/plugins/aws/elbv2/elbv2NlbListenerSecurity.js
+++ b/plugins/aws/elbv2/elbv2NlbListenerSecurity.js
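Review bot: The elbv2MinimumTargetInstances line carries `'elbv2:RegisterTarget'` next to `'elbv2:DeregisterTargets'`; the ELBv2 action is RegisterTargets (plural, like its counterpart), so the register side of this trigger never matches and a target added to a group does not re-evaluate the minimum-instance check. The elbv2UnhealthyInstance hunk at the end of this chunk has the same `'elbv2:RegisterTarget'` and additionally `'elbv2:ModifyTargetGroups'`, where this file and the API use ModifyTargetGroup. Suggested line here: `realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:ModifyTargetGroup','elbv2:RegisterTargets', 'elbv2:DeregisterTargets'],`, with the corresponding two fixes in elbv2UnhealthyInstance.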
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.amazonaws.cn/en_us/elasticloadbalancing/latest/network/create-tls-listener.html',
 recommended_action: 'Attach TLS listener to AWS Network Load Balancer',
 apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeListeners'],
- realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:CreateListener', 'elasticloadbalancing:ModifyListener'],
+ realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:CreateListener', 'elbv2:ModifyListener','elbv2:DeleteListener'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elbv2/elbv2NoInstances.js b/plugins/aws/elbv2/elbv2NoInstances.js
index e7df806dde..3d6ddc97cd 100644
--- a/plugins/aws/elbv2/elbv2NoInstances.js
+++ b/plugins/aws/elbv2/elbv2NoInstances.js
@@ -24,7 +24,7 @@ module.exports = {
 remediate: ['elasticloadbalancing:DeleteLoadBalancer'],
 rollback: ['elasticloadbalancing:CreateLoadBalancer']
 },
- realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer'],
+ realtime_triggers: ['elbv2:CreateLoadBalancer','elbv2:DeleteLoadBalancer'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elbv2/elbv2SslTermination.js b/plugins/aws/elbv2/elbv2SslTermination.js
index 6961be6bd3..954ee9d8a4 100644
--- a/plugins/aws/elbv2/elbv2SslTermination.js
+++ b/plugins/aws/elbv2/elbv2SslTermination.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://aws.amazon.com/blogs/aws/elastic-load-balancer-support-for-ssl-termination/',
 recommended_action: 'Attach SSL certificate with the listener to AWS Elastic Load Balancer',
 apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeListeners'],
- realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:CreateListeners'],
+ realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:CreateListeners','elbv2:ModifyListener'],

 run: function(cache, settings, callback) {
 var results = [];
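Review bot: `'elbv2:CreateListeners'` on the `+` line of the elbv2SslTermination hunk is plural, whereas every other ELBv2 hunk in this commit uses `'elbv2:CreateListener'`, which is the API action name; the typo predates this commit but the rewrite keeps it, so a newly created listener presumably still does not trigger this check. I would change the line to `realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:CreateListener', 'elbv2:ModifyListener'],`. In the elbv2NoInstances hunk just above, registering or deregistering targets also changes whether a load balancer has instances behind it, but that gap predates this change.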
diff --git a/plugins/aws/elbv2/elbv2TLSVersionCipherEnabled.js b/plugins/aws/elbv2/elbv2TLSVersionCipherEnabled.js
index 029ad4f270..697344ab98 100644
--- a/plugins/aws/elbv2/elbv2TLSVersionCipherEnabled.js
+++ b/plugins/aws/elbv2/elbv2TLSVersionCipherEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html',
 recommended_action: 'Update ELBv2 load balancer traffic configuration to enable TLS version and cipher headers',
 apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeLoadBalancerAttributes'],
- realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:ModifyLoadBalancerAttributes'],
+ realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:ModifyLoadBalancerAttributes'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elbv2/elbv2UnhealthyInstance.js b/plugins/aws/elbv2/elbv2UnhealthyInstance.js
index dcaa8c6bb3..a2c7bbd551 100644
--- a/plugins/aws/elbv2/elbv2UnhealthyInstance.js
+++ b/plugins/aws/elbv2/elbv2UnhealthyInstance.js
@@ -11,7 +11,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/target-group-health-checks.html',
 recommended_action: 'Investigate and resolve the health issues with the instances attached to the ELB.',
 apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeTargetGroups', 'ELBv2:describeTargetHealth'],
- realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:ModifyTargetGroups', 'elasticloadbalancing:RegisterTarget', 'elasticloadbalancing:DeregisterTargets'],
+ realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:ModifyTargetGroups', 'elbv2:RegisterTarget', 'elbv2:DeregisterTargets'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elbv2/elbv2WafEnabled.js b/plugins/aws/elbv2/elbv2WafEnabled.js
index 0ca97f0a97..4a14b7252f 100644
--- a/plugins/aws/elbv2/elbv2WafEnabled.js
+++ b/plugins/aws/elbv2/elbv2WafEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://aws.amazon.com/blogs/aws/aws-web-application-firewall-waf-for-application-load-balancers/',
 recommended_action: '1. Enter the WAF service. 2. Enter Web ACLs and filter by the region the Application Load Balancer is in. 3. If no Web ACL is found, Create a new Web ACL in the region the ALB resides and in Resource type to associate with web ACL, select the Load Balancer. ',
 apis: ['ELBv2:describeLoadBalancers', 'WAFV2:listWebACLs', 'WAFRegional:listWebACLs', 'WAFV2:listResourcesForWebACL', 'WAFRegional:listResourcesForWebACL'],
- realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'wafv2:CreateWebAcl', 'wafv2:UpdateWebAacl', 'wafregional:CreateWebAcl', 'wafregional:UpdateWebAcl'],
+ realtime_triggers: ['elbv2:CreateLoadBalancer', 'wafv2:CreateWebAcl', 'wafv2:UpdateWebAacl', 'wafregional:CreateWebAcl', 'wafregional:UpdateWebAcl'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elbv2/elbv2crosszoneLoadBalancing.js b/plugins/aws/elbv2/elbv2crosszoneLoadBalancing.js
index b565f0c3c1..701e457e76 100644
--- a/plugins/aws/elbv2/elbv2crosszoneLoadBalancing.js
+++ b/plugins/aws/elbv2/elbv2crosszoneLoadBalancing.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html',
 recommended_action: 'Update AWS ELBv2 load balancers to enable cross zone load balancing.',
 apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeLoadBalancerAttributes'],
- realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:ModifyLoadBalancerAttributes'],
+ realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:ModifyLoadBalancerAttributes'],

 run: function(cache, settings, callback) {
 var results = [];
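Review bot: `'wafv2:UpdateWebAacl'` on the `+` line of the elbv2WafEnabled hunk carries a typo over from the old line (doubled `a`), so Web ACL updates presumably never match. More important for this particular check, the event that changes whether an ALB is protected is the association call, and neither `wafv2:AssociateWebACL` nor `wafregional:AssociateWebACL` (the latter is already used by the apigatewayWafEnabled hunk later on this page) nor their `DisassociateWebACL` counterparts appear here. I would fix the typo and append the association events: `realtime_triggers: ['elbv2:CreateLoadBalancer', 'wafv2:CreateWebAcl', 'wafv2:UpdateWebAcl', 'wafv2:AssociateWebACL', 'wafv2:DisassociateWebACL', 'wafregional:CreateWebAcl', 'wafregional:UpdateWebAcl', 'wafregional:AssociateWebACL', 'wafregional:DisassociateWebACL'],`; nothing in the hunk shows whether matching is case-sensitive, so the existing `Acl` casing is left as the author wrote it.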
diff --git a/plugins/aws/emr/emrClusterInVPC.js b/plugins/aws/emr/emrClusterInVPC.js
index 935f505f7d..1d246792f5 100644
--- a/plugins/aws/emr/emrClusterInVPC.js
+++ b/plugins/aws/emr/emrClusterInVPC.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-vpc-launching-job-flows.htmll',
 recommended_action: 'EMR clusters Available in VPC',
 apis: ['EC2:describeAccountAttributes','EMR:listClusters', 'EMR:describeCluster'],
- realtime_triggers: ['emr:CreateCluster'],
+ realtime_triggers: ['emr:CreateCluster','emr:TerminateJobFlows'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/emr/emrClusterLogging.js b/plugins/aws/emr/emrClusterLogging.js
index e10e9f7986..e3d252d1e4 100644
--- a/plugins/aws/emr/emrClusterLogging.js
+++ b/plugins/aws/emr/emrClusterLogging.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-debugging.html',
 recommended_action: 'Modify EMR clusters to enable cluster logging',
 apis: ['EMR:listClusters', 'EMR:describeCluster'],
- realtime_triggers: ['emr:CreateCluster'],
+ realtime_triggers: ['emr:CreateCluster','emr:TerminateJobFlows'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/emr/emrEncryptionAtRest.js b/plugins/aws/emr/emrEncryptionAtRest.js
index b51a45f99e..943fb7b722 100644
--- a/plugins/aws/emr/emrEncryptionAtRest.js
+++ b/plugins/aws/emr/emrEncryptionAtRest.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-data-encryption-options.html',
 recommended_action: 'Update security configuration associated with EMR cluster to enable encryption at rest for local disks.',
 apis: ['EMR:listClusters', 'EMR:describeCluster', 'EMR:describeSecurityConfiguration'],
- realtime_triggers: ['emr:CreateCluster', 'emr:CreateSecurityConfiguration'],
+ realtime_triggers: ['emr:CreateCluster', 'emr:CreateSecurityConfiguration','emr:DeleteSecurityConfiguration'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/emr/emrEncryptionInTransit.js b/plugins/aws/emr/emrEncryptionInTransit.js
index e64f6b8e34..bf43ee900c 100644
--- a/plugins/aws/emr/emrEncryptionInTransit.js
+++ b/plugins/aws/emr/emrEncryptionInTransit.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-data-encryption-options.html',
 recommended_action: 'Update security configuration associated with EMR cluster to enable encryption in transit.',
 apis: ['EMR:listClusters', 'EMR:describeCluster', 'EMR:describeSecurityConfiguration'],
- realtime_triggers: ['emr:CreateCluster', 'emr:CreateSecurityConfiguration'],
+ realtime_triggers: ['emr:CreateCluster', 'emr:CreateSecurityConfiguration','emr: DeleteSecurityConfiguration'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/eventbridge/eventBusCrossAccountAccess.js b/plugins/aws/eventbridge/eventBusCrossAccountAccess.js
index 60dcc6d85d..6f7ce03cbf 100644
--- a/plugins/aws/eventbridge/eventBusCrossAccountAccess.js
+++ b/plugins/aws/eventbridge/eventBusCrossAccountAccess.js
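Review bot: `'emr: DeleteSecurityConfiguration'` on the `+` line of the emrEncryptionInTransit hunk has a space after the colon, so it cannot match the way the identically intended `'emr:DeleteSecurityConfiguration'` in the emrEncryptionAtRest hunk just above does. The line should read `realtime_triggers: ['emr:CreateCluster', 'emr:CreateSecurityConfiguration','emr:DeleteSecurityConfiguration'],`. A unit test that asserts every `realtime_triggers` entry matches `^[a-z0-9]+:[A-Za-z0-9]+$` would have caught this and several other malformed entries in this patch series.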
@@ -37,7 +37,7 @@ module.exports = {
 default: 'aws:PrincipalArn,aws:PrincipalAccount,aws:PrincipalOrgID,aws:SourceAccount,aws:SourceArn,aws:SourceOwner'
 },
 },
- realtime_triggers: ['eventbridge:CreateEventBus'],
+ realtime_triggers: ['eventbridge:CreateEventBus','eventbridge:PutPermission'],

 run: function(cache, settings, callback) {
 var config= {
diff --git a/plugins/aws/eventbridge/eventBusPublicAccess.js b/plugins/aws/eventbridge/eventBusPublicAccess.js
index 233ede8d51..5b5a4f5f6f 100644
--- a/plugins/aws/eventbridge/eventBusPublicAccess.js
+++ b/plugins/aws/eventbridge/eventBusPublicAccess.js
@@ -19,7 +19,7 @@ module.exports = {
 default: 'aws:PrincipalArn,aws:PrincipalAccount,aws:PrincipalOrgID,aws:SourceOwner,aws:SourceArn,aws:SourceAccount'
 }
 },
- realtime_triggers: ['eventbridge:CreateEventBus', 'eventbridge:PutRule', 'eventbridge:PutTarget'],
+ realtime_triggers: ['eventbridge:CreateEventBus', 'eventbridge:PutRule', 'eventbridge:PutTarget','eventbridge:PutPermission'],

 run: function(cache, settings, callback) {
 var results = [];
From 80d1449f4895a7235f54627f833e44ccf7e8140b Mon Sep 17 00:00:00 2001
From: --global
Date: Tue, 19 Sep 2023 14:07:47 +0500
Subject: [PATCH 025/498] fixed
---
 plugins/aws/elb/insecureCiphers.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/aws/elb/insecureCiphers.js b/plugins/aws/elb/insecureCiphers.js
index 6444266dcb..3502d1bdf3 100644
--- a/plugins/aws/elb/insecureCiphers.js
+++ b/plugins/aws/elb/insecureCiphers.js
@@ -92,7 +92,7 @@ module.exports = {
 pci: 'PCI requires secure transfer of cardholder data. It does not permit SSL or TLS ' +
 'version 1.0. ELB listeners should be configured for TLS v1.2.'
 },
- realtime_triggers: ['elb:CreateLoadBalancer', 'elb:ModifyLoadBalancerAttributes'],
+ realtime_triggers: ['elb:CreateLoadBalancer','elb:CreateLoadBalancerPolicy', 'elb:DeleteLoadBalancerPolicy'],

 run: function(cache, settings, callback) {
 var results = [];
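Review bot: Adding `eventbridge:PutPermission` to the eventBusCrossAccountAccess hunk (and to the eventBusPublicAccess hunk next to it) covers granting access, but the counterpart `eventbridge:RemovePermission` is what withdraws a cross-account or public grant, so a policy that has just been fixed will presumably keep its old result until the next scheduled scan; I would append `'eventbridge:RemovePermission'` to both lists. The eventBusPublicAccess list also keeps `'eventbridge:PutTarget'` where the API action is `PutTargets`; that predates this change but belonged in the same edit.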
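Review bot: The new trigger list on the `+` line of the insecureCiphers hunk reacts to a policy being created or deleted, but a cipher policy only affects a listener once it is bound to one, and the classic ELB call for that is `elb:SetLoadBalancerPoliciesOfListener`, which is absent; a listener switched to a weaker predefined policy would presumably not be re-checked, nor would a listener added with `elb:CreateLoadBalancerListeners`. I would write `realtime_triggers: ['elb:CreateLoadBalancer', 'elb:CreateLoadBalancerListeners', 'elb:CreateLoadBalancerPolicy', 'elb:DeleteLoadBalancerPolicy', 'elb:SetLoadBalancerPoliciesOfListener'],`. The commit message "fixed" does not say what was wrong with the previous list, which makes the intent of the change hard to review.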
From 89eb8bbed38f6ce206b0f74d795bda3ba3d450b9 Mon Sep 17 00:00:00 2001
From: muzzamilinovaqo
Date: Tue, 19 Sep 2023 17:42:40 +0500
Subject: [PATCH 026/498] updated triggers for A and B
---
 plugins/aws/accessanalyzer/accessAnalyzerActiveFindings.js | 2 +-
 plugins/aws/acm/acmCertificateHasTags.js | 2 +-
 plugins/aws/acm/acmSingleDomainNameCertificate.js | 2 +-
 plugins/aws/acm/acmValidation.js | 2 +-
 plugins/aws/apigateway/apigatewayAuthorization.js | 2 +-
 plugins/aws/apigateway/apigatewayCertificateRotation.js | 2 +-
 plugins/aws/apigateway/apigatewayWafEnabled.js | 2 +-
 plugins/aws/appflow/flowEncrypted.js | 2 +-
 plugins/aws/apprunner/serviceEncrypted.js | 2 +-
 plugins/aws/auditmanager/auditmanagerDataEncrypted.js | 2 +-
 plugins/aws/autoscaling/appTierAsgApprovedAmi.js | 2 +-
 plugins/aws/autoscaling/appTierIamRole.js | 2 +-
 plugins/aws/autoscaling/asgMissingELB.js | 2 +-
 plugins/aws/autoscaling/asgMissingSecurityGroups.js | 2 +-
 plugins/aws/autoscaling/sameAzElb.js | 2 +-
 plugins/aws/autoscaling/webTierAsgApprovedAmi.js | 3 +--
 plugins/aws/autoscaling/webTierIamRole.js | 2 +-
 plugins/aws/backup/backupDeletionProtection.js | 2 +-
 plugins/aws/backup/backupVaultHasTags.js | 2 +-
 plugins/aws/backup/backupVaultPolicies.js | 2 +-
 20 files changed, 20 insertions(+), 21 deletions(-)
diff --git a/plugins/aws/accessanalyzer/accessAnalyzerActiveFindings.js b/plugins/aws/accessanalyzer/accessAnalyzerActiveFindings.js
index c570878e3f..1f4708524e 100644
--- a/plugins/aws/accessanalyzer/accessAnalyzerActiveFindings.js
+++ b/plugins/aws/accessanalyzer/accessAnalyzerActiveFindings.js
@@ -11,7 +11,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-work-with-findings.html',
 recommended_action: 'Investigate into active findings in your account and do the needful until you have zero active findings.',
 apis: ['AccessAnalyzer:listAnalyzers', 'AccessAnalyzer:listFindings'],
- realtime_triggers: ['accessanalyzer:CreateAnalyzer','accessanalyzer:CreateArchiveRule','accessanalyzer:UpdateArchiveRule'],
+ realtime_triggers: ['accessanalyzer:CreateAnalyzer','accessanalyzer:CreateArchiveRule','accessanalyzer:StartResourceScan'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/acm/acmCertificateHasTags.js b/plugins/aws/acm/acmCertificateHasTags.js
index 51bbb92767..397bd057d8 100644
--- a/plugins/aws/acm/acmCertificateHasTags.js
+++ b/plugins/aws/acm/acmCertificateHasTags.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/acm/latest/userguide/tags.html',
 recommended_action: 'Modify ACM certificate and add tags.',
 apis: ['ACM:listCertificates', 'ResourceGroupsTaggingAPI:getResources'],
- realtime_triggers: ['acm:RequestCertificate','acm:ImportCertificate','acm:AddTagsToCertificate', 'acm:RemoveTagsFromCertificate'],
+ realtime_triggers: ['acm:RequestCertificate','acm:AddTagsToCertificate', 'acm:RemoveTagsFromCertificate'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/acm/acmSingleDomainNameCertificate.js b/plugins/aws/acm/acmSingleDomainNameCertificate.js
index a649c1628d..6e56ea80c5 100644
--- a/plugins/aws/acm/acmSingleDomainNameCertificate.js
+++ b/plugins/aws/acm/acmSingleDomainNameCertificate.js
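Review bot: Replacing `UpdateArchiveRule` with `StartResourceScan` on the `+` line of the accessAnalyzerActiveFindings hunk leaves no trigger for the call that changes a finding's status directly: `accessanalyzer:UpdateFindings` archives or restores existing findings, which is exactly what moves the active-findings count this check reports. Archive rules also decide which new findings count as active, so I would append `'accessanalyzer:UpdateFindings'` rather than drop `UpdateArchiveRule`. The commit description does not say why the rule-update trigger was removed.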
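Review bot: Dropping `acm:ImportCertificate` from the acmCertificateHasTags hunk means a certificate imported into ACM, which `ACM:listCertificates` returns like any other and which may carry no tags, is not evaluated until the next scheduled scan; `RequestCertificate` only covers ACM-issued certificates. The same removal is made in the acmSingleDomainNameCertificate and acmValidation hunks on the next line, where it is defensible for acmValidation (imported certificates presumably have no validation method to check) but not for the wildcard check, since an imported wildcard certificate is still a wildcard. I would keep this line as `realtime_triggers: ['acm:RequestCertificate','acm:ImportCertificate','acm:AddTagsToCertificate', 'acm:RemoveTagsFromCertificate'],`.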
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html',
 recommended_action: 'Configure ACM managed certificates to use single name domain instead of wildcards.',
 apis: ['ACM:listCertificates', 'ACM:describeCertificate'],
- realtime_triggers: ['acm:RequestCertificate','acm:ImportCertificate'],
+ realtime_triggers: ['acm:RequestCertificate'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/acm/acmValidation.js b/plugins/aws/acm/acmValidation.js
index a1668e57bf..ea246e68ca 100644
--- a/plugins/aws/acm/acmValidation.js
+++ b/plugins/aws/acm/acmValidation.js
@@ -11,7 +11,7 @@ module.exports = {
 cs_link: 'https://cloudsploit.com/remediations/aws/acm/acm-certificate-validation',
 recommended_action: 'Configure ACM managed certificates to use DNS validation.',
 apis: ['ACM:listCertificates', 'ACM:describeCertificate'],
- realtime_triggers: ['acm:RequestCertificate','acm:ImportCertificate'],
+ realtime_triggers: ['acm:RequestCertificate'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayAuthorization.js b/plugins/aws/apigateway/apigatewayAuthorization.js
index 7bde9401aa..01aa078557 100644
--- a/plugins/aws/apigateway/apigatewayAuthorization.js
+++ b/plugins/aws/apigateway/apigatewayAuthorization.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Modify API Gateway configuration and ensure that appropriate authorizers are set up for each API.',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html',
 apis: ['APIGateway:getRestApis', 'APIGateway:getAuthorizers'],
- realtime_triggers: ['apigateway:CreateRestApi','apigateway:CreateAuthorizer'],
+ realtime_triggers: ['apigateway:CreateRestApi','apigateway:ImportRestApi','apigateway:CreateAuthorizer'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayCertificateRotation.js b/plugins/aws/apigateway/apigatewayCertificateRotation.js
index 6aa81501e3..edd4ce6c92 100644
--- a/plugins/aws/apigateway/apigatewayCertificateRotation.js
+++ b/plugins/aws/apigateway/apigatewayCertificateRotation.js
@@ -18,7 +18,7 @@ module.exports = {
 default: '30',
 }
 },
- realtime_triggers: ['apigateway:CreateRestApi','apigateway:GenerateClientCertificate','apigateway:DeleteClientCertificate'],
+ realtime_triggers: ['apigateway:CreateRestApi','apigateway:GenerateClientCertificate'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayWafEnabled.js b/plugins/aws/apigateway/apigatewayWafEnabled.js
index 8d6be873fb..8901726250 100644
--- a/plugins/aws/apigateway/apigatewayWafEnabled.js
+++ b/plugins/aws/apigateway/apigatewayWafEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Associate API Gateway API with Web Application Firewall',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html',
 apis: ['APIGateway:getRestApis', 'APIGateway:getStages'],
- realtime_triggers: ['apigateway:CreateRestApi','wafregional:AssociateWebACL'],
+ realtime_triggers: ['apigateway:CreateStage','wafregional:AssociateWebACL'],

 run: function(cache, settings, callback) {
diff --git a/plugins/aws/appflow/flowEncrypted.js b/plugins/aws/appflow/flowEncrypted.js
index 62dae9d518..969b4d1fdb 100644
--- a/plugins/aws/appflow/flowEncrypted.js
+++ b/plugins/aws/appflow/flowEncrypted.js
@@ -19,7 +19,7 @@ module.exports = {
 default: 'awscmk',
 }
 },
- realtime_triggers: ['appflow:CreateFlow','appflow:UpdateFlow'],
+ realtime_triggers: ['appflow:CreateFlow'],

 run: function(cache, settings, callback) {
diff --git a/plugins/aws/apprunner/serviceEncrypted.js b/plugins/aws/apprunner/serviceEncrypted.js
index ef5ac901c9..fdf37170cc 100644
--- a/plugins/aws/apprunner/serviceEncrypted.js
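Review bot: Switching the apigatewayWafEnabled trigger to `apigateway:CreateStage` fits a check that reads `APIGateway:getStages`, but the `+` line only lists `wafregional:AssociateWebACL`; a Web ACL attached through WAFv2 (`wafv2:AssociateWebACL`) or removed with either service's `DisassociateWebACL` will not re-run the check. I would write `realtime_triggers: ['apigateway:CreateStage', 'apigateway:UpdateStage', 'wafregional:AssociateWebACL', 'wafregional:DisassociateWebACL', 'wafv2:AssociateWebACL', 'wafv2:DisassociateWebACL'],`. In the apigatewayCertificateRotation hunk just above, dropping `DeleteClientCertificate` also removes the event that clears an expired client certificate from the account, which presumably changes that check's result as well.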
+++ b/plugins/aws/apprunner/serviceEncrypted.js
@@ -19,7 +19,7 @@ module.exports = {
 default: 'awscmk'
 }
 },
- realtime_triggers: ['apprunner:CreateService','apprunner:UpdateService'],
+ realtime_triggers: ['apprunner:CreateService'],

 run: function(cache, settings, callback) {
diff --git a/plugins/aws/auditmanager/auditmanagerDataEncrypted.js b/plugins/aws/auditmanager/auditmanagerDataEncrypted.js
index 0d2f2086f1..e579d9caef 100644
--- a/plugins/aws/auditmanager/auditmanagerDataEncrypted.js
+++ b/plugins/aws/auditmanager/auditmanagerDataEncrypted.js
@@ -19,7 +19,7 @@ module.exports = {
 default: 'awscmk',
 }
 },
- realtime_triggers: ['auditmanager:UpdateSettings'],
+ realtime_triggers: ['auditmanager:registerAccount','auditmanager:UpdateSettings'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/appTierAsgApprovedAmi.js b/plugins/aws/autoscaling/appTierAsgApprovedAmi.js
index 27e607d5d1..3e56b1c029 100644
--- a/plugins/aws/autoscaling/appTierAsgApprovedAmi.js
+++ b/plugins/aws/autoscaling/appTierAsgApprovedAmi.js
@@ -24,7 +24,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup'],
+ realtime_triggers: ['autoscaling:createLaunchConfiguration'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/appTierIamRole.js b/plugins/aws/autoscaling/appTierIamRole.js
index 1e36a6a5ee..c3ba123a49 100644
--- a/plugins/aws/autoscaling/appTierIamRole.js
+++ b/plugins/aws/autoscaling/appTierIamRole.js
@@ -18,7 +18,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup'],
+ realtime_triggers: ['autoscaling:createLaunchConfiguration'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/asgMissingELB.js b/plugins/aws/autoscaling/asgMissingELB.js
index 44973d905f..12a3eb1b08 100644
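Review bot: `'auditmanager:registerAccount'` on the `+` line of the auditmanagerDataEncrypted hunk starts the action with a lowercase letter while the API action and the neighbouring `UpdateSettings` entry are PascalCase; unless matching is case-insensitive, which nothing on this page establishes, the new trigger never fires. The same lowercase slip appears as `'autoscaling:createLaunchConfiguration'` in the appTierAsgApprovedAmi and appTierIamRole hunks below and in the webTierAsgApprovedAmi and webTierIamRole hunks two lines further on, while asgMissingSecurityGroups in this same commit spells it `'autoscaling:CreateLaunchConfiguration'`. I would normalise all five to PascalCase, e.g. `realtime_triggers: ['auditmanager:RegisterAccount','auditmanager:UpdateSettings'],`.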
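Review bot: The appTierAsgApprovedAmi and appTierIamRole hunks replace the auto scaling group triggers with a launch-configuration one, but these checks report per ASG, and an ASG is pointed at a different launch configuration (hence a different AMI or instance profile) through `autoscaling:UpdateAutoScalingGroup`, which is now gone; the same applies to the webTierAsgApprovedAmi and webTierIamRole hunks two lines down. Groups built on launch templates are covered by neither form, though whether these checks handle launch templates at all is not visible in the hunks. I would keep the group-level triggers alongside the new one: `realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup','autoscaling:CreateLaunchConfiguration'],`.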
--- a/plugins/aws/auto scaling/asgMissingELB.js
+++ b/plugins/aws/autoscaling/asgMissingELB.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/attach-load-balancer-asg.html',
 recommended_action: 'Ensure that the Auto Scaling group load balancer has not been deleted. If so, remove it from the ASG.',
 apis: ['AutoScaling:describeAutoScalingGroups', 'ELB:describeLoadBalancers', 'ELBv2:describeLoadBalancers'],
- realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:AttachLoadBalancers'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:AttachLoadBalancers','autoscaling:DetachLoadBalancers'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/asgMissingSecurityGroups.js b/plugins/aws/autoscaling/asgMissingSecurityGroups.js
index 3b8b5da7e7..269caba0eb 100644
--- a/plugins/aws/autoscaling/asgMissingSecurityGroups.js
+++ b/plugins/aws/autoscaling/asgMissingSecurityGroups.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/GettingStartedTutorial.html',
 recommended_action: 'Ensure that the launch configuration security group has not been deleted. If so, remove it from launch configurations',
 apis: ['AutoScaling:describeLaunchConfigurations', 'EC2:describeSecurityGroups'],
- realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup'],
+ realtime_triggers: ['autoscaling:CreateLaunchConfiguration'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/sameAzElb.js b/plugins/aws/autoscaling/sameAzElb.js
index 0389398a3b..6f8112a622 100644
--- a/plugins/aws/autoscaling/sameAzElb.js
+++ b/plugins/aws/autoscaling/sameAzElb.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-add-availability-zone.html',
 recommended_action: 'Update the ELB to use the same availability zones as the autoscaling group.',
 apis: ['AutoScaling:describeAutoScalingGroups', 'ELB:describeLoadBalancers', 'ELBv2:describeLoadBalancers'],
- realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup','ec2:CreateNetworkInterface'],
diff --git a/plugins/aws/autoscaling/webTierAsgApprovedAmi.js b/plugins/aws/autoscaling/webTierAsgApprovedAmi.js
index 88e16c9f62..fef285aa3a 100644
--- a/plugins/aws/autoscaling/webTierAsgApprovedAmi.js
+++ b/plugins/aws/autoscaling/webTierAsgApprovedAmi.js
@@ -24,8 +24,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup'],
-
+ realtime_triggers: ['autoscaling:createLaunchConfiguration'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/webTierIamRole.js b/plugins/aws/autoscaling/webTierIamRole.js
index ec48122145..7b786cfe5f 100644
--- a/plugins/aws/autoscaling/webTierIamRole.js
+++ b/plugins/aws/autoscaling/webTierIamRole.js
@@ -18,7 +18,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup'],
+ realtime_triggers: ['autoscaling:createLaunchConfiguration'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/backup/backupDeletionProtection.js b/plugins/aws/backup/backupDeletionProtection.js
index d0bcfd5e07..6d1bbae594 100644
--- a/plugins/aws/backup/backupDeletionProtection.js
+++ b/plugins/aws/backup/backupDeletionProtection.js
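Review bot: `'ec2:CreateNetworkInterface'` on the `+` line of the sameAzElb hunk does not change which availability zones an ELB or an ASG spans, so it is unclear what it is meant to catch; the load balancer side of this comparison changes through `elb:EnableAvailabilityZonesForLoadBalancer`, `elb:DisableAvailabilityZonesForLoadBalancer` and, for ELBv2, `elbv2:SetSubnets`, while the ASG side is already covered by the `UpdateAutoScalingGroup` entry. I would replace the EC2 entry with those load balancer events. The trailing context lines of this hunk appear to have been lost in extraction, so the hunk is shown incomplete here.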
@@ -11,7 +11,7 @@ module.exports = {
 recommended_action: 'Add a statement in Backup vault access policy which denies global access to action: backup:DeleteRecoveryPoint',
 link: 'https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-a-vault-access-policy.html',
 apis: ['Backup:listBackupVaults', 'Backup:getBackupVaultAccessPolicy'],
- realtime_triggers: ['backup:CreateBackupVault','backup:PutBackupVaultAccessPolicy'],
+ realtime_triggers: ['backup:PutBackupVaultAccessPolicy'],

 run: function(cache, settings, callback) {
diff --git a/plugins/aws/backup/backupVaultHasTags.js b/plugins/aws/backup/backupVaultHasTags.js
index 6bc7556f01..b17a84ca71 100644
--- a/plugins/aws/backup/backupVaultHasTags.js
+++ b/plugins/aws/backup/backupVaultHasTags.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Modify Backup Vault and add tags.',
 link: 'https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-a-vault.html',
 apis: ['Backup:listBackupVaults', 'ResourceGroupsTaggingAPI:getResources'],
- realtime_triggers: ['backup:CreateBackupVault','backup:TagResource'],
+ realtime_triggers: ['backup:CreateBackupVault','backup:TagResource','backup:UntagResource'],

 run: function(cache, settings, callback) {
diff --git a/plugins/aws/backup/backupVaultPolicies.js b/plugins/aws/backup/backupVaultPolicies.js
index 106a7534ea..32733f75d8 100644
--- a/plugins/aws/backup/backupVaultPolicies.js
+++ b/plugins/aws/backup/backupVaultPolicies.js
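Review bot: Dropping `backup:CreateBackupVault` from the backupDeletionProtection hunk (and identically from the backupVaultPolicies hunk on the next line) means a brand-new vault, which has no access policy and therefore no deny statement for `backup:DeleteRecoveryPoint`, is not evaluated until the next scheduled scan even though this check's own `recommended_action` describes exactly that state as the failure. `backup:DeleteBackupVaultAccessPolicy`, which removes an existing policy, is also absent from both lists. I would use `realtime_triggers: ['backup:CreateBackupVault','backup:PutBackupVaultAccessPolicy','backup:DeleteBackupVaultAccessPolicy'],` in both files.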
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Ensure that all Backup Vault policies are scoped to specific services and API calls.',
 link: 'https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-a-vault-access-policy.html',
 apis: ['Backup:listBackupVaults', 'Backup:getBackupVaultAccessPolicy', 'STS:getCallerIdentity'],
- realtime_triggers: ['backup:CreateBackupVault','backup:PutBackupVaultAccessPolicy'],
+ realtime_triggers: ['backup:PutBackupVaultAccessPolicy'],

 run: function(cache, settings, callback) {
 var results = [];
From 594979bae4f3624e180d047e1c706a16f2d5855d Mon Sep 17 00:00:00 2001
From: --global
Date: Wed, 20 Sep 2023 22:46:46 +0500
Subject: [PATCH 027/498] added delete tigger
---
 plugins/aws/connect/customerProfilesDomainEncrypted.js | 2 +-
 plugins/aws/connect/instanceAttachmentsEncrypted.js | 2 +-
 plugins/aws/connect/instanceCallRecordingEncrypted.js | 2 +-
 plugins/aws/connect/instanceMediaStreamsEncrypted.js | 2 +-
 plugins/aws/connect/instanceReportsEncrypted.js | 2 +-
 plugins/aws/connect/instanceTranscriptsEncrypted.js | 2 +-
 plugins/aws/connect/voiceIdDomainEncrypted.js | 2 +-
 plugins/aws/connect/wisdomDomainEncrypted.js | 2 +-
 plugins/aws/finspace/finspaceEnvironmentEncrypted.js | 2 +-
 plugins/aws/firehose/deliveryStreamEncrypted.js | 2 +-
 plugins/aws/firehose/firehoseEncrypted.js | 2 +-
 plugins/aws/forecast/datasetExportEncrypted.js | 2 +-
 plugins/aws/forecast/forecastDatasetEncrypted.js | 2 +-
 plugins/aws/frauddetector/fraudDetectorDataEncrypted.js | 2 +-
 plugins/aws/fsx/fsxFileSystemEncrypted.js | 2 +-
 plugins/aws/glue/bookmarkEncryptionEnabled.js | 2 +-
 plugins/aws/glue/glueCloudwatchLogsEncrypted.js | 2 +-
 plugins/aws/glue/glueS3EncryptionEnabled.js | 2 +-
 plugins/aws/gluedatabrew/databrewJobOutputEncrypted.js | 2 +-
 plugins/aws/guardduty/exportedFindingsEncrypted.js | 2 +-
 plugins/aws/guardduty/guarddutyMaster.js | 2 +-
 plugins/aws/guardduty/noActiveFindings.js | 2 +-
 plugins/aws/guardduty/s3ProtectionEnabled.js | 2 +-
 plugins/aws/healthlake/dataStoreEncrypted.js | 2 +-
 24 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/plugins/aws/connect/customerProfilesDomainEncrypted.js b/plugins/aws/connect/customerProfilesDomainEncrypted.js
index fedef11522..2678a2ce1c 100644
--- a/plugins/aws/connect/customerProfilesDomainEncrypted.js
+++ b/plugins/aws/connect/customerProfilesDomainEncrypted.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 'awscmk'
 }
 },
- realtime_triggers: ['customerprofiles:CreateDomain', 'customerprofiles:UpdateDomain'],
+ realtime_triggers: ['customerprofiles:CreateDomain', 'customerprofiles:UpdateDomain', 'customerprofile:DeleteDomain'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/connect/instanceAttachmentsEncrypted.js b/plugins/aws/connect/instanceAttachmentsEncrypted.js
index 2bfbed1ae7..14be6532a3 100644
--- a/plugins/aws/connect/instanceAttachmentsEncrypted.js
+++ b/plugins/aws/connect/instanceAttachmentsEncrypted.js
@@ -19,7 +19,7 @@ module.exports = {
 default: 'awscmk'
 }
 },
- realtime_triggers: ['connect:CreateInstance', 'connect:AssociateInstanceStorageConfig', 'connect:UpdateInstanceStorageConfig'],
+ realtime_triggers: ['connect:CreateInstance', 'connect:AssociateInstanceStorageConfig', 'connect:UpdateInstanceStorageConfig', 'connect:DeleteInstance', 'connect:DisassociateInstanceStorageConfig'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/connect/instanceCallRecordingEncrypted.js b/plugins/aws/connect/instanceCallRecordingEncrypted.js
index 05e49a7fa2..e90bf9778e 100644
--- a/plugins/aws/connect/instanceCallRecordingEncrypted.js
+++ b/plugins/aws/connect/instanceCallRecordingEncrypted.js
@@ -19,7 +19,7 @@ module.exports = {
 default: 'awscmk'
 }
 },
- realtime_triggers: ['connect:CreateInstance', 'connect:AssociateInstanceStorageConfig', 'connect:UpdateInstanceStorageConfig'],
+ realtime_triggers: ['connect:CreateInstance', 'connect:AssociateInstanceStorageConfig', 'connect:UpdateInstanceStorageConfig','connect:DeleteInstance', 'connect:DisassociateInstanceStorageConfig'],

 run: function(cache, settings, callback) {
diff --git a/plugins/aws/connect/instanceMediaStreamsEncrypted.js b/plugins/aws/connect/instanceMediaStreamsEncrypted.js
index 3f8246d899..8c7c4f4b1d 100644
--- a/plugins/aws/connect/instanceMediaStreamsEncrypted.js
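Review bot: `'customerprofile:DeleteDomain'` on the `+` line of the customerProfilesDomainEncrypted hunk uses the prefix `customerprofile`, while the two entries beside it use `customerprofiles`; whatever event source the existing entries match, the new one will not. The line should read `realtime_triggers: ['customerprofiles:CreateDomain', 'customerprofiles:UpdateDomain', 'customerprofiles:DeleteDomain'],`.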
+++ b/plugins/aws/connect/instanceMediaStreamsEncrypted.js
@@ -19,7 +19,7 @@ module.exports = {
 default: 'awscmk'
 }
 },
- realtime_triggers: ['connect:CreateInstance', 'connect:AssociateInstanceStorageConfig', 'connect:UpdateInstanceStorageConfig'],
+ realtime_triggers: ['connect:CreateInstance', 'connect:AssociateInstanceStorageConfig', 'connect:UpdateInstanceStorageConfig','connect:DeleteInstance', 'connect:DisassociateInstanceStorageConfig'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/connect/instanceReportsEncrypted.js b/plugins/aws/connect/instanceReportsEncrypted.js
index 1a8ec48222..c25ca703e2 100644
--- a/plugins/aws/connect/instanceReportsEncrypted.js
+++ b/plugins/aws/connect/instanceReportsEncrypted.js
@@ -19,7 +19,7 @@ module.exports = {
 default: 'awscmk'
 }
 },
- realtime_triggers: ['connect:CreateInstance', 'connect:AssociateInstanceStorageConfig', 'connect:UpdateInstanceStorageConfig'],
+ realtime_triggers: ['connect:CreateInstance', 'connect:AssociateInstanceStorageConfig', 'connect:UpdateInstanceStorageConfig','connect:DeleteInstance', 'connect:DisassociateInstanceStorageConfig'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/connect/instanceTranscriptsEncrypted.js b/plugins/aws/connect/instanceTranscriptsEncrypted.js
index fec487e987..1e9cdf1cf4 100644
--- a/plugins/aws/connect/instanceTranscriptsEncrypted.js
+++ b/plugins/aws/connect/instanceTranscriptsEncrypted.js
@@ -19,7 +19,7 @@ module.exports = {
 default: 'awscmk'
 }
 },
- realtime_triggers: ['connect:CreateInstance', 'connect:AssociateInstanceStorageConfig', 'connect:UpdateInstanceStorageConfig'],
+ realtime_triggers: ['connect:CreateInstance', 'connect:AssociateInstanceStorageConfig', 'connect:UpdateInstanceStorageConfig','connect:DeleteInstance', 'connect:DisassociateInstanceStorageConfig'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/connect/voiceIdDomainEncrypted.js b/plugins/aws/connect/voiceIdDomainEncrypted.js
index 3d63b606a0..cf9c889357 100644
--- a/plugins/aws/connect/voiceIdDomainEncrypted.js
+++ b/plugins/aws/connect/voiceIdDomainEncrypted.js
@@ -22,7 +22,7 @@ module.exports = {
 default: 'awskms'
 }
 },
- realtime_triggers: ['voiceid:CreateDomain', 'voiceid:UpdateDomain'],
+ realtime_triggers: ['voiceid:CreateDomain', 'voiceid:UpdateDomain', 'voiceid:DeleteDomain'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/connect/wisdomDomainEncrypted.js b/plugins/aws/connect/wisdomDomainEncrypted.js
index a7f1e149ee..bf153794bc 100644
--- a/plugins/aws/connect/wisdomDomainEncrypted.js
+++ b/plugins/aws/connect/wisdomDomainEncrypted.js
@@ -22,7 +22,7 @@ module.exports = {
 default: 'awskms'
 }
 },
- realtime_triggers: ['wisdom:CreateAssistant'],
+ realtime_triggers: ['wisdom:CreateAssistant', 'wisdom:DeleteAssistant'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/finspace/finspaceEnvironmentEncrypted.js b/plugins/aws/finspace/finspaceEnvironmentEncrypted.js
index 0cf83b46f8..1d454cf9f4 100644
--- a/plugins/aws/finspace/finspaceEnvironmentEncrypted.js
+++ b/plugins/aws/finspace/finspaceEnvironmentEncrypted.js
@@ -19,7 +19,7 @@ module.exports = {
 default: 'awscmk'
 }
 },
- realtime_triggers: ['finspace:CreateEnnviromennt'],
+ realtime_triggers: ['finspace:CreateEnviromennt', 'finspace:DeleteEnviroment'],

 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/firehose/deliveryStreamEncrypted.js b/plugins/aws/firehose/deliveryStreamEncrypted.js
index 584aabd312..ca7df2db5f 100644
--- a/plugins/aws/firehose/deliveryStreamEncrypted.js
+++ b/plugins/aws/firehose/deliveryStreamEncrypted.js
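Review bot: Both entries on the `+` line of the finspaceEnvironmentEncrypted hunk are misspelled, `'finspace:CreateEnviromennt'` and `'finspace:DeleteEnviroment'`, and they do not even agree with each other; the FinSpace API actions are `CreateEnvironment` and `DeleteEnvironment`. The old line had the same problem (`CreateEnnviromennt`), so this check has presumably never received a real-time trigger. The line should read `realtime_triggers: ['finspace:CreateEnvironment', 'finspace:DeleteEnvironment'],`.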
@@ -20,7 +20,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['firehose:CreateDeliveryStreams','firehose:UpdateDestination'], + realtime_triggers: ['firehose:CreateDeliveryStreams','firehose:UpdateDestination', 'firehose:DeleteliveryStreams'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/firehose/firehoseEncrypted.js b/plugins/aws/firehose/firehoseEncrypted.js index a05543968e..d7be7839df 100644 --- a/plugins/aws/firehose/firehoseEncrypted.js +++ b/plugins/aws/firehose/firehoseEncrypted.js @@ -17,7 +17,7 @@ module.exports = { 'AWS KMS encryption ensures that the Firehose payload meets the ' + 'encryption in transit and at rest requirements of HIPAA.' }, - realtime_triggers: ['firehose:CreateDeliveryStreams','firehose:StartDeliveryStreamEncryption', 'kinesis:StartStreamEncryption'], + realtime_triggers: ['firehose:CreateDeliveryStreams','firehose:StartDeliveryStreamEncryption', 'kinesis:StartStreamEncryption', 'firehose:DeleteliveryStreams'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/forecast/datasetExportEncrypted.js b/plugins/aws/forecast/datasetExportEncrypted.js index 4161ae839f..880e55f20c 100644 --- a/plugins/aws/forecast/datasetExportEncrypted.js +++ b/plugins/aws/forecast/datasetExportEncrypted.js @@ -18,7 +18,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['forecast:CreateForecastExportJob'], + realtime_triggers: ['forecast:CreateForecastExportJob', 'forecast:DeleteForecastExportjob'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/forecast/forecastDatasetEncrypted.js b/plugins/aws/forecast/forecastDatasetEncrypted.js index 742d74ba3d..27191963a8 100644 --- a/plugins/aws/forecast/forecastDatasetEncrypted.js +++ b/plugins/aws/forecast/forecastDatasetEncrypted.js 
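Review bot: The new trigger added to deliveryStreamEncrypted.js is misspelled and will never fire: `'firehose:DeleteliveryStreams'` drops the "De" of "Delivery". The Firehose API action is `DeleteDeliveryStream` (singular), and by the same token the pre-existing `firehose:CreateDeliveryStreams` on this line looks wrong too — I believe the action is `CreateDeliveryStream`. I would rewrite the line as `realtime_triggers: ['firehose:CreateDeliveryStream','firehose:UpdateDestination', 'firehose:DeleteDeliveryStream'],`. The enclosing `module.exports` object continues outside the hunk.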
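Review bot: Same typo in firehoseEncrypted.js: the appended `'firehose:DeleteliveryStreams'` does not name any Firehose action, so deletions of a delivery stream will not re-evaluate this plugin. The intended name appears to be `DeleteDeliveryStream`; the plural `CreateDeliveryStreams` already on the line is likewise suspect. Suggested line: `realtime_triggers: ['firehose:CreateDeliveryStream','firehose:StartDeliveryStreamEncryption', 'kinesis:StartStreamEncryption', 'firehose:DeleteDeliveryStream'],`. The `run` function and the rest of the exported object sit outside the hunk.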
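Review bot: The new entry in datasetExportEncrypted.js has inconsistent casing: `'forecast:DeleteForecastExportjob'` uses a lowercase "j" while the existing `CreateForecastExportJob` on the same line capitalizes "Job". If trigger matching is case-sensitive (I cannot tell from this hunk, but every other entry in the patch uses PascalCase action names), the delete trigger will silently never match. Suggested line: `realtime_triggers: ['forecast:CreateForecastExportJob', 'forecast:DeleteForecastExportJob'],`. The enclosing object continues outside the hunk.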
@@ -19,7 +19,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['forecastservice:CreateDataset'], + realtime_triggers: ['forecastservice:CreateDataset', 'forecastservice:DeleteDataset'], run: function(cache, settings, callback) { diff --git a/plugins/aws/frauddetector/fraudDetectorDataEncrypted.js b/plugins/aws/frauddetector/fraudDetectorDataEncrypted.js index ca4de0ea64..78096775d4 100644 --- a/plugins/aws/frauddetector/fraudDetectorDataEncrypted.js +++ b/plugins/aws/frauddetector/fraudDetectorDataEncrypted.js @@ -18,7 +18,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['frauddetector:PutKMSEncryptionKey'], + realtime_triggers: ['frauddetector:PutKMSEncryptionKey', 'frauddetector:DeleteDetector'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/fsx/fsxFileSystemEncrypted.js b/plugins/aws/fsx/fsxFileSystemEncrypted.js index 8741ee2dc5..10817359a6 100644 --- a/plugins/aws/fsx/fsxFileSystemEncrypted.js +++ b/plugins/aws/fsx/fsxFileSystemEncrypted.js @@ -18,7 +18,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['fsx:CreateFileSystem'], + realtime_triggers: ['fsx:CreateFileSystem', 'fsx:DeleteFileSystem'], run: function(cache, settings, callback) { diff --git a/plugins/aws/glue/bookmarkEncryptionEnabled.js b/plugins/aws/glue/bookmarkEncryptionEnabled.js index 01d98e8c5f..9ce185c8e8 100644 --- a/plugins/aws/glue/bookmarkEncryptionEnabled.js +++ b/plugins/aws/glue/bookmarkEncryptionEnabled.js 
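Review bot: forecastDatasetEncrypted.js prefixes its triggers with `forecastservice:` while the sibling datasetExportEncrypted.js in the previous hunk uses `forecast:` for the same service; the rewritten line is `realtime_triggers: ['forecastservice:CreateDataset', 'forecastservice:DeleteDataset'],`. Only one of these prefixes can match whatever event source the realtime pipeline uses, so one of the two plugins is presumably never re-triggered — I cannot tell from the diff which form the consumer expects. Please confirm the expected prefix and make both Forecast plugins use it. The enclosing `module.exports` object continues outside the hunk.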
@@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Recreate Glue security configurations and enable job bookmark encryption', link: 'https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html', apis: ['Glue:getSecurityConfigurations', 'STS:getCallerIdentity'], - realtime_triggers: ['glue:CreateSecurityConfiguration'], + realtime_triggers: ['glue:CreateSecurityConfiguration', 'glue:DeleteSecurityConfiguration'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/glue/glueCloudwatchLogsEncrypted.js b/plugins/aws/glue/glueCloudwatchLogsEncrypted.js index 15be118c76..127101b2d4 100644 --- a/plugins/aws/glue/glueCloudwatchLogsEncrypted.js +++ b/plugins/aws/glue/glueCloudwatchLogsEncrypted.js @@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Modify Glue Security Configurations to enable CloudWatch logs encryption at-rest', link: 'https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html', apis: ['Glue:getSecurityConfigurations', 'STS:getCallerIdentity'], - realtime_triggers: ['glue:CreateSecurityConfiguration'], + realtime_triggers: ['glue:CreateSecurityConfiguration', 'glue:DeleteSecurityConfiguration'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/glue/glueS3EncryptionEnabled.js b/plugins/aws/glue/glueS3EncryptionEnabled.js index 60a74c9cc0..7391f26fcc 100644 --- a/plugins/aws/glue/glueS3EncryptionEnabled.js +++ b/plugins/aws/glue/glueS3EncryptionEnabled.js @@ -18,7 +18,7 @@ module.exports = { default: 'awscmk', } }, - realtime_triggers: ['glue:CreateSecurityConfiguration'], + realtime_triggers: ['glue:CreateSecurityConfiguration','glue:DeleteSecurityConfiguration'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/gluedatabrew/databrewJobOutputEncrypted.js b/plugins/aws/gluedatabrew/databrewJobOutputEncrypted.js index 64b37025d0..eee2ed8665 100644 
--- a/plugins/aws/gluedatabrew/databrewJobOutputEncrypted.js +++ b/plugins/aws/gluedatabrew/databrewJobOutputEncrypted.js @@ -18,7 +18,7 @@ module.exports = { default: 'awscmk', } }, - realtime_triggers: ['databrew:CreateRecipeJob', 'databrew:UpdateRecipeJob'], + realtime_triggers: ['databrew:CreateRecipeJob', 'databrew:UpdateRecipeJob', 'databrew:DeleteJob'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/guardduty/exportedFindingsEncrypted.js b/plugins/aws/guardduty/exportedFindingsEncrypted.js index 3585989616..6a310a2cf6 100644 --- a/plugins/aws/guardduty/exportedFindingsEncrypted.js +++ b/plugins/aws/guardduty/exportedFindingsEncrypted.js @@ -19,7 +19,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['guardduty:CreateDetector'], + realtime_triggers: ['guardduty:CreateDetector', 'guardduty:DeleteDetector'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/guardduty/guarddutyMaster.js b/plugins/aws/guardduty/guarddutyMaster.js index 7354f3a721..63b4cb3511 100644 --- a/plugins/aws/guardduty/guarddutyMaster.js +++ b/plugins/aws/guardduty/guarddutyMaster.js @@ -18,7 +18,7 @@ module.exports = { default: '', }, }, - realtime_triggers: ['guardduty:CreateDetector', 'guardduty:CreateMembers'], + realtime_triggers: ['guardduty:CreateDetector', 'guardduty:CreateMembers', 'guardduty:DeleteDetector', 'guardduty:DeleteMembers'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/guardduty/noActiveFindings.js b/plugins/aws/guardduty/noActiveFindings.js index 9230ca27a5..c158ecdedc 100644 --- a/plugins/aws/guardduty/noActiveFindings.js +++ b/plugins/aws/guardduty/noActiveFindings.js 
@@ -20,7 +20,7 @@ module.exports = { default: '48' } }, - realtime_triggers: ['guardduty:CreateDetector', 'guardduty:ArchiveFindings'], + realtime_triggers: ['guardduty:CreateDetector', 'guardduty:ArchiveFindings', 'guardduty:DeleteDetector'], run: function(cache, settings, callback) { const results = []; diff --git a/plugins/aws/guardduty/s3ProtectionEnabled.js b/plugins/aws/guardduty/s3ProtectionEnabled.js index 76cdf1ad85..5c55542a28 100644 --- a/plugins/aws/guardduty/s3ProtectionEnabled.js +++ b/plugins/aws/guardduty/s3ProtectionEnabled.js @@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Enable GuardDuty S3 protection for all AWS accounts.', link: 'https://docs.aws.amazon.com/guardduty/latest/ug/s3-protection.html', apis: ['GuardDuty:listDetectors', 'GuardDuty:getDetector', 'STS:getCallerIdentity'], - realtime_triggers: ['guardduty:CreateDetector', 'guardduty:UpdateDetector'], + realtime_triggers: ['guardduty:CreateDetector', 'guardduty:UpdateDetector', 'guardduty:DeleteDetector'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/healthlake/dataStoreEncrypted.js b/plugins/aws/healthlake/dataStoreEncrypted.js index 1ac5ac19b7..2a860f83b5 100644 --- a/plugins/aws/healthlake/dataStoreEncrypted.js +++ b/plugins/aws/healthlake/dataStoreEncrypted.js @@ -19,7 +19,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['healthlake:CreateFHIRDatastore'], + realtime_triggers: ['healthlake:CreateFHIRDatastore', 'healthlake:DeleteFHIRDatastore'], run: function(cache, settings, callback) { var results = []; From e817a2ba08c2151d078fc9d6a759612569b93e4b Mon Sep 17 00:00:00 2001 
From: --global Date: Wed, 20 Sep 2023 23:20:16 +0500 Subject: [PATCH 028/498] added delete tiggers --- plugins/aws/lambda/envVarsClientSideEncryption.js | 2 +- plugins/aws/lambda/lambdaAdminPrivileges.js | 2 +- plugins/aws/lambda/lambdaHasTags.js | 2 +- plugins/aws/lambda/lambdaLogGroups.js | 2 +- plugins/aws/lambda/lambdaOldRuntimes.js | 2 +- plugins/aws/lambda/lambdaPublicAccess.js | 2 +- plugins/aws/lambda/lambdaTracingEnabled.js | 2 +- plugins/aws/lambda/lambdaVpcConfig.js | 2 +- plugins/aws/lex/lexAudioLogsEncrypted.js | 2 +- plugins/aws/location/geoCollectionDataEncrypted.js | 2 +- plugins/aws/location/trackerDataEncrypted.js | 2 +- plugins/aws/lookout/anomalyDetectorEncrypted.js | 2 +- plugins/aws/lookout/equipmentdatasetEncrypted.js | 2 +- plugins/aws/lookout/modelDataEncrypted.js | 2 +- plugins/aws/managedblockchain/networkMemberDataEncrypted.js | 2 +- plugins/aws/memorydb/memorydbClusterEncrypted.js | 2 +- plugins/aws/mq/mqAutoMinorVersionUpgrade.js | 2 +- plugins/aws/mq/mqBrokerEncrypted.js | 2 +- plugins/aws/mq/mqBrokerPublicAccess.js | 2 +- plugins/aws/mq/mqDeploymentMode.js | 2 +- plugins/aws/mq/mqDesiredInstanceType.js | 2 +- plugins/aws/mq/mqLatestEngineVersion.js | 2 +- plugins/aws/mq/mqLogExports.js | 2 +- plugins/aws/msk/mskClusterCBEncryption.js | 2 +- plugins/aws/msk/mskClusterEncryptionAtRest.js | 2 +- plugins/aws/msk/mskClusterEncryptionInTransit.js | 2 +- plugins/aws/msk/mskClusterPublicAccess.js | 2 +- plugins/aws/msk/mskClusterUnauthAccess.js | 2 +- plugins/aws/mwaa/environmentAdminPrivileges.js | 2 +- plugins/aws/mwaa/environmentDataEncrypted.js | 2 +- plugins/aws/mwaa/webServerPublicAccess.js | 2 +- plugins/aws/neptune/neptuneDBInstanceEncrypted.js | 2 +- .../openSearchServerless/opensearchCollectionCmkEncrypted.js | 2 +- .../openSearchServerless/opensearchCollectionPublicAccess.js | 2 +- plugins/aws/opensearch/opensearchAccessFromIps.js | 2 +- plugins/aws/opensearch/opensearchClusterStatus.js | 2 +- 
plugins/aws/opensearch/opensearchCrossAccountAccess.js | 2 +- plugins/aws/opensearch/opensearchDedicatedMasterEnabled.js | 2 +- plugins/aws/opensearch/opensearchDesiredInstanceTypes.js | 2 +- plugins/aws/opensearch/opensearchDomainEncryptionEnabled.js | 2 +- plugins/aws/opensearch/opensearchEncryptedDomain.js | 2 +- plugins/aws/opensearch/opensearchExposedDomain.js | 2 +- plugins/aws/opensearch/opensearchHttpsOnly.js | 2 +- plugins/aws/opensearch/opensearchLoggingEnabled.js | 2 +- plugins/aws/opensearch/opensearchNodeToNodeEncryption.js | 2 +- plugins/aws/opensearch/opensearchPublicEndpoint.js | 2 +- plugins/aws/opensearch/opensearchRequireIAMAuth.js | 2 +- plugins/aws/opensearch/opensearchTlsVersion.js | 2 +- plugins/aws/opensearch/opensearchUpgradeAvailable.js | 2 +- plugins/aws/opensearch/opensearchVersion.js | 2 +- plugins/aws/opensearch/opensearchZoneAwarenessEnabled.js | 2 +- plugins/aws/organizations/enableAllFeatures.js | 2 +- plugins/aws/organizations/organizationInvite.js | 2 +- 53 files changed, 53 insertions(+), 53 deletions(-) diff --git a/plugins/aws/lambda/envVarsClientSideEncryption.js b/plugins/aws/lambda/envVarsClientSideEncryption.js index 805d313ac1..1c5a91fd0f 100644 --- a/plugins/aws/lambda/envVarsClientSideEncryption.js +++ b/plugins/aws/lambda/envVarsClientSideEncryption.js @@ -20,7 +20,7 @@ module.exports = { default: '' } }, - realtime_triggers: ['lambda:CreateFunction', 'lambda:UpdateFunctionConfiguration'], + realtime_triggers: ['lambda:CreateFunction', 'lambda:UpdateFunctionConfiguration', 'lambda:DeleteFunction'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/lambda/lambdaAdminPrivileges.js b/plugins/aws/lambda/lambdaAdminPrivileges.js index ea7b795e83..62e8d8ef99 100644 --- a/plugins/aws/lambda/lambdaAdminPrivileges.js +++ b/plugins/aws/lambda/lambdaAdminPrivileges.js 
@@ -11,7 +11,7 @@ module.exports = { recommended_action: 'Modify IAM role attached with Lambda function to provide the minimal amount of access required to perform its tasks', apis: ['Lambda:listFunctions', 'IAM:listRoles', 'IAM:listAttachedRolePolicies', 'IAM:listRolePolicies', 'IAM:listPolicies', 'IAM:getPolicy', 'IAM:getPolicyVersion', 'IAM:getRolePolicy'], - realtime_triggers: ['lambda:CreateFunction','lambda:UpdateFunctionConfiguration' ], + realtime_triggers: ['lambda:CreateFunction','lambda:UpdateFunctionConfiguration', 'lambda:DeleteFunction'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/lambda/lambdaHasTags.js b/plugins/aws/lambda/lambdaHasTags.js index f73023ba66..3c58d2ef68 100644 --- a/plugins/aws/lambda/lambdaHasTags.js +++ b/plugins/aws/lambda/lambdaHasTags.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/lambda/latest/dg/configuration-tags.html', recommended_action: 'Modify Lambda function configurations and add new tags', apis: ['Lambda:listFunctions', 'ResourceGroupsTaggingAPI:getResources'], - realtime_triggers: ['lambda:CreateFunction','lambda:UpdateFunctionConfiguration'], + realtime_triggers: ['lambda:CreateFunction','lambda:UpdateFunctionConfiguration','lambda:DeleteFunction'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/lambda/lambdaLogGroups.js b/plugins/aws/lambda/lambdaLogGroups.js index 580ae37921..208af60503 100644 --- a/plugins/aws/lambda/lambdaLogGroups.js +++ b/plugins/aws/lambda/lambdaLogGroups.js 
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/lambda/latest/dg/monitoring-cloudwatchlogs.html', recommended_action: 'Update the Lambda function permissions to allow CloudWatch logging.', apis: ['Lambda:listFunctions', 'CloudWatchLogs:describeLogGroups'], - realtime_triggers: ['lambda:CreateFunction','lambda:UpdateFunctionConfiguration'], + realtime_triggers: ['lambda:CreateFunction','lambda:UpdateFunctionConfiguration','lambda:DeleteFunction'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/lambda/lambdaOldRuntimes.js b/plugins/aws/lambda/lambdaOldRuntimes.js index f8e985c9b7..bb06472305 100644 --- a/plugins/aws/lambda/lambdaOldRuntimes.js +++ b/plugins/aws/lambda/lambdaOldRuntimes.js @@ -18,7 +18,7 @@ module.exports = { default: 0 } }, - realtime_triggers: ['lambda:CreateFunction','lambda:UpdateFunctionConfiguration'], + realtime_triggers: ['lambda:CreateFunction','lambda:UpdateFunctionConfiguration','lambda:DeleteFunction'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/lambda/lambdaPublicAccess.js b/plugins/aws/lambda/lambdaPublicAccess.js index 7bcdff066a..351e2b1a90 100644 --- a/plugins/aws/lambda/lambdaPublicAccess.js +++ b/plugins/aws/lambda/lambdaPublicAccess.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html', recommended_action: 'Update the Lambda policy to prevent access from the public.', apis: ['Lambda:listFunctions', 'Lambda:getPolicy'], - realtime_triggers: ['lambda:CreateFunction','lambda:UpdateFunctionConfiguration','lambda:AddPermission', 'lambda:RemovePermission'], + realtime_triggers: ['lambda:CreateFunction','lambda:UpdateFunctionConfiguration','lambda:AddPermission', 'lambda:RemovePermission','lambda:DeleteFunction'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/lambda/lambdaTracingEnabled.js b/plugins/aws/lambda/lambdaTracingEnabled.js index 653359f466..5a6aa42e60 100644 --- a/plugins/aws/lambda/lambdaTracingEnabled.js +++ b/plugins/aws/lambda/lambdaTracingEnabled.js @@ -18,7 +18,7 @@ module.exports = { default: 'Aqua-CSPM-Token-Rotator-Function,-CreateCSPMKeyFunction-,-TriggerDiscoveryFunction-,-GenerateVolumeScanningEx-,-GenerateCSPMExternalIdFu-' } }, - realtime_triggers: ['lambda:CreateFunction','lambda:UpdateFunctionConfiguration'], + realtime_triggers: ['lambda:CreateFunction','lambda:UpdateFunctionConfiguration','lambda:DeleteFunction'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/lambda/lambdaVpcConfig.js b/plugins/aws/lambda/lambdaVpcConfig.js index a3f1b175dd..42253793ea 100644 --- a/plugins/aws/lambda/lambdaVpcConfig.js +++ b/plugins/aws/lambda/lambdaVpcConfig.js @@ -18,7 +18,7 @@ module.exports = { default: 'Aqua-CSPM-Token-Rotator-Function,-CreateCSPMKeyFunction-,-TriggerDiscoveryFunction-,-GenerateVolumeScanningEx-,-GenerateCSPMExternalIdFu-' } }, - realtime_triggers: ['lambda:CreateFunction','lambda:UpdateFunctionConfiguration'], + realtime_triggers: ['lambda:CreateFunction','lambda:UpdateFunctionConfiguration','lambda:DeleteFunction'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/lex/lexAudioLogsEncrypted.js b/plugins/aws/lex/lexAudioLogsEncrypted.js index d61d75ed7b..fe50cb0e6b 100644 --- a/plugins/aws/lex/lexAudioLogsEncrypted.js +++ b/plugins/aws/lex/lexAudioLogsEncrypted.js @@ -19,7 +19,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['lexmodelsV2:CreateBotAlias', 'lexmodelsV2:UpdateBotAlias'], + realtime_triggers: ['lexmodelsV2:CreateBotAlias', 'lexmodelsV2:UpdateBotAlias', 'lexmodelsV2:DeleteBotAlias'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/location/geoCollectionDataEncrypted.js b/plugins/aws/location/geoCollectionDataEncrypted.js index 1b1bbe5e34..c469e86672 100644 --- a/plugins/aws/location/geoCollectionDataEncrypted.js +++ b/plugins/aws/location/geoCollectionDataEncrypted.js @@ -19,7 +19,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['location:CreateGeofenceCollection'], + realtime_triggers: ['location:CreateGeofenceCollection', 'location:DeleteGeofenceCollection'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/location/trackerDataEncrypted.js b/plugins/aws/location/trackerDataEncrypted.js index c5d1087c2e..1380bc1779 100644 --- a/plugins/aws/location/trackerDataEncrypted.js +++ b/plugins/aws/location/trackerDataEncrypted.js @@ -19,7 +19,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['location:CreateTracker', 'location:UpdateTracker'], + realtime_triggers: ['location:CreateTracker', 'location:UpdateTracker', 'location:DeleteTracker'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/lookout/anomalyDetectorEncrypted.js b/plugins/aws/lookout/anomalyDetectorEncrypted.js index 4ef6523358..4eb6527a77 100644 --- a/plugins/aws/lookout/anomalyDetectorEncrypted.js +++ b/plugins/aws/lookout/anomalyDetectorEncrypted.js @@ -19,7 +19,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['lookoutmetrics:CreateAnomalyDetector', 'lookoutmetrics:UpdateAnomalyDetector'], + realtime_triggers: ['lookoutmetrics:CreateAnomalyDetector', 'lookoutmetrics:UpdateAnomalyDetector', 'lookoutmetrics:DeleteAnomalyDetector'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/lookout/equipmentdatasetEncrypted.js b/plugins/aws/lookout/equipmentdatasetEncrypted.js index b9cc94fe5e..a3dd7329c3 100644 --- a/plugins/aws/lookout/equipmentdatasetEncrypted.js +++ b/plugins/aws/lookout/equipmentdatasetEncrypted.js 
@@ -19,7 +19,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['lookoutequipment:CreateDataset'], + realtime_triggers: ['lookoutequipment:CreateDataset', 'lookoutequipment:DeleteDataset'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/lookout/modelDataEncrypted.js b/plugins/aws/lookout/modelDataEncrypted.js index 364fd81aaa..77615e634b 100644 --- a/plugins/aws/lookout/modelDataEncrypted.js +++ b/plugins/aws/lookout/modelDataEncrypted.js @@ -19,7 +19,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['lookoutvision:CreateModel'], + realtime_triggers: ['lookoutvision:CreateModel', 'lookoutvision:DeleteModel'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/managedblockchain/networkMemberDataEncrypted.js b/plugins/aws/managedblockchain/networkMemberDataEncrypted.js index 4f341ae76b..147565fdf9 100644 --- a/plugins/aws/managedblockchain/networkMemberDataEncrypted.js +++ b/plugins/aws/managedblockchain/networkMemberDataEncrypted.js @@ -19,7 +19,7 @@ module.exports = { default: 'awscmk', } }, - realtime_triggers: ['managedblockchain:CreateNetwork'], + realtime_triggers: ['managedblockchain:CreateNetwork', 'managedblockchain:DeleteMember'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/memorydb/memorydbClusterEncrypted.js b/plugins/aws/memorydb/memorydbClusterEncrypted.js index 6c66c26614..be159fbfb4 100644 --- a/plugins/aws/memorydb/memorydbClusterEncrypted.js +++ b/plugins/aws/memorydb/memorydbClusterEncrypted.js @@ -19,7 +19,7 @@ module.exports = { default: 'awscmk', } }, - realtime_triggers: ['MemoryDB:CreateCluster'], + realtime_triggers: ['MemoryDB:CreateCluster', 'MemoryDB:DeleteCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/mq/mqAutoMinorVersionUpgrade.js b/plugins/aws/mq/mqAutoMinorVersionUpgrade.js index daea040839..5c9e6169ef 100644 
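Review bot: memorydbClusterEncrypted.js is the only plugin in this patch whose service prefix is capitalized: `realtime_triggers: ['MemoryDB:CreateCluster', 'MemoryDB:DeleteCluster'],`, whereas every other hunk uses a lowercase prefix such as `kafka:`, `mq:`, `lambda:`. If the trigger matcher compares prefixes case-sensitively (not visible here), neither MemoryDB trigger will fire; even if it does not, the inconsistency invites the same mistake elsewhere. I would normalize the line to `realtime_triggers: ['memorydb:CreateCluster', 'memorydb:DeleteCluster'],` after confirming the expected form. The enclosing object and `run` function continue outside the hunk.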
--- a/plugins/aws/mq/mqAutoMinorVersionUpgrade.js +++ b/plugins/aws/mq/mqAutoMinorVersionUpgrade.js @@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Enabled Auto Minor Version Upgrade feature for MQ brokers', link: 'https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/broker.html', apis: ['MQ:listBrokers', 'MQ:describeBroker'], - realtime_triggers: ['mq:CreateBrocker', 'mq:UpdateBrocker'], + realtime_triggers: ['mq:CreateBrocker', 'mq:UpdateBrocker', 'mq:DeleteBrocker'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/mq/mqBrokerEncrypted.js b/plugins/aws/mq/mqBrokerEncrypted.js index 7a24a7c42f..c48418a245 100644 --- a/plugins/aws/mq/mqBrokerEncrypted.js +++ b/plugins/aws/mq/mqBrokerEncrypted.js @@ -18,7 +18,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['mq:CreateBrocker'], + realtime_triggers: ['mq:CreateBrocker', 'mq:DeleteBrocker'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/mq/mqBrokerPublicAccess.js b/plugins/aws/mq/mqBrokerPublicAccess.js index 2af4dd8429..41731262ee 100644 --- a/plugins/aws/mq/mqBrokerPublicAccess.js +++ b/plugins/aws/mq/mqBrokerPublicAccess.js @@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Review and update the security group settings to restrict public access to Amazon MQ brokers.', link: 'https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/using-amazon-mq-securely.html', apis: ['MQ:listBrokers', 'MQ:describeBroker', 'EC2:describeSecurityGroups'], - realtime_triggers: ['mq:CreateBrocker', 'mq:UpdateBroker'], + realtime_triggers: ['mq:CreateBrocker', 'mq:UpdateBroker', 'mq:DeleteBrocker'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/mq/mqDeploymentMode.js b/plugins/aws/mq/mqDeploymentMode.js index 075c609d51..b7dc226187 100644 --- a/plugins/aws/mq/mqDeploymentMode.js +++ b/plugins/aws/mq/mqDeploymentMode.js 
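Review bot: Every trigger on the rewritten line in mqAutoMinorVersionUpgrade.js is misspelled — `realtime_triggers: ['mq:CreateBrocker', 'mq:UpdateBrocker', 'mq:DeleteBrocker'],` — so none of them can match the Amazon MQ actions, which are spelled `CreateBroker`, `UpdateBroker` and `DeleteBroker`. The commit propagates the existing "Brocker" typo into the new delete trigger instead of fixing it, and mqLogExports.js later in this patch already uses the correct `mq:CreateBroker`/`mq:UpdateBroker` spelling, which shows what was intended. Suggested line: `realtime_triggers: ['mq:CreateBroker', 'mq:UpdateBroker', 'mq:DeleteBroker'],`. The enclosing `module.exports` object continues outside the hunk.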
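Review bot: mqBrokerPublicAccess.js now mixes two spellings of the same resource on one line: `realtime_triggers: ['mq:CreateBrocker', 'mq:UpdateBroker', 'mq:DeleteBrocker'],`. `UpdateBroker` is the correct Amazon MQ action name; `CreateBrocker` and the newly added `DeleteBrocker` are not real actions and will never trigger, which means a broker created with public access would not be evaluated until the next scheduled scan. I would correct both to `'mq:CreateBroker'` and `'mq:DeleteBroker'`. The rest of the exported object is outside the hunk.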
@@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Enabled Deployment Mode feature for MQ brokers', link: 'https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/active-standby-broker-deployment.html', apis: ['MQ:listBrokers'], - realtime_triggers: ['mq:CreateBrocker', 'mq:UpdateBroker'], + realtime_triggers: ['mq:CreateBrocker', 'mq:UpdateBroker', 'mq:DeleteBrocker'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/mq/mqDesiredInstanceType.js b/plugins/aws/mq/mqDesiredInstanceType.js index b1159480de..a89260b78a 100644 --- a/plugins/aws/mq/mqDesiredInstanceType.js +++ b/plugins/aws/mq/mqDesiredInstanceType.js @@ -18,7 +18,7 @@ module.exports = { default:'' } }, - realtime_triggers: ['mq:CreateBrocker'], + realtime_triggers: ['mq:CreateBrocker', 'mq:DeleteBrocker'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/mq/mqLatestEngineVersion.js b/plugins/aws/mq/mqLatestEngineVersion.js index b9598c4ad2..169b342f7d 100644 --- a/plugins/aws/mq/mqLatestEngineVersion.js +++ b/plugins/aws/mq/mqLatestEngineVersion.js @@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Update Amazon MQ brokers to the latest version of Apache ActiveMQ broker engine.', link: 'https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/activemq-version-management.html', apis: ['MQ:listBrokers', 'MQ:describeBroker'], - realtime_triggers: ['mq:CreateBrocker','mq:UpdateBrocker'], + realtime_triggers: ['mq:CreateBrocker','mq:UpdateBrocker', 'mq:DeleteBrocker'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/mq/mqLogExports.js b/plugins/aws/mq/mqLogExports.js index 6bbb6a34a0..fb5808f8e1 100644 --- a/plugins/aws/mq/mqLogExports.js +++ b/plugins/aws/mq/mqLogExports.js 
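Review bot: mqDeploymentMode.js carries the same "Brocker" misspelling into its new delete trigger: `realtime_triggers: ['mq:CreateBrocker', 'mq:UpdateBroker', 'mq:DeleteBrocker'],`, and mqDesiredInstanceType.js and mqLatestEngineVersion.js in the following hunks repeat it. Since `UpdateBroker` on the same line is spelled correctly, the mismatch looks accidental rather than a deliberate alias. Suggested line for this hunk: `realtime_triggers: ['mq:CreateBroker', 'mq:UpdateBroker', 'mq:DeleteBroker'],`, with the same correction applied to the other two MQ plugins. The enclosing object continues outside the hunk.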
@@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Enable Log Exports feature for MQ brokers', link: 'https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/security-logging-monitoring.html', apis: ['MQ:listBrokers', 'MQ:describeBroker'], - realtime_triggers: ['mq:CreateBroker', 'mq:UpdateBroker'], + realtime_triggers: ['mq:CreateBroker', 'mq:UpdateBroker','mq:DeleteBrocker'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/msk/mskClusterCBEncryption.js b/plugins/aws/msk/mskClusterCBEncryption.js index 6197ff23fe..c302e0c501 100644 --- a/plugins/aws/msk/mskClusterCBEncryption.js +++ b/plugins/aws/msk/mskClusterCBEncryption.js @@ -11,7 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html', recommended_action: 'Enable only TLS encryption between the client and broker for all MSK clusters', apis: ['Kafka:listClusters'], - realtime_triggers: ['kafka:CreateCluster','kafka:UpdateClusterConfiguration'], + realtime_triggers: ['kafka:CreateCluster','kafka:UpdateClusterConfiguration', 'kafka:DeleteCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/msk/mskClusterEncryptionAtRest.js b/plugins/aws/msk/mskClusterEncryptionAtRest.js index c834c9f5e0..c6d1dd238e 100644 --- a/plugins/aws/msk/mskClusterEncryptionAtRest.js +++ b/plugins/aws/msk/mskClusterEncryptionAtRest.js @@ -18,7 +18,7 @@ module.exports = { default: 'awscmk', } }, - realtime_triggers: ['kafka:CreateCluster'], + realtime_triggers: ['kafka:CreateCluster', 'kafka:DeleteCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/msk/mskClusterEncryptionInTransit.js b/plugins/aws/msk/mskClusterEncryptionInTransit.js index f4e4c68c1e..275952b1aa 100644 --- a/plugins/aws/msk/mskClusterEncryptionInTransit.js +++ b/plugins/aws/msk/mskClusterEncryptionInTransit.js 
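Review bot: In mqLogExports.js the two existing triggers are spelled correctly but the new one is not: `realtime_triggers: ['mq:CreateBroker', 'mq:UpdateBroker','mq:DeleteBrocker'],`. `DeleteBrocker` is not an Amazon MQ action, so this plugin will not be re-run when a broker is deleted, leaving a stale finding until the next full scan. The fix is a one-word change: `realtime_triggers: ['mq:CreateBroker', 'mq:UpdateBroker', 'mq:DeleteBroker'],`. The enclosing `module.exports` object continues outside the hunk.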
@@ -11,7 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html', recommended_action: 'Enable TLS encryption within the cluster for all MSK clusters', apis: ['Kafka:listClusters'], - realtime_triggers: ['kafka:CreateCluster','kafka:UpdateClusterConfiguration'], + realtime_triggers: ['kafka:CreateCluster','kafka:UpdateClusterConfiguration','kafka:DeleteCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/msk/mskClusterPublicAccess.js b/plugins/aws/msk/mskClusterPublicAccess.js index b97f5ee88b..c9aa02ad65 100644 --- a/plugins/aws/msk/mskClusterPublicAccess.js +++ b/plugins/aws/msk/mskClusterPublicAccess.js @@ -11,7 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/msk/latest/developerguide/public-access.html', recommended_action: 'Check for public access feature within the cluster for all MSK clusters', apis: ['Kafka:listClusters'], - realtime_triggers: ['kafka:CreateCluster'], + realtime_triggers: ['kafka:CreateCluster', 'kafka:DeleteCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/msk/mskClusterUnauthAccess.js b/plugins/aws/msk/mskClusterUnauthAccess.js index 2e3406d5fd..39d89407b9 100644 --- a/plugins/aws/msk/mskClusterUnauthAccess.js +++ b/plugins/aws/msk/mskClusterUnauthAccess.js @@ -11,7 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/msk/latest/developerguide/msk-authentication.html', recommended_action: 'Ensure that MSK clusters does not have unauthenticated access enabled.', apis: ['Kafka:listClusters'], - realtime_triggers: ['kafka:CreateCluster','kafka:UpdateSecurity'], + realtime_triggers: ['kafka:CreateCluster','kafka:UpdateSecurity', 'kafka:DeleteCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/mwaa/environmentAdminPrivileges.js b/plugins/aws/mwaa/environmentAdminPrivileges.js index 38aa54aa1d..bfe179d612 100644 
--- a/plugins/aws/mwaa/environmentAdminPrivileges.js +++ b/plugins/aws/mwaa/environmentAdminPrivileges.js @@ -11,7 +11,7 @@ module.exports = { recommended_action: 'Modify IAM role attached with MWAA environment to provide the minimal amount of access required to perform its tasks', apis: ['MWAA:listEnvironments', 'MWAA:getEnvironment', 'IAM:listRoles', 'IAM:listAttachedRolePolicies', 'IAM:listRolePolicies', 'IAM:listPolicies', 'IAM:getPolicy', 'IAM:getPolicyVersion', 'IAM:getRolePolicy', 'STS:getCallerIdentity'], - realtime_triggers: ['mwaa:CreateEnvironment','mwaa:UpdateEnviroment'], + realtime_triggers: ['mwaa:CreateEnvironment','mwaa:UpdateEnviroment', 'mwaa:DeleteEnvironment'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/mwaa/environmentDataEncrypted.js b/plugins/aws/mwaa/environmentDataEncrypted.js index 3b315eabca..9fe621624a 100644 --- a/plugins/aws/mwaa/environmentDataEncrypted.js +++ b/plugins/aws/mwaa/environmentDataEncrypted.js @@ -19,7 +19,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['mwaa:CreateEnvironment'], + realtime_triggers: ['mwaa:CreateEnvironment', 'mwaa:DeleteEnvironment'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/mwaa/webServerPublicAccess.js b/plugins/aws/mwaa/webServerPublicAccess.js index 44896bb915..c49e7e48bb 100644 --- a/plugins/aws/mwaa/webServerPublicAccess.js +++ b/plugins/aws/mwaa/webServerPublicAccess.js 
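Review bot: The rewritten line in environmentAdminPrivileges.js keeps a misspelled update trigger next to a correctly spelled delete trigger: `realtime_triggers: ['mwaa:CreateEnvironment','mwaa:UpdateEnviroment', 'mwaa:DeleteEnvironment'],`. `UpdateEnviroment` (missing the second "n") does not match the MWAA `UpdateEnvironment` action, so changes to an environment's execution role — exactly what this admin-privileges check cares about — would not re-trigger the plugin. Since the commit already touches this line, it should fix the spelling too: `realtime_triggers: ['mwaa:CreateEnvironment', 'mwaa:UpdateEnvironment', 'mwaa:DeleteEnvironment'],`. The enclosing object and `run` function are outside the hunk.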
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/mwaa/latest/userguide/vpc-create.html',
 recommended_action: 'Modify Amazon MWAA environments to set web server access mode to be private only',
 apis: ['MWAA:listEnvironments', 'MWAA:getEnvironment', 'STS:getCallerIdentity'],
- realtime_triggers: ['mwaa:CreateEnvironment','mwaa:UpdateEnviroment'],
+ realtime_triggers: ['mwaa:CreateEnvironment','mwaa:UpdateEnviroment', 'mwaa:DeleteEnvironment'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/neptune/neptuneDBInstanceEncrypted.js b/plugins/aws/neptune/neptuneDBInstanceEncrypted.js
index 31f9dad7c1..3d16098a54 100644
--- a/plugins/aws/neptune/neptuneDBInstanceEncrypted.js
+++ b/plugins/aws/neptune/neptuneDBInstanceEncrypted.js
@@ -20,7 +20,7 @@ module.exports = {
 default: 'awscmk',
 }
 },
- realtime_triggers: ['neptune:CreateDBCluster'],
+ realtime_triggers: ['neptune:CreateDBCluster', 'neptune:DeleteDBCluster'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/openSearchServerless/opensearchCollectionCmkEncrypted.js b/plugins/aws/openSearchServerless/opensearchCollectionCmkEncrypted.js
index 44ad6e1da1..4abe1dc6cb 100644
--- a/plugins/aws/openSearchServerless/opensearchCollectionCmkEncrypted.js
+++ b/plugins/aws/openSearchServerless/opensearchCollectionCmkEncrypted.js
@@ -19,7 +19,7 @@ module.exports = {
 default: 'awscmk'
 }
 },
- realtime_triggers: ['opensearchserverless:CreateCollection'],
+ realtime_triggers: ['opensearchserverless:CreateCollection', 'opensearchserverless:DeleteCollection'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/openSearchServerless/opensearchCollectionPublicAccess.js b/plugins/aws/openSearchServerless/opensearchCollectionPublicAccess.js
index 9d3d45c2e4..fd825b8515 100644
--- a/plugins/aws/openSearchServerless/opensearchCollectionPublicAccess.js
+++ b/plugins/aws/openSearchServerless/opensearchCollectionPublicAccess.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-network.html',
 recommended_action: 'Update the network policy and remove the public access to the collection.',
 apis: ['OpenSearchServerless:listNetworkSecurityPolicies', 'OpenSearchServerless:getNetworkSecurityPolicy', 'OpenSearchServerless:listCollections'],
- realtime_triggers: ['opensearchserverless:CreateCollection', 'opensearserverless:UpdateCollection'],
+ realtime_triggers: ['opensearchserverless:CreateCollection', 'opensearserverless:UpdateCollection', 'opensearchserverless:DeleteCollection'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/opensearch/opensearchAccessFromIps.js b/plugins/aws/opensearch/opensearchAccessFromIps.js
index 2819498265..fb832995b8 100644
--- a/plugins/aws/opensearch/opensearchAccessFromIps.js
+++ b/plugins/aws/opensearch/opensearchAccessFromIps.js
@@ -18,7 +18,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig'],
+ realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig', 'opensearch:DeleteDomain'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/opensearch/opensearchClusterStatus.js b/plugins/aws/opensearch/opensearchClusterStatus.js
index 7ef4bf389c..c66b7b2951 100644
--- a/plugins/aws/opensearch/opensearchClusterStatus.js
+++ b/plugins/aws/opensearch/opensearchClusterStatus.js
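Review bot: The rewritten line in opensearchCollectionPublicAccess keeps `'opensearserverless:UpdateCollection'`, which is missing the `ch` that the other two entries in the same array spell out as `opensearchserverless`; if matching is an exact string compare, updates to a collection would not re-trigger this check while create and delete would. Proposed: `realtime_triggers: ['opensearchserverless:CreateCollection', 'opensearchserverless:UpdateCollection', 'opensearchserverless:DeleteCollection'],`. Since the check reads network security policies (`listNetworkSecurityPolicies`, `getNetworkSecurityPolicy` in `apis`), a policy-update event may be the more relevant trigger than a collection update, which is worth confirming against how this repo names such events. The enclosing `module.exports` object starts before and ends after the hunk.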
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/opensearch-service/latest/developerguide/cloudwatch-alarms.html',
 recommended_action: 'Configure alarms to send notification if cluster status remains red for more than a minute.',
 apis: ['OpenSearch:listDomainNames', 'CloudWatch:getEsMetricStatistics', 'STS:getCallerIdentity'],
- realtime_triggers: ['openSearch:CreateDomain', 'opensearch:UpdateDomainConfig'],
+ realtime_triggers: ['openSearch:CreateDomain', 'opensearch:UpdateDomainConfig','opensearch:DeleteDomain'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/opensearch/opensearchCrossAccountAccess.js b/plugins/aws/opensearch/opensearchCrossAccountAccess.js
index 940a80f6c3..00b181fa11 100644
--- a/plugins/aws/opensearch/opensearchCrossAccountAccess.js
+++ b/plugins/aws/opensearch/opensearchCrossAccountAccess.js
@@ -37,7 +37,7 @@ module.exports = {
 default: 'aws:PrincipalArn,aws:PrincipalAccount,aws:PrincipalOrgID,aws:SourceAccount,aws:SourceArn,aws:SourceOwner'
 },
 },
- realtime_triggers: ['opensearch:CreateDomain','opensearch:UpdateDomainConfig'],
+ realtime_triggers: ['opensearch:CreateDomain','opensearch:UpdateDomainConfig', 'opensearch:DeleteDomain'],
 run: function(cache, settings, callback) {
 var config= {
diff --git a/plugins/aws/opensearch/opensearchDedicatedMasterEnabled.js b/plugins/aws/opensearch/opensearchDedicatedMasterEnabled.js
index 44b9122604..43de0e7762 100644
--- a/plugins/aws/opensearch/opensearchDedicatedMasterEnabled.js
+++ b/plugins/aws/opensearch/opensearchDedicatedMasterEnabled.js
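Review bot: In opensearchClusterStatus the rewritten line keeps `'openSearch:CreateDomain'` with a capital S, while every other opensearch hunk in this commit uses the lowercase `opensearch:` prefix; if the trigger lookup is case-sensitive, domain creation never fires this check. The new entry is also appended without the space after the comma that the rest of the array uses. Proposed: `realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig', 'opensearch:DeleteDomain'],`. The enclosing `module.exports` object starts before and ends after the hunk.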
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/opensearch-service/latest/developerguide/managedomains-dedicatedmasternodes.html',
 recommended_action: 'Update the domain to use dedicated master nodes.',
 apis: ['OpenSearch:listDomainNames', 'OpenSearch:describeDomain', 'STS:getCallerIdentity'],
- realtime_triggers: ['opensearch:CreateDomain','opensearch:UpdateDomainConfig'],
+ realtime_triggers: ['opensearch:CreateDomain','opensearch:UpdateDomainConfig', 'opensearch:DeleteDomain'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/opensearch/opensearchDesiredInstanceTypes.js b/plugins/aws/opensearch/opensearchDesiredInstanceTypes.js
index 1efad7e53f..d4a6406a32 100644
--- a/plugins/aws/opensearch/opensearchDesiredInstanceTypes.js
+++ b/plugins/aws/opensearch/opensearchDesiredInstanceTypes.js
@@ -24,7 +24,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['opensearch:CreateDomain'],
+ realtime_triggers: ['opensearch:CreateDomain', 'opensearch:DeleteDomain'],
 run: function(cache, settings, callback) {
 const results = [];
diff --git a/plugins/aws/opensearch/opensearchDomainEncryptionEnabled.js b/plugins/aws/opensearch/opensearchDomainEncryptionEnabled.js
index 2b1f5e25cc..3aa4f70fc0 100644
--- a/plugins/aws/opensearch/opensearchDomainEncryptionEnabled.js
+++ b/plugins/aws/opensearch/opensearchDomainEncryptionEnabled.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 'awscmk',
 }
 },
- realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig'],
+ realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig', 'opensearch:DeleteDomain'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/opensearch/opensearchEncryptedDomain.js b/plugins/aws/opensearch/opensearchEncryptedDomain.js
index da385d931f..c35b8a3eec 100644
--- a/plugins/aws/opensearch/opensearchEncryptedDomain.js
+++ b/plugins/aws/opensearch/opensearchEncryptedDomain.js
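Review bot: opensearchDesiredInstanceTypes now triggers on `opensearch:CreateDomain` and `opensearch:DeleteDomain` only, but a domain's instance type is changed after creation through UpdateDomainConfig, which the sibling hunks on this line (opensearchDedicatedMasterEnabled, opensearchDomainEncryptionEnabled) already list. A domain whose nodes are later switched to an undesired type would therefore not be re-checked until the next full scan. Proposed: `realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig', 'opensearch:DeleteDomain'],`. The enclosing `module.exports` object starts before and ends after the hunk.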
@@ -29,7 +29,7 @@ module.exports = {
 remediate: ['opensearch:UpdateDomainConfig'],
 rollback: ['opensearch:UpdateDomainConfig']
 },
- realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig'],
+ realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig', 'opensearch:DeleteDomain'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/opensearch/opensearchExposedDomain.js b/plugins/aws/opensearch/opensearchExposedDomain.js
index 4fd6aa519c..245e375757 100644
--- a/plugins/aws/opensearch/opensearchExposedDomain.js
+++ b/plugins/aws/opensearch/opensearchExposedDomain.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html',
 recommended_action: 'Update OpenSearch domain to set access control.',
 apis: ['OpenSearch:listDomainNames', 'OpenSearch:describeDomain', 'STS:getCallerIdentity'],
- realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig'],
+ realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig', 'opensearch:DeleteDomain'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/opensearch/opensearchHttpsOnly.js b/plugins/aws/opensearch/opensearchHttpsOnly.js
index 95f9bb914d..2b54ac0147 100644
--- a/plugins/aws/opensearch/opensearchHttpsOnly.js
+++ b/plugins/aws/opensearch/opensearchHttpsOnly.js
@@ -29,7 +29,7 @@ module.exports = {
 remediate: ['opensearch:UpdateDomainConfig'],
 rollback: ['opensearch:UpdateDomainConfig']
 },
- realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig'],
+ realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig', 'opensearch:DeleteDomain'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/opensearch/opensearchLoggingEnabled.js b/plugins/aws/opensearch/opensearchLoggingEnabled.js
index d3a7a214e0..2c7b971ea2 100644
--- a/plugins/aws/opensearch/opensearchLoggingEnabled.js
+++ b/plugins/aws/opensearch/opensearchLoggingEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/opensearch-service/latest/developerguide/createdomain-configure-slow-logs.html',
 recommended_action: 'Ensure logging is enabled and a CloudWatch log group is specified for each OpenSearch domain.',
 apis: ['OpenSearch:listDomainNames', 'OpenSearch:describeDomain'],
- realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig'],
+ realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig', 'opensearch:DeleteDomain'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/opensearch/opensearchNodeToNodeEncryption.js b/plugins/aws/opensearch/opensearchNodeToNodeEncryption.js
index 2b185c9759..a3d5a2aacb 100644
--- a/plugins/aws/opensearch/opensearchNodeToNodeEncryption.js
+++ b/plugins/aws/opensearch/opensearchNodeToNodeEncryption.js
@@ -21,7 +21,7 @@ module.exports = {
 remediate: ['opensearch:UpdateDomainConfig'],
 rollback: ['opensearch:UpdateDomainConfig']
 },
- realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig'],
+ realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig', 'opensearch:DeleteDomain'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/opensearch/opensearchPublicEndpoint.js b/plugins/aws/opensearch/opensearchPublicEndpoint.js
index b273453acd..81483aa106 100644
--- a/plugins/aws/opensearch/opensearchPublicEndpoint.js
+++ b/plugins/aws/opensearch/opensearchPublicEndpoint.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 'false'
 },
 },
- realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig'],
+ realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig', 'opensearch:DeleteDomain'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/opensearch/opensearchRequireIAMAuth.js b/plugins/aws/opensearch/opensearchRequireIAMAuth.js
index 747972334d..8a3f4b8104 100644
--- a/plugins/aws/opensearch/opensearchRequireIAMAuth.js
+++ b/plugins/aws/opensearch/opensearchRequireIAMAuth.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html',
 recommended_action: 'Configure the OpenSearch domain to have an access policy without a global principal or no principal',
 apis: ['OpenSearch:listDomainNames', 'OpenSearch:describeDomain'],
- realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig'],
+ realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig', 'opensearch:DeleteDomain'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/opensearch/opensearchTlsVersion.js b/plugins/aws/opensearch/opensearchTlsVersion.js
index 26339f9188..7c7fb6b13f 100644
--- a/plugins/aws/opensearch/opensearchTlsVersion.js
+++ b/plugins/aws/opensearch/opensearchTlsVersion.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/opensearch-service/latest/developerguide/what-is.html',
 recommended_action: 'Update OpenSearch domain to set TLSSecurityPolicy to contain TLS version 1.2.',
 apis: ['OpenSearch:listDomainNames', 'OpenSearch:describeDomain', 'STS:getCallerIdentity'],
- realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig'],
+ realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig', 'opensearch:DeleteDomain'],
 run: function(cache, settings, callback) {
 const results = [];
diff --git a/plugins/aws/opensearch/opensearchUpgradeAvailable.js b/plugins/aws/opensearch/opensearchUpgradeAvailable.js
index 98ecfbc3ca..921344ef65 100644
--- a/plugins/aws/opensearch/opensearchUpgradeAvailable.js
+++ b/plugins/aws/opensearch/opensearchUpgradeAvailable.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/opensearch-service/latest/developerguide/version-migration.html',
 recommended_action: 'Ensure each OpenSearch domain is running the latest service software and update out-of-date domains.',
 apis: ['OpenSearch:listDomainNames', 'OpenSearch:describeDomain'],
- realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig'],
+ realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig', 'opensearch:DeleteDomain'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/opensearch/opensearchVersion.js b/plugins/aws/opensearch/opensearchVersion.js
index c4b66531e8..8055d23077 100644
--- a/plugins/aws/opensearch/opensearchVersion.js
+++ b/plugins/aws/opensearch/opensearchVersion.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/opensearch-service/latest/developerguide/what-is.html',
 recommended_action: 'Update OpenSearch domain to set to latest engine version.',
 apis: ['OpenSearch:listDomainNames', 'OpenSearch:describeDomain'],
- realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig'],
+ realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig', 'opensearch:DeleteDomain'],
 run:function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/opensearch/opensearchZoneAwarenessEnabled.js b/plugins/aws/opensearch/opensearchZoneAwarenessEnabled.js
index fba41f24cd..c9a606c93c 100644
--- a/plugins/aws/opensearch/opensearchZoneAwarenessEnabled.js
+++ b/plugins/aws/opensearch/opensearchZoneAwarenessEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://aws.amazon.com/blogs/security/how-to-control-access-to-your-amazon-elasticsearch-service-domain/',
 recommended_action: 'Modify OpenSearch domain configuration and enable domain zone awareness.',
 apis: ['OpenSearch:listDomainNames', 'OpenSearch:describeDomain', 'STS:getCallerIdentity'],
- realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig'],
+ realtime_triggers: ['opensearch:CreateDomain', 'opensearch:UpdateDomainConfig', 'opensearch:DeleteDomain'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/organizations/enableAllFeatures.js b/plugins/aws/organizations/enableAllFeatures.js
index 1d00b26e7b..a20b6aaa8b 100644
--- a/plugins/aws/organizations/enableAllFeatures.js
+++ b/plugins/aws/organizations/enableAllFeatures.js
@@ -9,7 +9,7 @@ module.exports = {
 recommended_action: 'Enable all AWS Organizations features.',
 link: 'https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html?icmpid=docs_orgs_console',
 apis: ['Organizations:describeOrganization'],
- realtime_triggers: ['organizations:CreateOrganization', 'organizations:EnableAllFeatures'],
+ realtime_triggers: ['organizations:CreateOrganization', 'organizations:EnableAllFeatures', 'organizations:DeleteOrganization'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/organizations/organizationInvite.js b/plugins/aws/organizations/organizationInvite.js
index 273576d215..35fe368ba0 100644
--- a/plugins/aws/organizations/organizationInvite.js
+++ b/plugins/aws/organizations/organizationInvite.js
@@ -9,7 +9,7 @@ module.exports = {
 recommended_action: 'Enable all AWS Organizations features',
 link: 'https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html?icmpid=docs_orgs_console',
 apis: ['Organizations:listHandshakesForAccount'],
- realtime_triggers: ['organizations:CreateOrganization', 'organizations:AcceptHandshake' ,'organizations:DeclineHandshake', 'organizations:CancleHandshake'],
+ realtime_triggers: ['organizations:CreateOrganization', 'organizations:AcceptHandshake' ,'organizations:DeclineHandshake', 'organizations:CancleHandshake', 'organizations:DeleteOrganization'],
 run: function(cache, settings, callback) {
 var results = [];
From c3784d8367ea928ae2bea7889fc5832ca33f1835 Mon Sep 17 00:00:00 2001
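Review bot: The rewritten organizationInvite line keeps `'organizations:CancleHandshake'` (the Organizations action is CancelHandshake) and the stray `' ,'` spacing before DeclineHandshake, so a cancelled invitation would not re-trigger this check if event names are compared exactly. Proposed: `realtime_triggers: ['organizations:CreateOrganization', 'organizations:AcceptHandshake', 'organizations:DeclineHandshake', 'organizations:CancelHandshake', 'organizations:DeleteOrganization'],`. The enclosing `module.exports` object starts before and ends after the hunk.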
From: --global
Date: Thu, 21 Sep 2023 13:01:50 +0500
Subject: [PATCH 029/498] added delete tiggers
---
 plugins/aws/proton/environmentTemplateEncrypted.js | 2 +-
 plugins/aws/qldb/ledgerEncrypted.js | 2 +-
 plugins/aws/rds/iamDbAuthenticationEnabled.js | 2 +-
 plugins/aws/rds/mysqlVulnerabilityCheck.js | 2 +-
 plugins/aws/rds/overutilizedRDSInstance.js | 2 +-
 plugins/aws/rds/rdsAutomatedBackups.js | 2 +-
 plugins/aws/rds/rdsCmkEncryptionEnabled.js | 2 +-
 plugins/aws/rds/rdsDefaultPort.js | 2 +-
 plugins/aws/rds/rdsDefaultUsername.js | 2 +-
 plugins/aws/rds/rdsDeletionProtectionEnabled.js | 2 +-
 plugins/aws/rds/rdsEncryptionEnabled.js | 2 +-
 plugins/aws/rds/rdsInstanceGeneration.js | 2 +-
 plugins/aws/rds/rdsInstanceHasTags.js | 2 +-
 plugins/aws/rds/rdsLoggingEnabled.js | 2 +-
 plugins/aws/rds/rdsMinorVersionUpgrade.js | 2 +-
 plugins/aws/rds/rdsMultiAz.js | 2 +-
 plugins/aws/rds/rdsPublicSubnet.js | 2 +-
 plugins/aws/rds/rdsPubliclyAccessible.js | 2 +-
 plugins/aws/rds/rdsRestorable.js | 2 +-
 plugins/aws/rds/rdsSnapshotPubliclyAccessible.js | 2 +-
 plugins/aws/rds/rdsTransportEncryption.js | 2 +-
 plugins/aws/rds/sqlServerTLSVersion.js | 2 +-
 plugins/aws/redshift/auditLoggingEnabled.js | 2 +-
 plugins/aws/redshift/redshiftAllowVersionUpgrade.js | 2 +-
 plugins/aws/redshift/redshiftClusterCmkEncrypted.js | 2 +-
 plugins/aws/redshift/redshiftClusterDefaultPort.js | 2 +-
 plugins/aws/redshift/redshiftClusterInVpc.js | 2 +-
 plugins/aws/redshift/redshiftClusterMasterUsername.js | 2 +-
 plugins/aws/redshift/redshiftDesiredNodeType.js | 2 +-
 plugins/aws/redshift/redshiftEncryptionEnabled.js | 2 +-
 plugins/aws/redshift/redshiftPubliclyAccessible.js | 2 +-
 plugins/aws/redshift/redshiftSSLEnabled.js | 2 +-
 plugins/aws/redshift/redshiftUnusedReservedNodes.js | 2 +-
 plugins/aws/redshift/snapshotRetentionPeriod.js | 2 +-
 plugins/aws/redshift/underutilizedRedshiftCluster.js | 2 +-
 plugins/aws/redshift/userActivityLoggingEnabled.js | 2 +-
 plugins/aws/route53/danglingDnsRecords.js | 2 +-
 plugins/aws/route53/domainAutoRenew.js | 2 +-
 plugins/aws/route53/domainExpiry.js | 2 +-
 plugins/aws/route53/domainTransferLock.js | 2 +-
 plugins/aws/route53/privacyProtection.js | 2 +-
 plugins/aws/route53/senderPolicyFwInUse.js | 2 +-
 plugins/aws/route53/senderPolicyFwRecordPresent.js | 2 +-
 plugins/aws/wafv2/aclRulesDefaultAction.js | 2 +-
 plugins/aws/wafv2/wafv2CloudwatchMetricsEnabled.js | 2 +-
 plugins/aws/workspaces/workspacesDesiredBundleType.js | 2 +-
 plugins/aws/workspaces/workspacesInstanceCount.js | 2 +-
 plugins/aws/workspaces/workspacesIpAccessControl.js | 2 +-
 plugins/aws/workspaces/workspacesVolumeEncryption.js | 2 +-
 49 files changed, 49 insertions(+), 49 deletions(-)
diff --git a/plugins/aws/proton/environmentTemplateEncrypted.js b/plugins/aws/proton/environmentTemplateEncrypted.js
index 6eff30bb69..1b4b6caa91 100644
--- a/plugins/aws/proton/environmentTemplateEncrypted.js
+++ b/plugins/aws/proton/environmentTemplateEncrypted.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 'awscmk'
 }
 },
- realtime_triggers: ['proton:CreateEnviromentTemplate'],
+ realtime_triggers: ['proton:CreateEnviromentTemplate', 'proton:DeleteEnviromentTemplate'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/qldb/ledgerEncrypted.js b/plugins/aws/qldb/ledgerEncrypted.js
index 0a926e1c15..e54e081503 100644
--- a/plugins/aws/qldb/ledgerEncrypted.js
+++ b/plugins/aws/qldb/ledgerEncrypted.js
@@ -19,7 +19,7 @@ module.exports = {
 default: 'awscmk'
 }
 },
- realtime_triggers: ['qldb:CreateLedger', 'qldb:UpdateLedger'],
+ realtime_triggers: ['qldb:CreateLedger', 'qldb:UpdateLedger', 'qldb:DeleteLedger'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/rds/iamDbAuthenticationEnabled.js b/plugins/aws/rds/iamDbAuthenticationEnabled.js
index 23b3c8afec..a6e61fee57 100644
--- a/plugins/aws/rds/iamDbAuthenticationEnabled.js
+++ b/plugins/aws/rds/iamDbAuthenticationEnabled.js
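Review bot: The new trigger in environmentTemplateEncrypted copies the existing misspelling, giving `'proton:DeleteEnviromentTemplate'` next to `'proton:CreateEnviromentTemplate'`; the Proton actions are CreateEnvironmentTemplate and DeleteEnvironmentTemplate. With both names wrong, neither creation nor deletion of a template would reach this check in realtime mode if event names are matched exactly, so the commit adds a trigger that cannot fire. Proposed: `realtime_triggers: ['proton:CreateEnvironmentTemplate', 'proton:DeleteEnvironmentTemplate'],`. The enclosing `module.exports` object starts before and ends after the hunk.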
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth.html',
 recommended_action: 'Modify the PostgreSQL and MySQL type RDS instances to enable IAM database authentication.',
 apis: ['RDS:describeDBInstances'],
- realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'],
+ realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3', 'rds:DeleteDBInstance'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/rds/mysqlVulnerabilityCheck.js b/plugins/aws/rds/mysqlVulnerabilityCheck.js
index 9c9ef6efb2..c8a07e10ee 100644
--- a/plugins/aws/rds/mysqlVulnerabilityCheck.js
+++ b/plugins/aws/rds/mysqlVulnerabilityCheck.js
@@ -9,7 +9,7 @@ module.exports = {
 link: 'https://aws.amazon.com/security/security-bulletins/mysql-5-5-and-5-6-security-advisory/',
 recommended_action: 'Update the MySQL engine version to a more recent, patched version to mitigate the vulnerabilities.',
 apis: ['RDS:describeDBInstances'],
- realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'],
+ realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3','rds:DeleteDBInstance'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/rds/overutilizedRDSInstance.js b/plugins/aws/rds/overutilizedRDSInstance.js
index bcac975f68..cf7baf3bfc 100644
--- a/plugins/aws/rds/overutilizedRDSInstance.js
+++ b/plugins/aws/rds/overutilizedRDSInstance.js
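Review bot: Style: the new entry in mysqlVulnerabilityCheck is appended as `'rds:RestoreDBInstanceFromS3','rds:DeleteDBInstance'` with no space after the comma, while the rest of that array and the iamDbAuthenticationEnabled hunk just above use `, 'rds:DeleteDBInstance'`. The same missing space recurs in most of the rds hunks that follow (overutilizedRDSInstance, rdsAutomatedBackups, rdsDefaultPort, rdsDefaultUsername, rdsDeletionProtectionEnabled, rdsEncryptionEnabled, rdsInstanceGeneration, rdsInstanceHasTags, rdsLoggingEnabled, rdsMinorVersionUpgrade, rdsMultiAz, rdsPublicSubnet, rdsPubliclyAccessible, rdsRestorable, rdsSnapshotPubliclyAccessible and sqlServerTLSVersion), so one pass over the commit would settle it: `'rds:RestoreDBInstanceFromS3', 'rds:DeleteDBInstance'],`.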
@@ -18,7 +18,7 @@ module.exports = {
 default: '90'
 }
 },
- realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'],
+ realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3','rds:DeleteDBInstance'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/rds/rdsAutomatedBackups.js b/plugins/aws/rds/rdsAutomatedBackups.js
index 0a21fd04a1..049e7353e1 100644
--- a/plugins/aws/rds/rdsAutomatedBackups.js
+++ b/plugins/aws/rds/rdsAutomatedBackups.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 6
 }
 },
- realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance','rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'],
+ realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance','rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3','rds:DeleteDBInstance'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/rds/rdsCmkEncryptionEnabled.js b/plugins/aws/rds/rdsCmkEncryptionEnabled.js
index bfb683c2d1..3fa3336128 100644
--- a/plugins/aws/rds/rdsCmkEncryptionEnabled.js
+++ b/plugins/aws/rds/rdsCmkEncryptionEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html',
 recommended_action: 'RDS does not currently allow modifications to encryption after the instance has been launched, so a new instance will need to be created with KMS CMK encryption enabled.',
 apis: ['RDS:describeDBInstances', 'KMS:listAliases'],
- realtime_triggers: ['rds:CreateDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'],
+ realtime_triggers: ['rds:CreateDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3', 'rds:DeleteDBInstance'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/rds/rdsDefaultPort.js b/plugins/aws/rds/rdsDefaultPort.js
index e049ee4683..82437846c2 100644
--- a/plugins/aws/rds/rdsDefaultPort.js
+++ b/plugins/aws/rds/rdsDefaultPort.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_CommonTasks.Connect.html',
 recommended_action: 'Change the default port number of the RDS instance to non-default port.',
 apis: ['RDS:describeDBInstances'],
- realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'],
+ realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3','rds:DeleteDBInstance'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/rds/rdsDefaultUsername.js b/plugins/aws/rds/rdsDefaultUsername.js
index d2a105bdf1..0a27096336 100644
--- a/plugins/aws/rds/rdsDefaultUsername.js
+++ b/plugins/aws/rds/rdsDefaultUsername.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateDBInstance.html',
 recommended_action: 'Create a new RDS instance with the desired username, and migrate the database to the new instance.',
 apis: ['RDS:describeDBInstances'],
- realtime_triggers: ['rds:CreateDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'],
+ realtime_triggers: ['rds:CreateDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3','rds:DeleteDBInstance'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/rds/rdsDeletionProtectionEnabled.js b/plugins/aws/rds/rdsDeletionProtectionEnabled.js
index c223c0ed9a..cf02863048 100644
--- a/plugins/aws/rds/rdsDeletionProtectionEnabled.js
+++ b/plugins/aws/rds/rdsDeletionProtectionEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-rds-now-provides-database-deletion-protection/',
 recommended_action: 'Modify the RDS instances to enable deletion protection.',
 apis: ['RDS:describeDBInstances'],
- realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'],
+ realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3','rds:DeleteDBInstance'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/rds/rdsEncryptionEnabled.js b/plugins/aws/rds/rdsEncryptionEnabled.js
index 17d4c5e4bc..c8281b9ddb 100644
--- a/plugins/aws/rds/rdsEncryptionEnabled.js
+++ b/plugins/aws/rds/rdsEncryptionEnabled.js
@@ -33,7 +33,7 @@ module.exports = {
 'encryption should be enabled for all instances storing this type ' +
 'of data.'
 },
- realtime_triggers: ['rds:CreateDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'],
+ realtime_triggers: ['rds:CreateDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3','rds:DeleteDBInstance'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/rds/rdsInstanceGeneration.js b/plugins/aws/rds/rdsInstanceGeneration.js
index c34d269813..44f546bbd2 100644
--- a/plugins/aws/rds/rdsInstanceGeneration.js
+++ b/plugins/aws/rds/rdsInstanceGeneration.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.DBInstanceClass.html',
 recommended_action: 'Upgrade the instance to its latest generation.',
 apis: ['RDS:describeDBInstances'],
- realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'],
+ realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3','rds:DeleteDBInstance'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/rds/rdsInstanceHasTags.js b/plugins/aws/rds/rdsInstanceHasTags.js
index fecc2cad11..7a59c082c7 100644
--- a/plugins/aws/rds/rdsInstanceHasTags.js
+++ b/plugins/aws/rds/rdsInstanceHasTags.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html',
 recommended_action: 'Modify the RDS instance to add tags.',
 apis: ['RDS:describeDBInstances'],
- realtime_triggers: ['rds:CreateDBInstance', 'rds:AddTagsToResource', 'rds:RemoveTagsToResource', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'],
+ realtime_triggers: ['rds:CreateDBInstance', 'rds:AddTagsToResource', 'rds:RemoveTagsToResource', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3','rds:DeleteDBInstance'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/rds/rdsLoggingEnabled.js b/plugins/aws/rds/rdsLoggingEnabled.js
index 6c65d14907..226659c711 100755
--- a/plugins/aws/rds/rdsLoggingEnabled.js
+++ b/plugins/aws/rds/rdsLoggingEnabled.js
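Review bot: The rewritten rdsInstanceHasTags line keeps `'rds:RemoveTagsToResource'`; the RDS action is RemoveTagsFromResource, so stripping the last tag from an instance would not re-trigger this check if event names are matched exactly, which is the one transition a has-tags check most needs to see. Proposed: `realtime_triggers: ['rds:CreateDBInstance', 'rds:AddTagsToResource', 'rds:RemoveTagsFromResource', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3', 'rds:DeleteDBInstance'],`. The enclosing `module.exports` object starts before and ends after the hunk.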
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html',
 recommended_action: 'Modify the RDS instance to enable logging as required.',
 apis: ['RDS:describeDBInstances', 'RDS:describeDBEngineVersions'],
- realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'],
+ realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3','rds:DeleteDBInstance'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/rds/rdsMinorVersionUpgrade.js b/plugins/aws/rds/rdsMinorVersionUpgrade.js
index 56ac835d2c..f2066c1ec0 100644
--- a/plugins/aws/rds/rdsMinorVersionUpgrade.js
+++ b/plugins/aws/rds/rdsMinorVersionUpgrade.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Upgrading.html#USER_UpgradeDBInstance.Upgrading.AutoMinorVersionUpgrades',
 recommended_action: 'Enable automatic minor version upgrades on RDS and DocumentDB databases',
 apis: ['RDS:describeDBInstances'],
- realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'],
+ realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3','rds:DeleteDBInstance'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/rds/rdsMultiAz.js b/plugins/aws/rds/rdsMultiAz.js
index 830331b927..1ef56f3b6b 100644
--- a/plugins/aws/rds/rdsMultiAz.js
+++ b/plugins/aws/rds/rdsMultiAz.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 'false'
 }
 },
- realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'],
+ realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3','rds:DeleteDBInstance'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/rds/rdsPublicSubnet.js b/plugins/aws/rds/rdsPublicSubnet.js
index fac8585b54..5575c87880 100644
--- a/plugins/aws/rds/rdsPublicSubnet.js
+++ b/plugins/aws/rds/rdsPublicSubnet.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/config/latest/developerguide/rds-instance-public-access-check.html',
 recommended_action: 'Replace the subnet groups of rds instance with the private subnets.',
 apis: ['RDS:describeDBInstances', 'EC2:describeRouteTables', 'EC2:describeSubnets'],
- realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'],
+ realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3','rds:DeleteDBInstance'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/rds/rdsPubliclyAccessible.js b/plugins/aws/rds/rdsPubliclyAccessible.js
index 8657e99798..f8600aa2d0 100644
--- a/plugins/aws/rds/rdsPubliclyAccessible.js
+++ b/plugins/aws/rds/rdsPubliclyAccessible.js
@@ -20,7 +20,7 @@ module.exports = { 'Ensure RDS instances are not accessible from the Internet ' + 'and use proper jump box access mechanisms.' }, - realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:ModifyDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3','rds:DeleteDBInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/rdsRestorable.js b/plugins/aws/rds/rdsRestorable.js index 72393af091..9ca3b42eb9 100644 --- a/plugins/aws/rds/rdsRestorable.js +++ b/plugins/aws/rds/rdsRestorable.js @@ -29,7 +29,7 @@ module.exports = { default: 6 } }, - realtime_triggers: ['rds:CreateDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3'], + realtime_triggers: ['rds:CreateDBInstance', 'rds:RestoreDBInstanceFromDBSnapshot', 'rds:RestoreDBInstanceFromS3','rds:DeleteDBInstance'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/rds/rdsSnapshotPubliclyAccessible.js b/plugins/aws/rds/rdsSnapshotPubliclyAccessible.js index ece0a30db4..ff765a20f8 100644 --- a/plugins/aws/rds/rdsSnapshotPubliclyAccessible.js +++ b/plugins/aws/rds/rdsSnapshotPubliclyAccessible.js @@ -11,7 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html', recommended_action: 'Ensure Amazon RDS database snapshot is not publicly accessible and available for any AWS account to copy or restore it.', apis: ['RDS:describeDBSnapshots', 'RDS:describeDBSnapshotAttributes'], - realtime_triggers: ['rds:CreateDBSnapshot', 'rds:ModifyDBSnapshotAttribute'], + realtime_triggers: ['rds:CreateDBSnapshot', 'rds:ModifyDBSnapshotAttribute','rds:DeleteDBSnapshot'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/rds/rdsTransportEncryption.js b/plugins/aws/rds/rdsTransportEncryption.js index d31b08f2f7..d9343a759a 100644 --- a/plugins/aws/rds/rdsTransportEncryption.js +++ b/plugins/aws/rds/rdsTransportEncryption.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html', recommended_action: 'Update the parameter group associated with the RDS instance to have rds.force_ssl set to true', apis: ['RDS:describeDBInstances', 'RDS:describeDBParameters', 'RDS:describeDBParameterGroups'], - realtime_triggers: ['rds:CreateDBParameterGroup', 'rds:ModifyDBParameterGroup'], + realtime_triggers: ['rds:CreateDBParameterGroup', 'rds:ModifyDBParameterGroup', 'rds:DeleteDBParameterGroup'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/rds/sqlServerTLSVersion.js b/plugins/aws/rds/sqlServerTLSVersion.js index 41b471a798..77fcea402b 100644 --- a/plugins/aws/rds/sqlServerTLSVersion.js +++ b/plugins/aws/rds/sqlServerTLSVersion.js @@ -21,7 +21,7 @@ module.exports = { remediate: ['rds:ModifyDBParameterGroup'], rollback: ['rds:ModifyDBParameterGroup'] }, - realtime_triggers: ['rds:CreateDBParameterGroup', 'rds:ModifyDBParameterGroup'], + realtime_triggers: ['rds:CreateDBParameterGroup', 'rds:ModifyDBParameterGroup','rds:DeleteDBParameterGroup'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/auditLoggingEnabled.js b/plugins/aws/redshift/auditLoggingEnabled.js index f904157a81..5449d6a76f 100644 --- a/plugins/aws/redshift/auditLoggingEnabled.js +++ b/plugins/aws/redshift/auditLoggingEnabled.js 
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing-console.html', recommended_action: 'Modify Redshift clusters to enable audit logging', apis: ['Redshift:describeClusters', 'Redshift:describeLoggingStatus', 'STS:getCallerIdentity'], - realtime_triggers: ['redshift:CreateCluster', 'redshift:EditLogging', 'redshift:RestoreFromClusterSnapshot'], + realtime_triggers: ['redshift:CreateCluster', 'redshift:EditLogging', 'redshift:RestoreFromClusterSnapshot', 'redshift:DeleteCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/redshiftAllowVersionUpgrade.js b/plugins/aws/redshift/redshiftAllowVersionUpgrade.js index 6750fc4c43..f9065a0562 100644 --- a/plugins/aws/redshift/redshiftAllowVersionUpgrade.js +++ b/plugins/aws/redshift/redshiftAllowVersionUpgrade.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.amazonaws.cn/en_us/redshift/latest/mgmt/redshift-mgmt.pdf', recommended_action: 'Modify Redshift clusters to allow version upgrade', apis: ['Redshift:describeClusters', 'STS:getCallerIdentity'], - realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster', 'redshift:RestoreFromClusterSnapshot'], + realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster', 'redshift:RestoreFromClusterSnapshot','redshift:DeleteCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/redshiftClusterCmkEncrypted.js b/plugins/aws/redshift/redshiftClusterCmkEncrypted.js index cd708d8ecb..46b5cee17f 100644 --- a/plugins/aws/redshift/redshiftClusterCmkEncrypted.js +++ b/plugins/aws/redshift/redshiftClusterCmkEncrypted.js 
@@ -10,7 +10,7 @@ module.exports = { link: 'http://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html', recommended_action: 'Update Redshift clusters encryption configuration to use KMS CMKs instead of AWS managed-keys.', apis: ['Redshift:describeClusters', 'KMS:listAliases', 'STS:getCallerIdentity'], - realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster', 'redshift:RestoreFromClusterSnapshot'], + realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster', 'redshift:RestoreFromClusterSnapshot','redshift:DeleteCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/redshiftClusterDefaultPort.js b/plugins/aws/redshift/redshiftClusterDefaultPort.js index 67c4e1b05b..73fb101a0b 100644 --- a/plugins/aws/redshift/redshiftClusterDefaultPort.js +++ b/plugins/aws/redshift/redshiftClusterDefaultPort.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.amazonaws.cn/en_us/redshift/latest/gsg/rs-gsg-launch-sample-cluster.html', recommended_action: 'Update Amazon Redshift cluster endpoint port.', apis: ['Redshift:describeClusters', 'STS:getCallerIdentity'], - realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster', 'redshift:RestoreFromClusterSnapshot'], + realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster', 'redshift:RestoreFromClusterSnapshot','redshift:DeleteCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/redshiftClusterInVpc.js b/plugins/aws/redshift/redshiftClusterInVpc.js index 8ef046ea11..bf37befd99 100644 --- a/plugins/aws/redshift/redshiftClusterInVpc.js +++ b/plugins/aws/redshift/redshiftClusterInVpc.js 
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#cluster-platforms', recommended_action: 'Update Amazon Redshift cluster and attach it to VPC', apis: ['Redshift:describeClusters', 'STS:getCallerIdentity'], - realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster', 'redshift:RestoreFromClusterSnapshot'], + realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster', 'redshift:RestoreFromClusterSnapshot', 'redshift:DeleteCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/redshiftClusterMasterUsername.js b/plugins/aws/redshift/redshiftClusterMasterUsername.js index dc8ee932fc..be48bce405 100644 --- a/plugins/aws/redshift/redshiftClusterMasterUsername.js +++ b/plugins/aws/redshift/redshiftClusterMasterUsername.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.amazonaws.cn/en_us/redshift/latest/gsg/rs-gsg-launch-sample-cluster.html', recommended_action: 'Update Amazon Redshift cluster master username.', apis: ['Redshift:describeClusters', 'STS:getCallerIdentity'], - realtime_triggers: ['redshift:CreateCluster', 'redshift:RestoreFromClusterSnapshot'], + realtime_triggers: ['redshift:CreateCluster', 'redshift:RestoreFromClusterSnapshot', 'redshift:DeleteCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/redshiftDesiredNodeType.js b/plugins/aws/redshift/redshiftDesiredNodeType.js index bc3d5671f8..c68d43b238 100644 --- a/plugins/aws/redshift/redshiftDesiredNodeType.js +++ b/plugins/aws/redshift/redshiftDesiredNodeType.js 
@@ -18,7 +18,7 @@ module.exports = { default: '' }, }, - realtime_triggers: ['redshift:CreateCluster', 'redshift:RestoreFromClusterSnapshot'], + realtime_triggers: ['redshift:CreateCluster', 'redshift:RestoreFromClusterSnapshot', 'redshift:DeleteCluster'], run: function(cache, settings, callback) { var redshift_cluster_node_type = settings.redshift_cluster_node_type || this.settings.redshift_cluster_node_type.default; diff --git a/plugins/aws/redshift/redshiftEncryptionEnabled.js b/plugins/aws/redshift/redshiftEncryptionEnabled.js index 66c99c3b55..248ea453eb 100644 --- a/plugins/aws/redshift/redshiftEncryptionEnabled.js +++ b/plugins/aws/redshift/redshiftEncryptionEnabled.js @@ -16,7 +16,7 @@ module.exports = { 'is implemented by providing KMS-backed encryption for all Redshift ' + 'data.' }, - realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster', 'redshift:RestoreFromClusterSnapshot'], + realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster', 'redshift:RestoreFromClusterSnapshot', 'redshift:DeleteCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/redshiftPubliclyAccessible.js b/plugins/aws/redshift/redshiftPubliclyAccessible.js index c4484d2c72..e011babecd 100644 --- a/plugins/aws/redshift/redshiftPubliclyAccessible.js +++ b/plugins/aws/redshift/redshiftPubliclyAccessible.js @@ -20,7 +20,7 @@ module.exports = { 'Ensure Redshift instances are not accessible from the Internet ' + 'and use proper jump box access mechanisms.' }, - realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster', 'redshift:RestoreFromClusterSnapshot'], + realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster', 'redshift:RestoreFromClusterSnapshot', 'redshift:DeleteCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/redshiftSSLEnabled.js b/plugins/aws/redshift/redshiftSSLEnabled.js index 7d08ea0fa0..90a37e43ab 100644 
--- a/plugins/aws/redshift/redshiftSSLEnabled.js +++ b/plugins/aws/redshift/redshiftSSLEnabled.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/redshift/latest/mgmt/connecting-ssl-support.html', recommended_action: 'Update Redshift parameter groups to have require-ssl parameter set to true.', apis: ['Redshift:describeClusters', 'Redshift:describeClusterParameterGroups', 'Redshift:describeClusterParameters', 'STS:getCallerIdentity'], - realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyClusterParameterGroup', 'redshift:RestoreFromClusterSnapshot'], + realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyClusterParameterGroup', 'redshift:RestoreFromClusterSnapshot', 'redshift:DeleteCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/redshiftUnusedReservedNodes.js b/plugins/aws/redshift/redshiftUnusedReservedNodes.js index 56ecfa2067..3e9e1cd8ed 100644 --- a/plugins/aws/redshift/redshiftUnusedReservedNodes.js +++ b/plugins/aws/redshift/redshiftUnusedReservedNodes.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/redshift/latest/mgmt/purchase-reserved-node-instance.html', recommended_action: 'Provision new Redshift clusters matching the criteria of reserved nodes', apis: ['Redshift:describeClusters', 'Redshift:describeReservedNodes', 'STS:getCallerIdentity'], - realtime_triggers: ['redshift:CreateCluster', 'redshift:RestoreFromClusterSnapshot'], + realtime_triggers: ['redshift:CreateCluster', 'redshift:RestoreFromClusterSnapshot', 'redshift:DeleteCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/snapshotRetentionPeriod.js b/plugins/aws/redshift/snapshotRetentionPeriod.js index b95500cf34..507b0eeb17 100644 --- a/plugins/aws/redshift/snapshotRetentionPeriod.js +++ b/plugins/aws/redshift/snapshotRetentionPeriod.js 
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-snapshots.html', recommended_action: 'Modify Amazon Redshift cluster to set snapshot retention period', apis: ['Redshift:describeClusters', 'STS:getCallerIdentity'], - realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster', 'redshift:RestoreFromClusterSnapshot'], + realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyCluster', 'redshift:RestoreFromClusterSnapshot', 'redshift:DeleteCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/underutilizedRedshiftCluster.js b/plugins/aws/redshift/underutilizedRedshiftCluster.js index bb4a0438d6..3927a5ba97 100644 --- a/plugins/aws/redshift/underutilizedRedshiftCluster.js +++ b/plugins/aws/redshift/underutilizedRedshiftCluster.js @@ -18,7 +18,7 @@ module.exports = { default: '5' } }, - realtime_triggers: ['redshift:CreateCluster','redshift:CreateClusterSnapshot', 'redshift:RestoreFromClusterSnapshot'], + realtime_triggers: ['redshift:CreateCluster','redshift:CreateClusterSnapshot', 'redshift:RestoreFromClusterSnapshot','redshift:DeleteCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/redshift/userActivityLoggingEnabled.js b/plugins/aws/redshift/userActivityLoggingEnabled.js index 35df581a2e..a51511d951 100644 --- a/plugins/aws/redshift/userActivityLoggingEnabled.js +++ b/plugins/aws/redshift/userActivityLoggingEnabled.js 
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html#db-auditing-enable-logging', recommended_action: 'Update Redshift parameter groups to enable user activity logging', apis: ['Redshift:describeClusters', 'Redshift:describeClusterParameterGroups', 'Redshift:describeClusterParameters', 'STS:getCallerIdentity'], - realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyClusterParameterGroup', 'redshift:RestoreFromClusterSnapshot'], + realtime_triggers: ['redshift:CreateCluster', 'redshift:ModifyClusterParameterGroup', 'redshift:RestoreFromClusterSnapshot', 'redshift:DeleteCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/route53/danglingDnsRecords.js b/plugins/aws/route53/danglingDnsRecords.js index 5a8a277807..d2a6e4ac38 100644 --- a/plugins/aws/route53/danglingDnsRecords.js +++ b/plugins/aws/route53/danglingDnsRecords.js @@ -18,7 +18,7 @@ module.exports = { default: 'false' } }, - realtime_triggers: ['route53:CreateHostedZone','route53:ChangeResourceRecordSets'], + realtime_triggers: ['route53:CreateHostedZone','route53:ChangeResourceRecordSets', 'route53:DeleteHostedZone'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/route53/domainAutoRenew.js b/plugins/aws/route53/domainAutoRenew.js index 9a9431687a..75a69ead01 100644 --- a/plugins/aws/route53/domainAutoRenew.js +++ b/plugins/aws/route53/domainAutoRenew.js 
@@ -9,7 +9,7 @@ module.exports = {
 link: 'http://docs.aws.amazon.com/Route53/latest/APIReference/api-enable-domain-auto-renew.html',
 recommended_action: 'Enable auto renew for the domain',
 apis: ['Route53Domains:listDomains'],
- realtime_triggers: ['route53domains:RegisterDomain','route53domains:EnableAutoRenew', 'route53domians:DisableDomainAutoRenew'],
+ realtime_triggers: ['route53domains:RegisterDomain','route53domains:EnableAutoRenew', 'route53domians:DisableDomainAutoRenew', 'route53domians:DeleteDomain'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/route53/domainExpiry.js b/plugins/aws/route53/domainExpiry.js
index 4b2c327082..22b67a35aa 100644
--- a/plugins/aws/route53/domainExpiry.js
+++ b/plugins/aws/route53/domainExpiry.js
@@ -9,7 +9,7 @@ module.exports = {
 link: 'http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/registrar.html',
 recommended_action: 'Reregister the expiring domain',
 apis: ['Route53Domains:listDomains'],
- realtime_triggers: ['route53domains:RegisterDomain','route53domains:RenewDomain'],
+ realtime_triggers: ['route53domains:RegisterDomain','route53domains:RenewDomain','route53domians:DeleteDomain'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/route53/domainTransferLock.js b/plugins/aws/route53/domainTransferLock.js
index 514448ee6c..d6c02c3ef6 100644
--- a/plugins/aws/route53/domainTransferLock.js
+++ b/plugins/aws/route53/domainTransferLock.js
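Review bot: The added trigger `'route53domians:DeleteDomain'` misspells the service prefix (domians for domains), so it can never match a DeleteDomain event and a deleted domain's stale finding will not be cleared; the pre-existing `'route53domians:DisableDomainAutoRenew'` on the same new line carries the same typo and should be fixed in passing. The line should read `realtime_triggers: ['route53domains:RegisterDomain','route53domains:EnableDomainAutoRenew', 'route53domains:DisableDomainAutoRenew', 'route53domains:DeleteDomain'],`. The Route 53 Domains API names the auto-renew operations EnableDomainAutoRenew/DisableDomainAutoRenew, so the existing `EnableAutoRenew` entry is probably dead as well; worth confirming against the CloudTrail eventName before merging. The plugin's run body is outside the hunk.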
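Review bot: The new `'route53domians:DeleteDomain'` entry in domainExpiry has the domians/domains misspelling, so the delete trigger added here is dead code and an expired-then-deleted domain keeps its finding. Change it to `'route53domains:DeleteDomain'` to match the prefix of the two existing entries on the line. The run body continues outside the hunk.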
@@ -9,7 +9,7 @@ module.exports = {
 link: 'http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-transfer-from-route-53.html',
 recommended_action: 'Enable the transfer lock for the domain',
 apis: ['Route53Domains:listDomains'],
- realtime_triggers: ['route53domains:RegisterDomain', 'route53domain:EnableDomainTransferLock', 'route53domain:DisableDomainTransferLock'],
+ realtime_triggers: ['route53domains:RegisterDomain', 'route53domain:EnableDomainTransferLock', 'route53domain:DisableDomainTransferLock','route53domians:DeleteDomain'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/route53/privacyProtection.js b/plugins/aws/route53/privacyProtection.js
index 9d0e11f32c..cb55a44cd8 100644
--- a/plugins/aws/route53/privacyProtection.js
+++ b/plugins/aws/route53/privacyProtection.js
@@ -9,7 +9,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-privacy-protection.html',
 recommended_action: 'Enable Privacy Protection for Domain',
 apis: ['Route53Domains:listDomains', 'Route53Domains:getDomainDetail'],
- realtime_triggers: ['route53domains:RegisterDomain', 'route53domains:UpdateDomainContactPrivacy'],
+ realtime_triggers: ['route53domains:RegisterDomain', 'route53domains:UpdateDomainContactPrivacy','route53domians:DeleteDomain'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/route53/senderPolicyFwInUse.js b/plugins/aws/route53/senderPolicyFwInUse.js
index 125d798bba..0ce2f0851d 100644
--- a/plugins/aws/route53/senderPolicyFwInUse.js
+++ b/plugins/aws/route53/senderPolicyFwInUse.js
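Review bot: `'route53domians:DeleteDomain'` is misspelled, and the new line now carries three different spellings of the same service prefix (`route53domains`, `route53domain`, `route53domians`); only entries whose prefix matches what the realtime matcher expects will ever fire, so at least two of the four transfer-lock triggers are dead. Normalise the whole list to `realtime_triggers: ['route53domains:RegisterDomain', 'route53domains:EnableDomainTransferLock', 'route53domains:DisableDomainTransferLock', 'route53domains:DeleteDomain'],`. Which prefix form the matcher expects is not visible here, but `route53domains:` is the form used for RegisterDomain across all of these plugins and is the one to keep. The run body continues outside the hunk.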
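Review bot: The privacyProtection hunk repeats the `'route53domians:DeleteDomain'` misspelling, so the delete trigger will not match and a deleted domain's privacy finding is never retired. Use `'route53domains:DeleteDomain'`, consistent with the two existing entries on the line. The run body is outside the hunk.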
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/rrsets-working-with.html', recommended_action: 'Updated the domain records to have SPF.', apis: ['Route53:listHostedZones', 'Route53:listResourceRecordSets'], - realtime_triggers: ['route53:CreateHostedZone','route53:ChangeResourceRecordSets'], + realtime_triggers: ['route53:CreateHostedZone','route53:ChangeResourceRecordSets','route53:DeleteHostedZone'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/route53/senderPolicyFwRecordPresent.js b/plugins/aws/route53/senderPolicyFwRecordPresent.js index 4ce121e67b..96cad5ec48 100644 --- a/plugins/aws/route53/senderPolicyFwRecordPresent.js +++ b/plugins/aws/route53/senderPolicyFwRecordPresent.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html', recommended_action: 'Add SPF records to the DNS records.', apis: ['Route53:listHostedZones', 'Route53:listResourceRecordSets'], - realtime_triggers: ['route53:CreateHostedZone','route53:ChangeResourceRecordSets'], + realtime_triggers: ['route53:CreateHostedZone','route53:ChangeResourceRecordSets','route53:DeleteHostedZone'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/wafv2/aclRulesDefaultAction.js b/plugins/aws/wafv2/aclRulesDefaultAction.js index f9cc698c8c..6487e5dd06 100644 --- a/plugins/aws/wafv2/aclRulesDefaultAction.js +++ b/plugins/aws/wafv2/aclRulesDefaultAction.js 
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/waf/latest/APIReference/API_DefaultAction.html',
 recommended_action: 'Modify Web ACL and set default action to block requests.',
 apis: ['WAFV2:listWebACLs', 'WAFV2:getWebACL'],
- realtime_triggers: ['wafv2:CreateWebACL', 'wafv2:UpdateWebACL'],
+ realtime_triggers: ['wafv2:CreateWebACL', 'wafv2:UpdateWebACL','wafv2:DeleteWebACL'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/wafv2/wafv2CloudwatchMetricsEnabled.js b/plugins/aws/wafv2/wafv2CloudwatchMetricsEnabled.js
index 11f901f97b..e81c983e57 100644
--- a/plugins/aws/wafv2/wafv2CloudwatchMetricsEnabled.js
+++ b/plugins/aws/wafv2/wafv2CloudwatchMetricsEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html',
 recommended_action: 'Modify WAFv2 and enable cloud watch metrics.',
 apis: ['WAFV2:listWebACLs', 'WAFV2:getWebACL'],
- realtime_triggers: ['wafv2:CreateWebACL','wafv2:updateWebACL'],
+ realtime_triggers: ['wafv2:CreateWebACL','wafv2:updateWebACL', 'wafv2:DeleteWebACL'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/workspaces/workspacesDesiredBundleType.js b/plugins/aws/workspaces/workspacesDesiredBundleType.js
index 4690a9f408..ac913e5ed3 100644
--- a/plugins/aws/workspaces/workspacesDesiredBundleType.js
+++ b/plugins/aws/workspaces/workspacesDesiredBundleType.js
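Review bot: The new side of the wafv2CloudwatchMetricsEnabled hunk keeps `'wafv2:updateWebACL'` with a lowercase u, while the aclRulesDefaultAction hunk just above uses `'wafv2:UpdateWebACL'`; if trigger matching is case-sensitive (the CloudTrail eventName is UpdateWebACL) this plugin never re-runs on the one call that can switch metrics off. Since the line is being rewritten anyway, make it `realtime_triggers: ['wafv2:CreateWebACL', 'wafv2:UpdateWebACL', 'wafv2:DeleteWebACL'],`. Whether the matcher normalises case is not visible here, so this is worth a quick check rather than an assumption. The run body is outside the hunk.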
@@ -9,7 +9,7 @@ module.exports = {
 more_info: 'A bundle in AWS WorkSpaces defines the hardware and software for AWS WorkSpaces. You can create a WorkSpaces instance using a predefined or custom bundle. Setting a limit to the types that can be used will help you control billing and address internal compliance requirements.',
 recommended_action: 'Ensure that WorkSpaces instances are using desired bundle types',
 link: 'https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces-bundles.html',
- apis: ['WorkSpaces:describeWorkspaces', 'STS:getCallerIdentity'],
+ apis: ['WorkSpaces:describeWorkspaces', 'STS:getCallerIdentity','workspace:TerminateWorkspaces'],
 settings: {
 workspace_desired_bundle_type: {
 name: 'Workspaces desired bundle type',
diff --git a/plugins/aws/workspaces/workspacesInstanceCount.js b/plugins/aws/workspaces/workspacesInstanceCount.js
index 5facb76660..866ca5c3ec 100644
--- a/plugins/aws/workspaces/workspacesInstanceCount.js
+++ b/plugins/aws/workspaces/workspacesInstanceCount.js
@@ -9,7 +9,7 @@ module.exports = {
 more_info: 'In order to manage your WorkSpaces compute resources efficiently and prevent unexpected charges on your AWS bill, monitor and configure limits for the maximum number of WorkSpaces instances provisioned within your AWS account.',
 recommended_action: 'Ensure that number of WorkSpaces created within your AWS account is within set limit',
 link: 'https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-limits.html',
- apis: ['WorkSpaces:describeWorkspaces'],
+ apis: ['WorkSpaces:describeWorkspaces', 'workspace:TerminateWorkspaces'],
 settings: {
 workspace_instance_limit: {
 name: 'Limit for the number of WorkSpaces instances.',
diff --git a/plugins/aws/workspaces/workspacesIpAccessControl.js b/plugins/aws/workspaces/workspacesIpAccessControl.js
index 34de3a145b..936771cf56 100644
--- a/plugins/aws/workspaces/workspacesIpAccessControl.js
+++ b/plugins/aws/workspaces/workspacesIpAccessControl.js
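Review bot: `'workspace:TerminateWorkspaces'` was appended to `apis`, not to `realtime_triggers`; `apis` lists collector calls in `Service:method` form (`WorkSpaces:describeWorkspaces`, `STS:getCallerIdentity`) and every other file in this commit puts its delete event in `realtime_triggers`, so here the entry is at best ignored and at worst sends the collector looking for a non-existent `workspace` service. Revert the `apis` line to `apis: ['WorkSpaces:describeWorkspaces', 'STS:getCallerIdentity'],` and add `realtime_triggers: ['workspaces:CreateWorkspaces', 'workspaces:TerminateWorkspaces'],` (the prefix used by the sibling workspacesIpAccessControl plugin) unless the plugin already declares one outside the hunk. The rest of module.exports is outside the hunk.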
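Review bot: Same misplacement as in workspacesDesiredBundleType: `'workspace:TerminateWorkspaces'` is a CloudTrail event name and belongs in `realtime_triggers`, but it has been added to `apis`, where the collector will try to treat it as a `Service:method` call. Restore `apis: ['WorkSpaces:describeWorkspaces'],` and add a `realtime_triggers` entry carrying the terminate event instead. The remainder of the plugin definition is outside the hunk, so I cannot see whether a `realtime_triggers` key already exists.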
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces-ip-access-control-groups.html',
 recommended_action: 'Enable proper IP Access Controls for all workspaces',
 apis: ['WorkSpaces:describeWorkspaces', 'WorkSpaces:describeWorkspaceDirectories', 'WorkSpaces:describeIpGroups', 'STS:getCallerIdentity'],
- realtime_triggers: ['workspaces:CreateWorkspaces', 'workspaces:ModifyWorkspaceAccessProperties'],
+ realtime_triggers: ['workspaces:CreateWorkspaces', 'workspaces:ModifyWorkspaceAccessProperties', 'workspace:TerminateWorkspaces'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/workspaces/workspacesVolumeEncryption.js b/plugins/aws/workspaces/workspacesVolumeEncryption.js
index 57ffce8a51..892a594cda 100644
--- a/plugins/aws/workspaces/workspacesVolumeEncryption.js
+++ b/plugins/aws/workspaces/workspacesVolumeEncryption.js
@@ -22,7 +22,7 @@ module.exports = {
 default: 'awskms'
 }
 },
- realtime_triggers: ['workspace:CreateWorkSpaces'],
+ realtime_triggers: ['workspace:CreateWorkSpaces', 'workspace:TerminateWorkspaces'],
 run: function(cache, settings, callback) {
 var results = [];
From 75341d472321fea55104d9f7989df1e06e9fee5a Mon Sep 17 00:00:00 2001
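Review bot: The added entry uses the prefix `workspace:` while the two existing entries on the same line use `workspaces:`; unless the matcher normalises the service name, only one form can be correct, and the new terminate trigger is the odd one out. The CloudTrail event source is workspaces.amazonaws.com, so the plural form is the likelier match: `realtime_triggers: ['workspaces:CreateWorkspaces', 'workspaces:ModifyWorkspaceAccessProperties', 'workspaces:TerminateWorkspaces'],`. Whichever form the realtime pipeline actually emits, it should be used consistently across the WorkSpaces plugins. The run body is outside the hunk.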
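Review bot: In workspacesVolumeEncryption both entries use the prefix `workspace:` and the existing one spells the event `CreateWorkSpaces` with a capital S, whereas workspacesIpAccessControl in the hunk above uses `workspaces:CreateWorkspaces`; at most one of the two spellings can match the actual eventName (CloudTrail records it as CreateWorkspaces). Suggest aligning this line with the sibling plugin: `realtime_triggers: ['workspaces:CreateWorkspaces', 'workspaces:TerminateWorkspaces'],`. The run body is outside the hunk.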
From: --global Date: Thu, 21 Sep 2023 13:26:12 +0500 Subject: [PATCH 030/498] added delete tiggers --- plugins/aws/s3/bucketAllUsersAcl.js | 2 +- plugins/aws/s3/bucketAllUsersPolicy.js | 2 +- plugins/aws/s3/bucketDnsCompliantName.js | 2 +- plugins/aws/s3/bucketEncryption.js | 2 +- plugins/aws/s3/bucketEncryptionInTransit.js | 2 +- plugins/aws/s3/bucketEnforceEncryption.js | 2 +- plugins/aws/s3/bucketLifecycleConfiguration.js | 2 +- plugins/aws/s3/bucketLogging.js | 2 +- plugins/aws/s3/bucketMFADeleteEnabled.js | 2 +- plugins/aws/s3/bucketPolicyCloudFrontOac.js | 2 +- plugins/aws/s3/bucketPolicyCloudFrontOai.js | 2 +- plugins/aws/s3/bucketPublicAccessBlock.js | 2 +- plugins/aws/s3/bucketSecureTransportEnabled.js | 2 +- plugins/aws/s3/bucketTransferAcceleration.js | 2 +- plugins/aws/s3/bucketVersioning.js | 2 +- plugins/aws/s3/bucketWebsiteEnabled.js | 2 +- plugins/aws/s3/objectLevelReadEventLogging.js | 2 +- plugins/aws/s3/objectLevelWriteEventLogging.js | 2 +- plugins/aws/s3/s3BucketHasTags.js | 2 +- plugins/aws/s3/s3Encryption.js | 2 +- plugins/aws/s3/versionedBucketsLC.js | 2 +- plugins/aws/s3glacier/vaultPublicAccess.js | 2 +- plugins/aws/sagemaker/notebookDataEncrypted.js | 2 +- plugins/aws/sagemaker/notebookDirectInternetAccess.js | 2 +- plugins/aws/sagemaker/notebookInstanceInVpc.js | 2 +- plugins/aws/secretsmanager/secretHasTags.js | 2 +- plugins/aws/secretsmanager/secretRotationEnabled.js | 2 +- plugins/aws/secretsmanager/secretsManagerEncrypted.js | 2 +- plugins/aws/ses/dkimEnabled.js | 2 +- plugins/aws/ses/emailMessagesEncrypted.js | 2 +- plugins/aws/shield/shieldAdvancedEnabled.js | 2 +- plugins/aws/shield/shieldEmergencyContacts.js | 2 +- plugins/aws/sns/snsCrossAccount.js | 2 +- plugins/aws/sns/snsTopicHasTags.js | 2 +- plugins/aws/sns/snsTopicNoHttpPolicy.js | 2 +- plugins/aws/sns/topicCmkEncrypted.js | 2 +- plugins/aws/sns/topicEncrypted.js | 2 +- plugins/aws/sns/topicPolicies.js | 2 +- plugins/aws/sqs/queueUnprocessedMessages.js | 2 +- 
plugins/aws/sqs/sqsCrossAccount.js | 2 +- plugins/aws/sqs/sqsDeadLetterQueue.js | 2 +- plugins/aws/sqs/sqsEncrypted.js | 2 +- plugins/aws/sqs/sqsEncryptionEnabled.js | 2 +- plugins/aws/sqs/sqsPublicAccess.js | 2 +- plugins/aws/ssm/ssmActiveOnAllInstances.js | 2 +- plugins/aws/ssm/ssmAgentAutoUpdateEnabled.js | 2 +- plugins/aws/ssm/ssmAgentLatestVersion.js | 2 +- plugins/aws/ssm/ssmEncryptedParameters.js | 2 +- plugins/aws/ssm/ssmManagedInstances.js | 2 +- plugins/aws/timestreamwrite/timestreamDatabaseEncrypted.js | 2 +- plugins/aws/transfer/transferLoggingEnabled.js | 2 +- plugins/aws/transfer/transferPrivateLinkInUse.js | 2 +- 52 files changed, 52 insertions(+), 52 deletions(-) diff --git a/plugins/aws/s3/bucketAllUsersAcl.js b/plugins/aws/s3/bucketAllUsersAcl.js index b0a0173007..be8f63810e 100644 --- a/plugins/aws/s3/bucketAllUsersAcl.js +++ b/plugins/aws/s3/bucketAllUsersAcl.js @@ -28,7 +28,7 @@ module.exports = { remediate: ['s3:PutBucketAcl'], rollback: ['s3:PutBucketAcl'] }, - realtime_triggers: ['s3:PutBucketAcl', 's3:CreateBucket'], + realtime_triggers: ['s3:PutBucketAcl', 's3:CreateBucket', 's3:DeleteBucket'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/s3/bucketAllUsersPolicy.js b/plugins/aws/s3/bucketAllUsersPolicy.js index 57c7938990..3412e9bfcc 100644 --- a/plugins/aws/s3/bucketAllUsersPolicy.js +++ b/plugins/aws/s3/bucketAllUsersPolicy.js @@ -25,7 +25,7 @@ module.exports = { remediate: ['s3:DeleteBucketPolicy'], rollback: ['s3:PutBucketPolicy'] }, - realtime_triggers: ['s3:CreateBucket', 's3:PutBucketPolicy', 's3:DeleteBucketPolicy'], + realtime_triggers: ['s3:CreateBucket', 's3:PutBucketPolicy', 's3:DeleteBucketPolicy','s3:DeleteBucket'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/s3/bucketDnsCompliantName.js b/plugins/aws/s3/bucketDnsCompliantName.js index c4475abb71..29dd1f567d 100644 --- a/plugins/aws/s3/bucketDnsCompliantName.js 
+++ b/plugins/aws/s3/bucketDnsCompliantName.js
@@ -9,7 +9,7 @@ module.exports = {
 recommended_action: 'Recreate S3 bucket to use "-" instead of "." in S3 bucket names.',
 link: 'https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html',
 apis: ['S3:listBuckets', 'S3:getBucketLocation'],
- realtime_triggers: ['s3:CreateBucket'],
+ realtime_triggers: ['s3:CreateBucket', 's3:DeleteBucket'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/s3/bucketEncryption.js b/plugins/aws/s3/bucketEncryption.js
index d6de100aa3..887611ee9f 100644
--- a/plugins/aws/s3/bucketEncryption.js
+++ b/plugins/aws/s3/bucketEncryption.js
@@ -30,7 +30,7 @@ module.exports = {
 required: false
 }
 },
- realtime_triggers: ['s3:DeleteBucketEncryption', 's3:CreateBucket', 's3:putBucketEncryption'],
+ realtime_triggers: ['s3:DeleteBucketEncryption', 's3:CreateBucket', 's3:putBucketEncryption','s3:DeleteBucket'],
 settings: {
 s3_encryption_require_cmk: {
 name: 'S3 Encryption Require CMK',
diff --git a/plugins/aws/s3/bucketEncryptionInTransit.js b/plugins/aws/s3/bucketEncryptionInTransit.js
index 183fee1f73..c18eb0633c 100644
--- a/plugins/aws/s3/bucketEncryptionInTransit.js
+++ b/plugins/aws/s3/bucketEncryptionInTransit.js
@@ -38,7 +38,7 @@ module.exports = {
 remediate: ['s3:PutBucketPolicy'],
 rollback: ['s3:PutBucketPolicy ']
 },
- realtime_triggers: ['s3:putBucketPolicy', 's3:CreateBucket'],
+ realtime_triggers: ['s3:putBucketPolicy', 's3:CreateBucket','s3:DeleteBucket'],
 settings: {
 s3_allow_unencrypted_static_websites: {
 name: 'S3 Allow Unencrypted Static Websites',
diff --git a/plugins/aws/s3/bucketEnforceEncryption.js b/plugins/aws/s3/bucketEnforceEncryption.js
index d69e2db42b..8571d14eba 100644
--- a/plugins/aws/s3/bucketEnforceEncryption.js
+++ b/plugins/aws/s3/bucketEnforceEncryption.js
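Review bot: The new bucketEncryption line keeps `'s3:putBucketEncryption'` (lowercase p) beside the PascalCase `'s3:DeleteBucketEncryption'`; the S3 eventName is PutBucketEncryption, so if matching is exact this plugin never re-evaluates on the call that enables encryption or swaps the key, which is the event a security team most wants reflected promptly. While the line is being rewritten: `realtime_triggers: ['s3:DeleteBucketEncryption', 's3:CreateBucket', 's3:PutBucketEncryption', 's3:DeleteBucket'],`. Whether the matcher is case-insensitive is not visible from this diff. The rest of module.exports is outside the hunk.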
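Review bot: bucketEncryptionInTransit carries the same lowercase problem, `'s3:putBucketPolicy'`, on its new line, while the `remediate`/`rollback` entries two lines above spell it `PutBucketPolicy`; a policy rewrite that drops the aws:SecureTransport condition is exactly the change this check exists for, so a dead PutBucketPolicy trigger matters. Suggest `realtime_triggers: ['s3:PutBucketPolicy', 's3:CreateBucket', 's3:DeleteBucket'],`. The `settings` block continues outside the hunk.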
@@ -23,7 +23,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['s3:CreateBucket' , 's3:PutBucketPolicy','s3:DeleteBucketPolicy'],
+ realtime_triggers: ['s3:CreateBucket' , 's3:PutBucketPolicy','s3:DeleteBucketPolicy','s3:DeleteBucket'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/s3/bucketLifecycleConfiguration.js b/plugins/aws/s3/bucketLifecycleConfiguration.js
index 2a9a270bee..663f76c8e9 100644
--- a/plugins/aws/s3/bucketLifecycleConfiguration.js
+++ b/plugins/aws/s3/bucketLifecycleConfiguration.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Update S3 bucket and create lifecycle rule configuration',
 link: 'https://docs.aws.amazon.com/AmazonS3/latest/dev/how-to-set-lifecycle-configuration-intro.html',
 apis: ['S3:listBuckets', 'S3:getBucketLifecycleConfiguration', 'S3:getBucketLocation'],
- realtime_triggers: ['s3:CreateBucket', 's3:PutBucketLifeCycleConfiguration', 's3:DeleteBucketLifeCycle'],
+ realtime_triggers: ['s3:CreateBucket', 's3:PutBucketLifeCycleConfiguration', 's3:DeleteBucketLifeCycle','s3:DeleteBucket'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/s3/bucketLogging.js b/plugins/aws/s3/bucketLogging.js
index 1fe3aee722..11c6b61906 100644
--- a/plugins/aws/s3/bucketLogging.js
+++ b/plugins/aws/s3/bucketLogging.js
@@ -31,7 +31,7 @@ module.exports = {
 }
 ]
 },
- realtime_triggers: ['s3:CreateBucket','s3:PutBucketLogging'],
+ realtime_triggers: ['s3:CreateBucket','s3:PutBucketLogging','s3:DeleteBucket'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/s3/bucketMFADeleteEnabled.js b/plugins/aws/s3/bucketMFADeleteEnabled.js
index 25b78a7b6c..fd9500c5a9 100644
--- a/plugins/aws/s3/bucketMFADeleteEnabled.js
+++ b/plugins/aws/s3/bucketMFADeleteEnabled.js
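Review bot: On the new bucketLifecycleConfiguration line, `'s3:PutBucketLifeCycleConfiguration'` and `'s3:DeleteBucketLifeCycle'` do not match the S3 event names PutBucketLifecycleConfiguration and DeleteBucketLifecycle (lowercase c in "lifecycle"); if matching is exact, only CreateBucket and the newly added DeleteBucket will ever fire and rule changes or removals go unnoticed until the next full scan. Suggest `realtime_triggers: ['s3:CreateBucket', 's3:PutBucketLifecycleConfiguration', 's3:DeleteBucketLifecycle', 's3:DeleteBucket'],`. The run body is outside the hunk.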
@@ -22,7 +22,7 @@ module.exports = {
 default: '',
 }
 },
- realtime_triggers: ['s3:CreateBucket', 's3:PutBucketVersionning'],
+ realtime_triggers: ['s3:CreateBucket', 's3:PutBucketVersionning','s3:DeleteBucket'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/s3/bucketPolicyCloudFrontOac.js b/plugins/aws/s3/bucketPolicyCloudFrontOac.js
index 986d242797..6e5d1cbb86 100644
--- a/plugins/aws/s3/bucketPolicyCloudFrontOac.js
+++ b/plugins/aws/s3/bucketPolicyCloudFrontOac.js
@@ -16,7 +16,7 @@ module.exports = {
 'If an S3 bucket backing a CloudFront distribution does not require the end ' +
 'user to access the contents through CloudFront, this policy may be violated.'
 },
- realtime_triggers: ['s3:CreateBucket', 's3:PutBucketPolicy', 's3:DeleteBucketPolicy'],
+ realtime_triggers: ['s3:CreateBucket', 's3:PutBucketPolicy', 's3:DeleteBucketPolicy','s3:DeleteBucket'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/s3/bucketPolicyCloudFrontOai.js b/plugins/aws/s3/bucketPolicyCloudFrontOai.js
index abe523560e..24f641f907 100644
--- a/plugins/aws/s3/bucketPolicyCloudFrontOai.js
+++ b/plugins/aws/s3/bucketPolicyCloudFrontOai.js
@@ -16,7 +16,7 @@ module.exports = {
 'If an S3 bucket backing a CloudFront distribution does not require the end ' +
 'user to access the contents through CloudFront, this policy may be violated.'
 },
- realtime_triggers: ['s3:CreateBucket', 's3:PutBucketPolicy', 's3:DeleteBucketPolicy'],
+ realtime_triggers: ['s3:CreateBucket', 's3:PutBucketPolicy', 's3:DeleteBucketPolicy','s3:DeleteBucket'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/s3/bucketPublicAccessBlock.js b/plugins/aws/s3/bucketPublicAccessBlock.js
index a166fe65f0..30747e1e87 100644
--- a/plugins/aws/s3/bucketPublicAccessBlock.js
+++ b/plugins/aws/s3/bucketPublicAccessBlock.js
@@ -23,7 +23,7 @@ module.exports = {
 default: 'false'
 }
 },
- realtime_triggers: ['s3:CreateBucket', 's3:PutPublicAccessBlock'],
+ realtime_triggers: ['s3:CreateBucket', 's3:PutPublicAccessBlock','s3:DeleteBucket'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/s3/bucketSecureTransportEnabled.js b/plugins/aws/s3/bucketSecureTransportEnabled.js
index 18c83eb619..0833acca5b 100644
--- a/plugins/aws/s3/bucketSecureTransportEnabled.js
+++ b/plugins/aws/s3/bucketSecureTransportEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Update S3 bucket policy to enforse SSL to secure data in transit.',
 link: 'https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/',
 apis: ['S3:listBuckets', 'S3:getBucketPolicy', 'S3:getBucketLocation'],
- realtime_triggers: ['s3:CreateBucket', 's3:PutBucketPolicy', 's3:DeleteBucketPolicy'],
+ realtime_triggers: ['s3:CreateBucket', 's3:PutBucketPolicy', 's3:DeleteBucketPolicy','s3:DeleteBucket'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/s3/bucketTransferAcceleration.js b/plugins/aws/s3/bucketTransferAcceleration.js
index d04ee027df..ca2042db30 100644
--- a/plugins/aws/s3/bucketTransferAcceleration.js
+++ b/plugins/aws/s3/bucketTransferAcceleration.js
@@ -9,7 +9,7 @@ module.exports = {
 recommended_action: 'Modify S3 bucket to enable transfer acceleration.',
 link: 'https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html',
 apis: ['S3:listBuckets', 'S3:getBucketAccelerateConfiguration', 'S3:getBucketLocation'],
- realtime_triggers: ['s3:CreateBucket', 's3:PutBucketAccelerateConfiguration'],
+ realtime_triggers: ['s3:CreateBucket', 's3:PutBucketAccelerateConfiguration','s3:DeleteBucket'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/s3/bucketVersioning.js b/plugins/aws/s3/bucketVersioning.js
index baa8f9b0ba..7a229ee8cd 100644
--- a/plugins/aws/s3/bucketVersioning.js
+++ b/plugins/aws/s3/bucketVersioning.js
@@ -23,7 +23,7 @@ module.exports = {
 remediate: ['s3:PutBucketVersioning'],
 rollback: ['s3:PutBucketVersioning']
 },
- realtime_triggers: ['s3:CreateBucket', 's3:PutBucketVersioning'],
+ realtime_triggers: ['s3:CreateBucket', 's3:PutBucketVersioning','s3:DeleteBucket'],
 asl: {
 conditions: [
 {
diff --git a/plugins/aws/s3/bucketWebsiteEnabled.js b/plugins/aws/s3/bucketWebsiteEnabled.js
index cc808137dd..0e05b84558 100644
--- a/plugins/aws/s3/bucketWebsiteEnabled.js
+++ b/plugins/aws/s3/bucketWebsiteEnabled.js
@@ -17,7 +17,7 @@ module.exports = {
 default: 'false'
 }
 },
- realtime_triggers: ['s3:CreateBucket', 's3:PutBucketWebsite', 's3:DeleteBucketWebsite'],
+ realtime_triggers: ['s3:CreateBucket', 's3:PutBucketWebsite', 's3:DeleteBucketWebsite','s3:DeleteBucket'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/s3/objectLevelReadEventLogging.js b/plugins/aws/s3/objectLevelReadEventLogging.js
index 07f5903a87..3376238cf0 100644
--- a/plugins/aws/s3/objectLevelReadEventLogging.js
+++ b/plugins/aws/s3/objectLevelReadEventLogging.js
@@ -9,7 +9,7 @@ module.exports = {
 recommended_action: 'Enable object level logging for read events for each S3 bucket.',
 link: 'https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html#enable-cloudtrail-events',
 apis: ['S3:listBuckets', 'CloudTrail:describeTrails', 'CloudTrail:getEventSelectors', 'S3:getBucketLocation'],
- realtime_triggers: ['s3:CreateBucket', 'cloudtrail:CreateTrail', 'cloudtrail:PutEventSelectors', 'cloudtrail:PutInsightSelectors'],
+ realtime_triggers: ['s3:CreateBucket', 'cloudtrail:CreateTrail', 'cloudtrail:PutEventSelectors', 'cloudtrail:PutInsightSelectors','s3:DeleteBucket', 'cloudtrail:DeleteTrail'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/s3/objectLevelWriteEventLogging.js b/plugins/aws/s3/objectLevelWriteEventLogging.js
index 8da32a9a8f..10dad0bb2b 100644
--- a/plugins/aws/s3/objectLevelWriteEventLogging.js
+++ b/plugins/aws/s3/objectLevelWriteEventLogging.js
@@ -9,7 +9,7 @@ module.exports = {
 recommended_action: 'Enable object level logging for Write events for each S3 bucket.',
 link: 'https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html#enable-cloudtrail-events.',
 apis: ['S3:listBuckets', 'CloudTrail:describeTrails', 'CloudTrail:getEventSelectors', 'S3:getBucketLocation'],
- realtime_triggers: ['s3:CreateBucket', 'cloudtrail:CreateTrail', 'cloudtrail:PutEventSelectors', 'cloudtrail:PutInsightSelectors'],
+ realtime_triggers: ['s3:CreateBucket', 'cloudtrail:CreateTrail', 'cloudtrail:PutEventSelectors', 'cloudtrail:PutInsightSelectors','s3:DeleteBucket', 'cloudtrail:DeleteTrail'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/s3/s3BucketHasTags.js b/plugins/aws/s3/s3BucketHasTags.js
index b14f02bbdd..fa2977aa60 100644
--- a/plugins/aws/s3/s3BucketHasTags.js
+++ b/plugins/aws/s3/s3BucketHasTags.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Modify S3 buckets and add tags.',
 link: 'https://docs.aws.amazon.com/AmazonS3/latest/userguide/CostAllocTagging.html',
 apis: ['S3:listBuckets', 'ResourceGroupsTaggingAPI:getResources', 'S3:getBucketLocation'],
- realtime_triggers: ['s3:CreateBucket', 's3:PutBucketTagging'],
+ realtime_triggers: ['s3:CreateBucket', 's3:PutBucketTagging','s3:DeleteBucket'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/s3/s3Encryption.js b/plugins/aws/s3/s3Encryption.js
index 98fa92069f..f3231b705a 100644
--- a/plugins/aws/s3/s3Encryption.js
+++ b/plugins/aws/s3/s3Encryption.js
@@ -70,7 +70,7 @@ module.exports = {
 default: 'false',
 }
 },
- realtime_triggers: ['s3:CreateBucket', 's3:putBucketEncryption'],
+ realtime_triggers: ['s3:CreateBucket', 's3:putBucketEncryption','s3:DeleteBucket'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/s3/versionedBucketsLC.js b/plugins/aws/s3/versionedBucketsLC.js
index 4d07a113cd..a988a3eb12 100644
--- a/plugins/aws/s3/versionedBucketsLC.js
+++ b/plugins/aws/s3/versionedBucketsLC.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Configure lifecycle rules for buckets which have versioning enabled',
 link: 'https://docs.aws.amazon.com/AmazonS3/latest/dev/how-to-set-lifecycle-configuration-intro.html',
 apis: ['S3:listBuckets', 'S3:getBucketVersioning', 'S3:getBucketLocation', 'S3:getBucketLifecycleConfiguration'],
- realtime_triggers: ['s3:CreateBucket', 's3:PutBucketVersioninng', 's3:putBucketLifecycleConfiguration'],
+ realtime_triggers: ['s3:CreateBucket', 's3:PutBucketVersioninng', 's3:putBucketLifecycleConfiguration','s3:DeleteBucket'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/s3glacier/vaultPublicAccess.js b/plugins/aws/s3glacier/vaultPublicAccess.js
index 6f3ca4dd6f..31511ac623 100644
--- a/plugins/aws/s3glacier/vaultPublicAccess.js
+++ b/plugins/aws/s3glacier/vaultPublicAccess.js
@@ -17,7 +17,7 @@ module.exports = {
 default: 'aws:PrincipalArn,aws:PrincipalAccount,aws:PrincipalOrgID,aws:SourceOwner,aws:SourceArn,aws:SourceAccount'
 }
 },
- realtime_triggers: ['glacier:CreateVault', 'glacier:SetVaultAccessPolicy'],
+ realtime_triggers: ['glacier:CreateVault', 'glacier:SetVaultAccessPolicy', 'glacier:DeleteVault'],
 run: function(cache, settings, callback) {
 const results = [];
diff --git a/plugins/aws/sagemaker/notebookDataEncrypted.js b/plugins/aws/sagemaker/notebookDataEncrypted.js
index 2340188773..f0f167c0c8 100644
--- a/plugins/aws/sagemaker/notebookDataEncrypted.js
+++ b/plugins/aws/sagemaker/notebookDataEncrypted.js
@@ -15,7 +15,7 @@ module.exports = {
 'data at rest. SageMaker encryption ensures Notebook data is ' +
 'encrypted at rest.'
 },
- realtime_triggers: ['sagemaker:CreateNotebookInstance'],
+ realtime_triggers: ['sagemaker:CreateNotebookInstance', 'sagemaker:DeleteNotebookInstance'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/sagemaker/notebookDirectInternetAccess.js b/plugins/aws/sagemaker/notebookDirectInternetAccess.js
index 3cdcdbc177..a0a9b578a3 100644
--- a/plugins/aws/sagemaker/notebookDirectInternetAccess.js
+++ b/plugins/aws/sagemaker/notebookDirectInternetAccess.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Disable DirectInternetAccess for each SageMaker notebook.',
 link: 'https://docs.aws.amazon.com/sagemaker/latest/dg/appendix-additional-considerations.html#appendix-notebook-and-internet-access',
 apis: ['SageMaker:listNotebookInstances'],
- realtime_triggers: ['sagemaker:CreateNotebookInstance', 'sagemaker:UpdateNootbookInstance'],
+ realtime_triggers: ['sagemaker:CreateNotebookInstance', 'sagemaker:UpdateNootbookInstance','sagemaker:DeleteNotebookInstance'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/sagemaker/notebookInstanceInVpc.js b/plugins/aws/sagemaker/notebookInstanceInVpc.js
index 971ff854f5..8f70e4da14 100644
--- a/plugins/aws/sagemaker/notebookInstanceInVpc.js
+++ b/plugins/aws/sagemaker/notebookInstanceInVpc.js
@@ -18,7 +18,7 @@ module.exports = {
 'segmentation criteria for PCI. Ensure all instances are launched ' +
 'within a VPC to comply with isolation requirements.'
 },
- realtime_triggers: ['sagemaker:CreateNotebookInstance'],
+ realtime_triggers: ['sagemaker:CreateNotebookInstance','sagemaker:DeleteNotebookInstance'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/secretsmanager/secretHasTags.js b/plugins/aws/secretsmanager/secretHasTags.js
index ff914f1bdf..eca1bd03c2 100644
--- a/plugins/aws/secretsmanager/secretHasTags.js
+++ b/plugins/aws/secretsmanager/secretHasTags.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Update Secrets and add tags.',
 apis: ['SecretsManager:listSecrets'],
 link: 'https://docs.aws.amazon.com/secretsmanager/latest/userguide/managing-secrets_tagging.html',
- realtime_triggers: ['secretesmanager:CreateSecret', 'secretesmanager:TagResource', 'secretesmanager:UntagResource'],
+ realtime_triggers: ['secretesmanager:CreateSecret', 'secretesmanager:TagResource', 'secretesmanager:UntagResource', 'secretesmanager:DeleteSecret'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/secretsmanager/secretRotationEnabled.js b/plugins/aws/secretsmanager/secretRotationEnabled.js
index 828e97115a..993aeb7f14 100644
--- a/plugins/aws/secretsmanager/secretRotationEnabled.js
+++ b/plugins/aws/secretsmanager/secretRotationEnabled.js
@@ -18,7 +18,7 @@ module.exports = {
 default: '40',
 }
 },
- realtime_triggers: ['secretesmanager:CreateSecret', 'secretesmanager:RotateSecret', 'secretsmanager:CancelRotateSecret'],
+ realtime_triggers: ['secretesmanager:CreateSecret', 'secretesmanager:RotateSecret', 'secretsmanager:CancelRotateSecret','secretesmanager:DeleteSecret'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/secretsmanager/secretsManagerEncrypted.js b/plugins/aws/secretsmanager/secretsManagerEncrypted.js
index eef7a25112..5bdbd88928 100644
--- a/plugins/aws/secretsmanager/secretsManagerEncrypted.js
+++ b/plugins/aws/secretsmanager/secretsManagerEncrypted.js
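Review bot: The newly added `secretesmanager:DeleteSecret` in secretHasTags, secretRotationEnabled and (in the next hunk) secretsManagerEncrypted propagates the misspelled service prefix `secretesmanager` into a new entry, even though the secretRotationEnabled array already contains the correctly spelled `secretsmanager:CancelRotateSecret` right beside it. Presumably only one of the two prefixes can match the real event source, so either the old entries or the new one are dead, and a secret's deletion, rotation change or re-encryption would then not re-trigger the check. Suggest `'secretsmanager:DeleteSecret'` for the new entry and, since the lines are being rewritten anyway, the same prefix for the existing ones.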
@@ -28,7 +28,7 @@ module.exports = {
 default: 'awskms',
 }
 },
- realtime_triggers: ['secretesmanager:CreateSecret', 'secretesmanager:UpdateSecret'],
+ realtime_triggers: ['secretesmanager:CreateSecret', 'secretesmanager:UpdateSecret','secretesmanager:DeleteSecret'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ses/dkimEnabled.js b/plugins/aws/ses/dkimEnabled.js
index 2cc2b0aaf9..ee1696f8df 100644
--- a/plugins/aws/ses/dkimEnabled.js
+++ b/plugins/aws/ses/dkimEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Enable DKIM for all domains and addresses in all regions used to send email through SES.',
 link: 'http://docs.aws.amazon.com/ses/latest/DeveloperGuide/easy-dkim.html',
 apis: ['SES:listIdentities', 'SES:getIdentityDkimAttributes', 'STS:getCallerIdentity'],
- realtime_triggers: ['ses:CreateEmailIdentity','ses:SetIdentityDkimEnabled', 'ses:PutEmailIdentityDkimAttributes'],
+ realtime_triggers: ['ses:CreateEmailIdentity','ses:SetIdentityDkimEnabled', 'ses:PutEmailIdentityDkimAttributes', 'ses:DeleteEmailIdentity'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ses/emailMessagesEncrypted.js b/plugins/aws/ses/emailMessagesEncrypted.js
index 3bf029a21c..a7f322bd4f 100644
--- a/plugins/aws/ses/emailMessagesEncrypted.js
+++ b/plugins/aws/ses/emailMessagesEncrypted.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 'awscmk'
 }
 },
- realtime_triggers: ['ses:CreateEmailIdentity','ses:SetActiveReceiptRuleSet'],
+ realtime_triggers: ['ses:CreateEmailIdentity','ses:SetActiveReceiptRuleSet','ses:DeleteEmailIdentity'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/shield/shieldAdvancedEnabled.js b/plugins/aws/shield/shieldAdvancedEnabled.js
index da607a6607..9a15496392 100644
--- a/plugins/aws/shield/shieldAdvancedEnabled.js
+++ b/plugins/aws/shield/shieldAdvancedEnabled.js
@@ -9,7 +9,7 @@ module.exports = {
 recommended_action: 'Enable AWS Shield Advanced for the account.',
 link: 'https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html#ddos-advanced',
 apis: ['Shield:describeSubscription'],
- realtime_triggers: ['shield:CreateSubscription', 'sheild:UpdateSubscription'],
+ realtime_triggers: ['shield:CreateSubscription', 'sheild:UpdateSubscription', 'shield:DeleteSubscription'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/shield/shieldEmergencyContacts.js b/plugins/aws/shield/shieldEmergencyContacts.js
index 216bb66b7b..ebac06be83 100644
--- a/plugins/aws/shield/shieldEmergencyContacts.js
+++ b/plugins/aws/shield/shieldEmergencyContacts.js
@@ -9,7 +9,7 @@ module.exports = {
 recommended_action: 'Configure emergency contacts within AWS Shield for the account.',
 link: 'https://docs.aws.amazon.com/waf/latest/developerguide/ddos-edit-drt.html',
 apis: ['Shield:describeEmergencyContactSettings'],
- realtime_triggers: ['shield:CreateSubscription','shield:UpdateEmergencyContactSettings'],
+ realtime_triggers: ['shield:CreateSubscription','shield:UpdateEmergencyContactSettings','shield:DeleteSubscription'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/sns/snsCrossAccount.js b/plugins/aws/sns/snsCrossAccount.js
index 16d1e9c700..c3313cf8d5 100644
--- a/plugins/aws/sns/snsCrossAccount.js
+++ b/plugins/aws/sns/snsCrossAccount.js
@@ -30,7 +30,7 @@ module.exports = {
 default: 'aws:PrincipalArn,aws:PrincipalAccount,aws:PrincipalOrgID,aws:SourceAccount,aws:SourceArn,aws:SourceOwner,sns:Endpoint'
 },
 },
- realtime_triggers: ['sns:CreateTopic', 'sns:SetTopicAttributes'],
+ realtime_triggers: ['sns:CreateTopic', 'sns:SetTopicAttributes', 'sns:DeleteTopic'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/sns/snsTopicHasTags.js b/plugins/aws/sns/snsTopicHasTags.js
index 7abc1b5850..07aa20db91 100644
--- a/plugins/aws/sns/snsTopicHasTags.js
+++ b/plugins/aws/sns/snsTopicHasTags.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Modify SNS topic and add tags.',
 link: 'https://docs.aws.amazon.com/sns/latest/dg/sns-tags.html',
 apis: ['SNS:listTopics', 'ResourceGroupsTaggingAPI:getResources'],
- realtime_triggers: ['sns:CreateTopic', 'sns:TagResource', 'sns:UntagResource'],
+ realtime_triggers: ['sns:CreateTopic', 'sns:TagResource', 'sns:UntagResource','sns:DeleteTopic'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/sns/snsTopicNoHttpPolicy.js b/plugins/aws/sns/snsTopicNoHttpPolicy.js
index 13f9ce1640..69b81f1518 100644
--- a/plugins/aws/sns/snsTopicNoHttpPolicy.js
+++ b/plugins/aws/sns/snsTopicNoHttpPolicy.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Adjust the topic policy to only allow authorized AWS users in known accounts to send or subscribe via the HTTP protocol.',
 link: 'http://docs.aws.amazon.com/sns/latest/dg/AccessPolicyLanguage.html',
 apis: ['SNS:listTopics', 'SNS:getTopicAttributes'],
- realtime_triggers: ['sns:CreateTopic', 'sns:SetTopicAttributes'],
+ realtime_triggers: ['sns:CreateTopic', 'sns:SetTopicAttributes','sns:DeleteTopic'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/sns/topicCmkEncrypted.js b/plugins/aws/sns/topicCmkEncrypted.js
index 8c2f2524e9..e655af8910 100644
--- a/plugins/aws/sns/topicCmkEncrypted.js
+++ b/plugins/aws/sns/topicCmkEncrypted.js
@@ -11,7 +11,7 @@ module.exports = {
 recommended_action: 'Update SNS topics to use Customer Master Keys (CMKs) for Server-Side Encryption.',
 link: 'https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html',
 apis: ['SNS:listTopics', 'SNS:getTopicAttributes'],
- realtime_triggers: ['sns:CreateTopic', 'sns:SetTopicAttributes'],
+ realtime_triggers: ['sns:CreateTopic', 'sns:SetTopicAttributes','sns:DeleteTopic'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/sns/topicEncrypted.js b/plugins/aws/sns/topicEncrypted.js
index ee7f89c083..aa915a703e 100644
--- a/plugins/aws/sns/topicEncrypted.js
+++ b/plugins/aws/sns/topicEncrypted.js
@@ -29,7 +29,7 @@ module.exports = {
 remediate: ['sns:SetTopicAttributes'],
 rollback: ['sns:SetTopicAttributes']
 },
- realtime_triggers: ['sns:CreateTopic', 'sns:SetTopicAttributes'],
+ realtime_triggers: ['sns:CreateTopic', 'sns:SetTopicAttributes', 'sns:DeleteTopic'],
 asl: {
 conditions: [
 {
diff --git a/plugins/aws/sns/topicPolicies.js b/plugins/aws/sns/topicPolicies.js
index c3f8c38a66..a3bc980700 100644
--- a/plugins/aws/sns/topicPolicies.js
+++ b/plugins/aws/sns/topicPolicies.js
@@ -22,7 +22,7 @@ module.exports = {
 default: 'aws:PrincipalArn,aws:PrincipalAccount,aws:PrincipalOrgID,aws:SourceOwner,aws:SourceArn,aws:SourceAccount,sns:Endpoint'
 }
 },
- realtime_triggers: ['sns:CreateTopic', 'sns:SetTopicAttributes'],
+ realtime_triggers: ['sns:CreateTopic', 'sns:SetTopicAttributes','sns:DeleteTopic'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/sqs/queueUnprocessedMessages.js b/plugins/aws/sqs/queueUnprocessedMessages.js
index b6bb2217e8..19a3858ac0 100644
--- a/plugins/aws/sqs/queueUnprocessedMessages.js
+++ b/plugins/aws/sqs/queueUnprocessedMessages.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 1000
 }
 },
- realtime_triggers: ['sqs:CreateQueue', 'sqs:SetQueueAttributes'],
+ realtime_triggers: ['sqs:CreateQueue', 'sqs:SetQueueAttributes', 'sqs:DeleteQueue'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/sqs/sqsCrossAccount.js b/plugins/aws/sqs/sqsCrossAccount.js
index 2e54d659e3..57b41ca79f 100644
--- a/plugins/aws/sqs/sqsCrossAccount.js
+++ b/plugins/aws/sqs/sqsCrossAccount.js
@@ -35,7 +35,7 @@ module.exports = {
 default: 'aws:PrincipalArn,aws:PrincipalAccount,aws:PrincipalOrgID,aws:SourceAccount,aws:SourceArn,aws:SourceOwner'
 },
 },
- realtime_triggers: ['sqs:CreateQueue', 'sqs:SetQueueAttributes'],
+ realtime_triggers: ['sqs:CreateQueue', 'sqs:SetQueueAttributes','sqs:DeleteQueue'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/sqs/sqsDeadLetterQueue.js b/plugins/aws/sqs/sqsDeadLetterQueue.js
index 5d00815516..e95881e98a 100644
--- a/plugins/aws/sqs/sqsDeadLetterQueue.js
+++ b/plugins/aws/sqs/sqsDeadLetterQueue.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Update Amazon SQS queue and configure dead letter queue.',
 link: 'https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-dead-letter-queues.html',
 apis: ['SQS:listQueues', 'SQS:getQueueAttributes', 'STS:getCallerIdentity'],
- realtime_triggers: ['sqs:CreateQueue', 'sqs:SetQueueAttributes'],
+ realtime_triggers: ['sqs:CreateQueue', 'sqs:SetQueueAttributes', 'sqs:DeleteQueue'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/sqs/sqsEncrypted.js b/plugins/aws/sqs/sqsEncrypted.js
index 42e12b7e47..95678e16f9 100644
--- a/plugins/aws/sqs/sqsEncrypted.js
+++ b/plugins/aws/sqs/sqsEncrypted.js
@@ -39,7 +39,7 @@ module.exports = {
 remediate: ['sqs:SetQueueAttributes'],
 rollback: ['sqs:SetQueueAttributes']
 },
- realtime_triggers: ['sqs:CreateQueue', 'sqs:SetQueueAttributes'],
+ realtime_triggers: ['sqs:CreateQueue', 'sqs:SetQueueAttributes', 'sqs:DeleteQueue'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/sqs/sqsEncryptionEnabled.js b/plugins/aws/sqs/sqsEncryptionEnabled.js
index b8bab2a499..edebab2bd3 100644
--- a/plugins/aws/sqs/sqsEncryptionEnabled.js
+++ b/plugins/aws/sqs/sqsEncryptionEnabled.js
@@ -20,7 +20,7 @@ module.exports = {
 default: 'awscmk'
 }
 },
- realtime_triggers: ['sqs:CreateQueue', 'sqs:SetQueueAttributes'],
+ realtime_triggers: ['sqs:CreateQueue', 'sqs:SetQueueAttributes', 'sqs:DeleteQueue'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/sqs/sqsPublicAccess.js b/plugins/aws/sqs/sqsPublicAccess.js
index 96667ca304..29e3d3a9ff 100644
--- a/plugins/aws/sqs/sqsPublicAccess.js
+++ b/plugins/aws/sqs/sqsPublicAccess.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 'aws:PrincipalArn,aws:PrincipalAccount,aws:PrincipalOrgID,aws:SourceAccount,aws:SourceArn,aws:SourceOwner'
 },
 },
- realtime_triggers: ['sqs:CreateQueue', 'sqs:AddPermission', 'sqs:RemovePermission'],
+ realtime_triggers: ['sqs:CreateQueue', 'sqs:AddPermission', 'sqs:RemovePermission', 'sqs:DeleteQueue'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ssm/ssmActiveOnAllInstances.js b/plugins/aws/ssm/ssmActiveOnAllInstances.js
index 6f5026438b..44247dbb35 100644
--- a/plugins/aws/ssm/ssmActiveOnAllInstances.js
+++ b/plugins/aws/ssm/ssmActiveOnAllInstances.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 20
 }
 },
- realtime_triggers: ['ec2:RunInstance', 'ssm:CreateAssociation', 'ssm:UpdateAssociation'],
+ realtime_triggers: ['ec2:RunInstance', 'ssm:CreateAssociation', 'ssm:UpdateAssociation', 'ec2:TerminateInstance', 'ssm:DeleteAssociation'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ssm/ssmAgentAutoUpdateEnabled.js b/plugins/aws/ssm/ssmAgentAutoUpdateEnabled.js
index 2f8b12dad6..5b5c529708 100644
--- a/plugins/aws/ssm/ssmAgentAutoUpdateEnabled.js
+++ b/plugins/aws/ssm/ssmAgentAutoUpdateEnabled.js
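Review bot: The new trigger `ec2:TerminateInstance` in ssmActiveOnAllInstances, and `ec2:TerminateInsatance` in ssmManagedInstances two hunks down, do not match the EC2 action name, which is the plural `TerminateInstances`; the pre-existing `ec2:RunInstance` on both lines has the same singular/plural problem. The next commit in this series corrects exactly this in appTierInstanceIamRole and classicInstances, using `ec2:RunInstances` and `ec2:TerminateInstances`, so these two lines should take the same form or an instance termination will never re-run the SSM coverage checks and a terminated instance keeps its last result. Suggest `'ec2:RunInstances', ..., 'ec2:TerminateInstances'` on both lines.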
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-automatic-updates.html',
 recommended_action: 'Update the SSM agent configuration for all managed instances to use automatic updates.',
 apis: ['SSM:describeInstanceInformation', 'SSM:listAssociations', 'STS:getCallerIdentity'],
- realtime_triggers: ['ssm:CreateAssoication', 'ssm:UpdateAssociation'],
+ realtime_triggers: ['ssm:CreateAssoication', 'ssm:UpdateAssociation', 'ssm:DeleteAssociation'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ssm/ssmAgentLatestVersion.js b/plugins/aws/ssm/ssmAgentLatestVersion.js
index 93db03b9ab..42df64e546 100644
--- a/plugins/aws/ssm/ssmAgentLatestVersion.js
+++ b/plugins/aws/ssm/ssmAgentLatestVersion.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-automatic-updates.html',
 recommended_action: 'Update the SSM agent on all Linux hosts to the latest version.',
 apis: ['SSM:describeInstanceInformation', 'STS:getCallerIdentity'],
- realtime_triggers: ['ssm:CreateAssociation', 'ssm:UpdateAssociation'],
+ realtime_triggers: ['ssm:CreateAssociation', 'ssm:UpdateAssociation', 'ssm:DeleteAssociation'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ssm/ssmEncryptedParameters.js b/plugins/aws/ssm/ssmEncryptedParameters.js
index 64b7f75058..a75477bc33 100644
--- a/plugins/aws/ssm/ssmEncryptedParameters.js
+++ b/plugins/aws/ssm/ssmEncryptedParameters.js
@@ -34,7 +34,7 @@ module.exports = {
 default: 'false'
 }
 },
- realtime_triggers: ['ssm:PutParameter'],
+ realtime_triggers: ['ssm:PutParameter', 'ssm:DeleteParameter'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ssm/ssmManagedInstances.js b/plugins/aws/ssm/ssmManagedInstances.js
index e22bdfc2ab..da3c775464 100644
--- a/plugins/aws/ssm/ssmManagedInstances.js
+++ b/plugins/aws/ssm/ssmManagedInstances.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Configure AWS EC2 instance as SSM Managed Instances',
 link: 'https://docs.aws.amazon.com/systems-manager/latest/userguide/managed_instances.html',
 apis: ['EC2:describeInstances', 'SSM:describeInstanceInformation', 'STS:getCallerIdentity'],
- realtime_triggers: ['ssm:CreateAssociation', 'ec2:RunInstance', 'ec2:AssociateIamInstanceProfile'],
+ realtime_triggers: ['ssm:CreateAssociation', 'ec2:RunInstance', 'ec2:AssociateIamInstanceProfile', 'ec2:TerminateInsatance', 'ssm:DeleteAssociation'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/timestreamwrite/timestreamDatabaseEncrypted.js b/plugins/aws/timestreamwrite/timestreamDatabaseEncrypted.js
index 9b94381cd3..8868d2abfe 100644
--- a/plugins/aws/timestreamwrite/timestreamDatabaseEncrypted.js
+++ b/plugins/aws/timestreamwrite/timestreamDatabaseEncrypted.js
@@ -20,7 +20,7 @@ module.exports = {
 default: 'awscmk'
 }
 },
- realtime_triggers: ['timestreamwrite:CreateDatabase', 'timestreamwrite:UpdateDatabase'],
+ realtime_triggers: ['timestreamwrite:CreateDatabase', 'timestreamwrite:UpdateDatabase', 'timestreamwrite:DeleteDatabase'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/transfer/transferLoggingEnabled.js b/plugins/aws/transfer/transferLoggingEnabled.js
index dd9928f41a..ed2eb74f5d 100644
--- a/plugins/aws/transfer/transferLoggingEnabled.js
+++ b/plugins/aws/transfer/transferLoggingEnabled.js
@@ -14,7 +14,7 @@ module.exports = {
 hipaa: 'HIPAA requires that all data access is audited via proper logging configurations.',
 pci: 'PCI requires that all account access activity be logged.'
 },
- realtime_triggers: ['transfer:CreateServer', 'transfer:UpdateServer'],
+ realtime_triggers: ['transfer:CreateServer', 'transfer:UpdateServer', 'transfer:DeleteServer'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/transfer/transferPrivateLinkInUse.js b/plugins/aws/transfer/transferPrivateLinkInUse.js
index 35410dbc73..80ea702c27 100644
--- a/plugins/aws/transfer/transferPrivateLinkInUse.js
+++ b/plugins/aws/transfer/transferPrivateLinkInUse.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/transfer/latest/userguide/update-endpoint-type-vpc.html',
 recommended_action: 'Configure the SFTP server endpoints to use endpoints powered by PrivateLink.',
 apis: ['Transfer:listServers'],
- realtime_triggers: ['transfer:CreateServer', 'trannsfer:UpdateServer'],
+ realtime_triggers: ['transfer:CreateServer', 'trannsfer:UpdateServer', 'transfer:DeleteServer'],
 run: function(cache, settings, callback) {
 var results = [];
From f81cd8d609b8fc42a67c73e2de0d24b643ecf4f3 Mon Sep 17 00:00:00 2001
From: --global
Date: Thu, 21 Sep 2023 21:59:25 +0500
Subject: [PATCH 031/498] added delete tiggers
---
plugins/aws/ec2/allowedCustomPorts.js | 2 +-
plugins/aws/ec2/amiHasTags.js | 2 +-
plugins/aws/ec2/appTierInstanceIamRole.js | 2 +-
plugins/aws/ec2/classicInstances.js | 2 +-
plugins/aws/ec2/crossVpcPublicPrivate.js | 2 +-
plugins/aws/ec2/defaultSecurityGroup.js | 2 +-
plugins/aws/ec2/defaultSecurityGroupInUse.js | 2 +-
plugins/aws/ec2/defaultVpcExists.js | 2 +-
plugins/aws/ec2/defaultVpcInUse.js | 2 +-
plugins/aws/ec2/ebsBackupEnabled.js | 2 +-
plugins/aws/ec2/ebsDefaultEncryptionEnabled.js | 2 +-
plugins/aws/ec2/ebsEncryptionEnabled.js | 2 +-
plugins/aws/ec2/ebsRecentSnapshots.js | 2 +-
plugins/aws/ec2/ebsSnapshotHasTags.js | 2 +-
plugins/aws/ec2/ebsSnapshotLifecycle.js | 2 +-
plugins/aws/ec2/ebsSnapshotPublic.js | 2 +-
plugins/aws/ec2/ebsVolumeHasTags.js | 2 +-
plugins/aws/ec2/ec2HasTags.js | 2 +-
plugins/aws/ec2/ec2MetadataOptions.js | 2 +-
plugins/aws/ec2/enableDetailedMonitoring.js | 2 +-
plugins/aws/ec2/encryptedAmi.js | 2 +-
plugins/aws/ec2/flowLogsEnabled.js | 2 +-
plugins/aws/ec2/instanceIamRole.js | 2 +-
plugins/aws/ec2/instanceKeyBasedLogin.js | 2 +-
plugins/aws/ec2/instanceLimit.js | 2 +-
plugins/aws/ec2/instanceMaxCount.js | 2 +-
plugins/aws/ec2/instanceVcpusLimit.js | 2 +-
plugins/aws/ec2/internetGatewayInVpc.js | 2 +-
plugins/aws/ec2/managedNatGateway.js | 2 +-
plugins/aws/ec2/natMultiAz.js | 2 +-
plugins/aws/ec2/networkAclHasTags.js | 2 +-
plugins/aws/ec2/networkAclInboundTraffic.js | 2 +-
plugins/aws/ec2/networkAclOutboundTraffic.js | 2 +-
plugins/aws/ec2/openAllPortsProtocols.js | 2 +-
plugins/aws/ec2/openAllPortsProtocolsEgress.js | 2 +-
plugins/aws/ec2/openCIFS.js | 2 +-
plugins/aws/ec2/openCassandraClient.js | 2 +-
plugins/aws/ec2/openCassandraInternode.js | 2 +-
plugins/aws/ec2/openCassandraMonitoring.js | 2 +-
plugins/aws/ec2/openCassandraThrift.js | 2 +-
plugins/aws/ec2/openCustomPorts.js | 2 +-
plugins/aws/ec2/openDNS.js | 2 +-
plugins/aws/ec2/openDocker.js | 2 +-
plugins/aws/ec2/openElasticsearch.js | 2 +-
plugins/aws/ec2/openFTP.js | 2 +-
plugins/aws/ec2/openHTTP.js | 2 +-
plugins/aws/ec2/openHTTPS.js | 2 +-
plugins/aws/ec2/openHadoopNameNode.js | 2 +-
plugins/aws/ec2/openHadoopNameNodeWebUI.js | 2 +-
plugins/aws/ec2/openInternalWeb.js | 2 +-
plugins/aws/ec2/openKibana.js | 2 +-
plugins/aws/ec2/openLDAP.js | 2 +-
plugins/aws/ec2/openLDAPS.js | 2 +-
plugins/aws/ec2/openMemcached.js | 2 +-
plugins/aws/ec2/openMongoDB.js | 2 +-
plugins/aws/ec2/openMySQL.js | 2 +-
plugins/aws/ec2/openNetBIOS.js | 2 +-
plugins/aws/ec2/openOracle.js | 2 +-
plugins/aws/ec2/openOracleAutoDataWarehouse.js | 2 +-
plugins/aws/ec2/openPostgreSQL.js | 2 +-
plugins/aws/ec2/openRDP.js | 2 +-
plugins/aws/ec2/openRPC.js | 2 +-
plugins/aws/ec2/openRedis.js | 2 +-
plugins/aws/ec2/openSMBoTCP.js | 2 +-
plugins/aws/ec2/openSMTP.js | 2 +-
plugins/aws/ec2/openSNMP.js | 2 +-
plugins/aws/ec2/openSQLServer.js | 2 +-
plugins/aws/ec2/openSSH.js | 2 +-
plugins/aws/ec2/openSalt.js | 2 +-
plugins/aws/ec2/openTelnet.js | 2 +-
plugins/aws/ec2/openVNCClient.js | 2 +-
plugins/aws/ec2/openVNCServer.js | 2 +-
plugins/aws/ec2/outdatedAmiInUse.js | 2 +-
plugins/aws/ec2/overlappingSecurityGroups.js | 2 +-
plugins/aws/ec2/overutilizedEC2Instance.js | 2 +-
plugins/aws/ec2/publicAmi.js | 2 +-
plugins/aws/ec2/publicIpAddress.js | 2 +-
plugins/aws/ec2/securityGroupRfc1918.js | 2 +-
plugins/aws/ec2/securityGroupsHasTags.js | 2 +-
plugins/aws/ec2/subnetIpAvailability.js | 2 +-
plugins/aws/ec2/unusedSecurityGroups.js | 2 +-
plugins/aws/ec2/vpcEndpointAcceptance.js | 2 +-
plugins/aws/ec2/vpcEndpointCrossAccount.js | 2 +-
plugins/aws/ec2/vpcEndpointExposed.js | 2 +-
plugins/aws/ec2/vpcHasTags.js | 2 +-
plugins/aws/ec2/vpcSubnetInstancesPresent.js | 2 +-
plugins/aws/ec2/vpnGatewayInVpc.js | 2 +-
plugins/aws/ec2/vpnTunnelState.js | 2 +-
plugins/aws/ec2/webTierInstanceIamRole.js | 2 +-
plugins/aws/ecr/ecrImageVulnerability.js | 2 +-
plugins/aws/ecr/ecrRepositoryEncrypted.js | 2 +- plugins/aws/ecr/ecrRepositoryHasTags.js | 2 +- plugins/aws/ecr/ecrRepositoryPolicy.js | 2 +- plugins/aws/ecr/ecrRepositoryTagImmutability.js | 2 +- plugins/aws/ecs/ecsClusterActiveService.js | 2 +- plugins/aws/ecs/ecsClusterWithActiveTask.js | 2 +- plugins/aws/ecs/ecsClustersHaveTags.js | 2 +- plugins/aws/ecs/ecsContainerInsightsEnabled.js | 2 +- 98 files changed, 98 insertions(+), 98 deletions(-)
diff --git a/plugins/aws/ec2/allowedCustomPorts.js b/plugins/aws/ec2/allowedCustomPorts.js
index ca1ceefe10..18b6c90328 100644
--- a/plugins/aws/ec2/allowedCustomPorts.js
+++ b/plugins/aws/ec2/allowedCustomPorts.js
@@ -18,7 +18,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/amiHasTags.js b/plugins/aws/ec2/amiHasTags.js
index 48e97c5743..099b5a53b4 100644
--- a/plugins/aws/ec2/amiHasTags.js
+++ b/plugins/aws/ec2/amiHasTags.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://aws.amazon.com/about-aws/whats-new/2020/12/amazon-machine-images-support-tag-on-create-tag-based-access-control/',
 recommended_action: 'Modify AMI and add tags.',
 apis: ['EC2:describeImages'],
- realtime_triggers: ['ec2:CreateImage', 'ec2:CreateTags', 'ec2:DeleteTags'],
+ realtime_triggers: ['ec2:CreateImage', 'ec2:CreateTags', 'ec2:DeleteTags', 'ec2:DeregisterImage'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/appTierInstanceIamRole.js b/plugins/aws/ec2/appTierInstanceIamRole.js
index ddc9783c74..d53a3c2c6e 100644
--- a/plugins/aws/ec2/appTierInstanceIamRole.js
+++ b/plugins/aws/ec2/appTierInstanceIamRole.js
@@ -19,7 +19,7 @@ module.exports = {
 default: ''
 },
 },
- realtime_triggers: ['ec2:RunInstance', 'ec2:AssociateIamInstanceProfile', 'ec2:DisassociateIamInstanceProfile'],
+ realtime_triggers: ['ec2:RunInstances', 'ec2:AssociateIamInstanceProfile', 'ec2:DisassociateIamInstanceProfile', 'ec2:TerminateInstances'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/classicInstances.js b/plugins/aws/ec2/classicInstances.js
index c9743ddf64..a6f0ae8946 100644
--- a/plugins/aws/ec2/classicInstances.js
+++ b/plugins/aws/ec2/classicInstances.js
@@ -19,7 +19,7 @@ module.exports = {
 'segmentation criteria for PCI. Ensure all instances are launched ' +
 'within a VPC to comply with isolation requirements.'
 },
- realtime_triggers: ['ec2:RunInstance'],
+ realtime_triggers: ['ec2:RunInstances','ec2:TerminateInstances'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/crossVpcPublicPrivate.js b/plugins/aws/ec2/crossVpcPublicPrivate.js
index 22404af170..823299f687 100644
--- a/plugins/aws/ec2/crossVpcPublicPrivate.js
+++ b/plugins/aws/ec2/crossVpcPublicPrivate.js
@@ -16,7 +16,7 @@ module.exports = {
 'communicate across these segmented boundaries. Ensure that public ' +
 'services in one VPC cannot communicate with the private tier of another.'
 },
- realtime_triggers: ['ec2:CreateVpcPeeringConnection', 'ec2:ModifyVpcPeeringConnectionOptions'],
+ realtime_triggers: ['ec2:CreateVpcPeeringConnection', 'ec2:ModifyVpcPeeringConnectionOptions', 'ec2:DeleteVpcPeeringConnection'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/defaultSecurityGroup.js b/plugins/aws/ec2/defaultSecurityGroup.js
index afb26825e7..314dc28782 100644
--- a/plugins/aws/ec2/defaultSecurityGroup.js
+++ b/plugins/aws/ec2/defaultSecurityGroup.js
@@ -17,7 +17,7 @@ module.exports = {
 'unintended traffic to cross these isolation boundaries.',
 cis2: '4.3 Ensure the default security group of every VPC restricts all traffic'
 },
- realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/defaultSecurityGroupInUse.js b/plugins/aws/ec2/defaultSecurityGroupInUse.js
index a06db51908..f984506ab7 100644
--- a/plugins/aws/ec2/defaultSecurityGroupInUse.js
+++ b/plugins/aws/ec2/defaultSecurityGroupInUse.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#default-security-group',
 recommended_action: 'Modify EC2 instances and change security group.',
 apis: ['EC2:describeInstances'],
- realtime_triggers: ['ec2:RunInstance', 'ec2:ModifyInstanceAttribute'],
+ realtime_triggers: ['ec2:RunInstances', 'ec2:ModifyInstanceAttribute', 'ec2:TerminateInnstances'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/defaultVpcExists.js b/plugins/aws/ec2/defaultVpcExists.js
index c328295b9e..4f449f3b90 100644
--- a/plugins/aws/ec2/defaultVpcExists.js
+++ b/plugins/aws/ec2/defaultVpcExists.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/default-vpc.html',
 recommended_action: 'Move resources from the default VPC to a new VPC created for that application or resource group.',
 apis: ['EC2:describeVpcs', 'STS:getCallerIdentity'],
- realtime_triggers: ['ec2:CreateVpc', 'ec2:ModifyVpcAttribute'],
+ realtime_triggers: ['ec2:CreateVpc', 'ec2:ModifyVpcAttribute', 'ec2:DeleteVpc'],
 run: function(cache, settings, callback) {
 var results = [];
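Review bot: The trigger added in defaultSecurityGroupInUse.js is misspelled, `'ec2:TerminateInnstances'`, so an instance termination will never match it and the plugin's cached verdict will only refresh on the next full scan; it should be `'ec2:TerminateInstances'`, as the other hunks in this patch spell it. Because realtime_triggers is a list of free-form strings with nothing validating it, a small spec that loads every plugin and asserts each entry matches `/^[a-z0-9-]+:[A-Za-z0-9]+$/` would catch this class of slip across all 98 files touched here. The enclosing module.exports object continues outside the hunk.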
diff --git a/plugins/aws/ec2/defaultVpcInUse.js b/plugins/aws/ec2/defaultVpcInUse.js
index 6bd39ddbbe..d9d0516264 100644
--- a/plugins/aws/ec2/defaultVpcInUse.js
+++ b/plugins/aws/ec2/defaultVpcInUse.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/default-vpc.html',
 recommended_action: 'Move resources from the default VPC to a new VPC created for that application or resource group.',
 apis: ['EC2:describeVpcs', 'EC2:describeInstances', 'ELB:describeLoadBalancers', 'Lambda:listFunctions', 'RDS:describeDBInstances', 'Redshift:describeClusters'],
- realtime_triggers: ['ec2:CreateVpc', 'ec2:ModifyVpcAttribute', 'ec2:RunInstance','elasticloadbalancing:CreateLoadBalancer','elasticloadbalancing:ModifyLoadBalancerAttributes', 'lambda:CreateFunction','lambda:UpdateFunctionConfiguration', 'rds:CreateDBInstance','rds:ModifyDBInstance','redshift:CreateCluster','redshift:ModifyCluster'],
+ realtime_triggers: ['ec2:CreateVpc', 'ec2:DeleteVpc', 'ec2:ModifyVpcAttribute', 'ec2:RunInstances', 'TerminateInstances','elb:CreateLoadBalancer','elb:ModifyLoadBalancerAttributes','elb:DeleteLoadBalancer', 'lambda:CreateFunction','lambda:UpdateFunctionConfiguration', 'lamda:DeleteFunction','rds:CreateDBInstance','rds:ModifyDBInstance','rds:DeleteDBInstance','redshift:CreateCluster','redshift:ModifyCluster', 'redshift:DeleteCluster'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/ebsBackupEnabled.js b/plugins/aws/ec2/ebsBackupEnabled.js
index b04fa32e70..d14288e5e7 100644
--- a/plugins/aws/ec2/ebsBackupEnabled.js
+++ b/plugins/aws/ec2/ebsBackupEnabled.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 'true'
 }
 },
- realtime_triggers: ['ec2:CreateSnapshot', 'ec2:CreateVloume'],
+ realtime_triggers: ['ec2:CreateSnapshot', 'ec2:CreateVloume', 'ec2: DeleteVolume', 'ec2:DeleteSnapshot'],
 run: function(cache, settings, callback) {
 let results = [];
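Review bot: Three entries in the new defaultVpcInUse.js trigger list look wrong: `'TerminateInstances'` has no `ec2:` prefix, `'lamda:DeleteFunction'` is misspelled, and the load-balancer triggers were renamed from `elasticloadbalancing:` to `elb:`, a change unrelated to adding delete triggers that no other file in this patch makes. If the matcher compares the prefix against the event source, the renamed entries would silently stop firing, so please confirm which prefix it expects and keep `elasticloadbalancing:` unless it was already wrong. The two typos should read `'ec2:TerminateInstances'` and `'lambda:DeleteFunction'`.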
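Review bot: In ebsBackupEnabled.js the added entry `'ec2: DeleteVolume'` contains a space after the colon, and the retained `'ec2:CreateVloume'` is still misspelled, so neither volume event will ever match this plugin; the line should read `realtime_triggers: ['ec2:CreateSnapshot', 'ec2:CreateVolume', 'ec2:DeleteVolume', 'ec2:DeleteSnapshot'],`. The enclosing module.exports object continues outside the hunk.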
diff --git a/plugins/aws/ec2/ebsDefaultEncryptionEnabled.js b/plugins/aws/ec2/ebsDefaultEncryptionEnabled.js
index d91e1a327c..6af51cbe51 100644
--- a/plugins/aws/ec2/ebsDefaultEncryptionEnabled.js
+++ b/plugins/aws/ec2/ebsDefaultEncryptionEnabled.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 'awskms',
 },
 },
- realtime_triggers: ['ec2:CreateVolume', 'ec2:EnableEbsEncryptionByDefault', 'ec2:DisableEbsEncryptionByDefault', 'ec2:ModifyEbsDefaultKmsKeyId'],
+ realtime_triggers: ['ec2:CreateVolume', 'ec2:EnableEbsEncryptionByDefault', 'ec2:DisableEbsEncryptionByDefault', 'ec2:ModifyEbsDefaultKmsKeyId', 'ec2:DeleteVolume'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/ebsEncryptionEnabled.js b/plugins/aws/ec2/ebsEncryptionEnabled.js
index 653a4ed0fb..cedce04df7 100644
--- a/plugins/aws/ec2/ebsEncryptionEnabled.js
+++ b/plugins/aws/ec2/ebsEncryptionEnabled.js
@@ -58,7 +58,7 @@ module.exports = {
 },
 },
- realtime_triggers: ['ec2:CreateVolume'],
+ realtime_triggers: ['ec2:CreateVolume', 'ec2;DeleteVolume'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/ebsRecentSnapshots.js b/plugins/aws/ec2/ebsRecentSnapshots.js
index 9bd01f38da..f4898d9edc 100644
--- a/plugins/aws/ec2/ebsRecentSnapshots.js
+++ b/plugins/aws/ec2/ebsRecentSnapshots.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html',
 recommended_action: 'Create a new snapshot for EBS volume weekly.',
 apis: ['EC2:describeSnapshots','STS:getCallerIdentity'],
- realtime_triggers: ['ec2:CreateSnapshot'],
+ realtime_triggers: ['ec2:CreateSnapshot', 'ec2:DeleteSnapshot'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/ebsSnapshotHasTags.js b/plugins/aws/ec2/ebsSnapshotHasTags.js
index e9687ba78b..f40ef54b88 100644
--- a/plugins/aws/ec2/ebsSnapshotHasTags.js
+++ b/plugins/aws/ec2/ebsSnapshotHasTags.js
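Review bot: `'ec2;DeleteVolume'` in ebsEncryptionEnabled.js uses a semicolon instead of a colon, so the delete event will not match; it should be `'ec2:DeleteVolume'`. The same slip appears in instanceKeyBasedLogin.js later in this patch, where `'ec2;TerminateInstances'` should be `'ec2:TerminateInstances'`. The enclosing module.exports object continues outside both hunks.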
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://aws.amazon.com/blogs/compute/tag-amazon-ebs-snapshots-on-creation-and-implement-stronger-security-policies/',
 recommended_action: 'Modify EBS snapshots and add tags.',
 apis: ['EC2:describeSnapshots'],
- realtime_triggers: ['ec2:CreateSnapshot', 'ec2:AddTags', 'ec2:DeleteTags'],
+ realtime_triggers: ['ec2:CreateSnapshot', 'ec2:AddTags', 'ec2:DeleteTags','ec2:DeleteSnapshot'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/ebsSnapshotLifecycle.js b/plugins/aws/ec2/ebsSnapshotLifecycle.js
index ee613095c5..ad140f1199 100644
--- a/plugins/aws/ec2/ebsSnapshotLifecycle.js
+++ b/plugins/aws/ec2/ebsSnapshotLifecycle.js
@@ -12,7 +12,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-lifecycle.html',
 apis: ['EC2:describeInstances', 'EC2:describeVolumes', 'DLM:getLifecyclePolicies', 'DLM:getLifecyclePolicy', 'STS:getCallerIdentity'],
- realtime_triggers: ['ec2:CreateVolume','dlm:CreateLifecyclePolicy', 'dlm:DeleteLifecyclePolicy', 'dlm:UpdateLifecyclePolicy'],
+ realtime_triggers: ['ec2:CreateVolume','dlm:CreateLifecyclePolicy', 'dlm:DeleteLifecyclePolicy', 'dlm:UpdateLifecyclePolicy','ec2:DeleteVolume'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/ebsSnapshotPublic.js b/plugins/aws/ec2/ebsSnapshotPublic.js
index 16cd944cde..7e44e3db3b 100644
--- a/plugins/aws/ec2/ebsSnapshotPublic.js
+++ b/plugins/aws/ec2/ebsSnapshotPublic.js
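Review bot: The new ebsSnapshotHasTags.js line keeps `'ec2:AddTags'`, but the EC2 tagging action is CreateTags, which is what amiHasTags.js in this same patch uses (`'ec2:CreateTags'`), so adding tags to a snapshot will never trigger a re-check of this plugin. The same entry is carried over in ebsVolumeHasTags.js, ec2HasTags.js and networkAclHasTags.js. Since the patch already rewrites each of those lines, it is the natural place to correct them to `'ec2:CreateTags'`.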
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html',
 recommended_action: 'Modify the permissions of public snapshots to remove public access.',
 apis: ['EC2:describeSnapshots', 'EC2:describeSnapshotAttribute'],
- realtime_triggers: ['ec2:CreateSnapshot' , 'ec2:ModifySnapshotAttribute'],
+ realtime_triggers: ['ec2:CreateSnapshot' , 'ec2:ModifySnapshotAttribute', 'ec2:DeleteSnapshot'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/ebsVolumeHasTags.js b/plugins/aws/ec2/ebsVolumeHasTags.js
index 426a7ddbe4..0d9d4f3a2c 100644
--- a/plugins/aws/ec2/ebsVolumeHasTags.js
+++ b/plugins/aws/ec2/ebsVolumeHasTags.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Modify EBS volumes and add tags',
 link: 'https://aws.amazon.com/blogs/aws/new-tag-ec2-instances-ebs-volumes-on-creation/',
 apis: ['EC2:describeVolumes', 'STS:getCallerIdentity'],
- realtime_triggers: ['ec2:CreateVolume', 'ec2:AddTags', 'ec2:DeleteTags'],
+ realtime_triggers: ['ec2:CreateVolume', 'ec2:AddTags', 'ec2:DeleteTags','ec2:DeleteVolume'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/ec2HasTags.js b/plugins/aws/ec2/ec2HasTags.js
index 6db8b342dc..34a9b7376e 100644
--- a/plugins/aws/ec2/ec2HasTags.js
+++ b/plugins/aws/ec2/ec2HasTags.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html',
 recommended_action: 'Modify EC2 instances and add tags.',
 apis: ['EC2:describeInstances'],
- realtime_triggers: ['ec2:RunInstance', 'ec2:AddTags', 'ec2:DeleteTags'],
+ realtime_triggers: ['ec2:RunInstances', 'ec2:AddTags', 'ec2:DeleteTags', 'ec2:TerminateInstances'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/ec2MetadataOptions.js b/plugins/aws/ec2/ec2MetadataOptions.js
index 192f10dd86..4d0bd8dc2f 100644
--- a/plugins/aws/ec2/ec2MetadataOptions.js
+++ b/plugins/aws/ec2/ec2MetadataOptions.js
@@ -11,7 +11,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#configuring-instance-metadata-service',
 recommended_action: 'Update instance metadata options to use IMDSv2',
 apis: ['EC2:describeInstances'],
- realtime_triggers: ['ec2:RunInstance', 'ec2:ModifyInstanceMetadataOptions'],
+ realtime_triggers: ['ec2:RunInstances', 'ec2:ModifyInstanceMetadataOptions', 'ec2:TerminateInstances'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/enableDetailedMonitoring.js b/plugins/aws/ec2/enableDetailedMonitoring.js
index 5170993242..97e6b74e24 100644
--- a/plugins/aws/ec2/enableDetailedMonitoring.js
+++ b/plugins/aws/ec2/enableDetailedMonitoring.js
@@ -11,7 +11,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html',
 recommended_action: 'Modify EC2 instance to enable detailed monitoring.',
 apis: ['EC2:describeInstances'],
- realtime_triggers: ['ec2:RunInstance', 'ec2:MonitorInstances'],
+ realtime_triggers: ['ec2:RunInstances', 'ec2:MonitorInstances', 'ec2:TerminateInstances'],
 run: function(cache, settings, callback) {
 const results = [];
diff --git a/plugins/aws/ec2/encryptedAmi.js b/plugins/aws/ec2/encryptedAmi.js
index cfa8dfeada..0c0ee924a9 100644
--- a/plugins/aws/ec2/encryptedAmi.js
+++ b/plugins/aws/ec2/encryptedAmi.js
@@ -16,7 +16,7 @@ module.exports = {
 'allow it to remain compliant with the encryption at-rest ' +
 'regulatory requirement.'
 },
- realtime_triggers: ['ec2:CreateImage', 'ec2:CopyImage'],
+ realtime_triggers: ['ec2:CreateImage', 'ec2:CopyImage', 'ec2:DeregisterImage'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/flowLogsEnabled.js b/plugins/aws/ec2/flowLogsEnabled.js
index 069d9912fa..5aa9d0a923 100644
--- a/plugins/aws/ec2/flowLogsEnabled.js
+++ b/plugins/aws/ec2/flowLogsEnabled.js
@@ -19,7 +19,7 @@ module.exports = {
 'cardholder data. Enable VPC flow logs to log these network requests.',
 cis2: '2.9 Ensure VPC flow logging is enabled in all VPCs'
 },
- realtime_triggers: ['ec2:CreateVpc', 'ec2:CreateFlowLogs', 'ec2:DeleteFlowLogs'],
+ realtime_triggers: ['ec2:CreateVpc', 'ec2:CreateFlowLogs', 'ec2:DeleteFlowLogs', 'ec2:DeleteVpc'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/instanceIamRole.js b/plugins/aws/ec2/instanceIamRole.js
index fe3d04b022..442ec4682e 100644
--- a/plugins/aws/ec2/instanceIamRole.js
+++ b/plugins/aws/ec2/instanceIamRole.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 10
 }
 },
- realtime_triggers: ['ec2:RunInstance','ec2:AssociateIamInstanceProfile', 'ec2:DisassociateIamInstanceProfile'],
+ realtime_triggers: ['ec2:RunInstances','ec2:AssociateIamInstanceProfile', 'ec2:DisassociateIamInstanceProfile', 'ec2:TerminateInstances'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/instanceKeyBasedLogin.js b/plugins/aws/ec2/instanceKeyBasedLogin.js
index ea66558a4b..4a970a4e96 100644
--- a/plugins/aws/ec2/instanceKeyBasedLogin.js
+++ b/plugins/aws/ec2/instanceKeyBasedLogin.js
@@ -18,7 +18,7 @@ module.exports = {
 default: '10'
 }
 },
- realtime_triggers: ['ec2:RunInstance', 'ec2:ModifyInstanceAttribute'],
+ realtime_triggers: ['ec2:RunInstances', 'ec2:ModifyInstanceAttribute', 'ec2;TerminateInstances'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/instanceLimit.js b/plugins/aws/ec2/instanceLimit.js
index b6e55ea493..2b97ec831c 100644
--- a/plugins/aws/ec2/instanceLimit.js
+++ b/plugins/aws/ec2/instanceLimit.js
@@ -24,7 +24,7 @@ module.exports = {
 default: 75
 }
 },
- realtime_triggers: ['ec2:RunInstance', 'ec2:TerminateInstance'],
+ realtime_triggers: ['ec2:RunInstances', 'ec2:TerminateInstances'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/instanceMaxCount.js b/plugins/aws/ec2/instanceMaxCount.js
index 548625d245..ed97e11487 100644
--- a/plugins/aws/ec2/instanceMaxCount.js
+++ b/plugins/aws/ec2/instanceMaxCount.js
@@ -205,7 +205,7 @@ module.exports = {
 },
 },
- realtime_triggers: ['ec2:RunInstance', 'ec2:TerminateInstance'],
+ realtime_triggers: ['ec2:RunInstances', 'ec2:TerminateInstances'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/instanceVcpusLimit.js b/plugins/aws/ec2/instanceVcpusLimit.js
index ed85d96e6f..80a558d826 100644
--- a/plugins/aws/ec2/instanceVcpusLimit.js
+++ b/plugins/aws/ec2/instanceVcpusLimit.js
@@ -24,7 +24,7 @@ module.exports = {
 default: 75
 }
 },
- realtime_triggers: ['ec2:RunInstance', 'ec2:TerminateInstance', 'servicequotas:RequestServiceQuotaIncrease'],
+ realtime_triggers: ['ec2:RunInstances', 'ec2:TerminateInstances', 'servicequotas:RequestServiceQuotaIncrease'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/internetGatewayInVpc.js b/plugins/aws/ec2/internetGatewayInVpc.js
index ef68b75fcd..c4d515c531 100644
--- a/plugins/aws/ec2/internetGatewayInVpc.js
+++ b/plugins/aws/ec2/internetGatewayInVpc.js
@@ -11,7 +11,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html',
 recommended_action: 'Ensure Internet Gateways have VPC attached to them.',
 apis: ['EC2:describeInternetGateways', 'STS:getCallerIdentity'],
- realtime_triggers: ['ec2:CreateInternetGateway', 'ec2:DetachInternetGateway', 'ec2:AttachInternetGateway'],
+ realtime_triggers: ['ec2:CreateInternetGateway', 'ec2:DetachInternetGateway', 'ec2:AttachInternetGateway', 'ec2:DeleteInternatGateway'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/managedNatGateway.js b/plugins/aws/ec2/managedNatGateway.js
index c7cafdfec6..70411b6787 100644
--- a/plugins/aws/ec2/managedNatGateway.js
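Review bot: `'ec2:DeleteInternatGateway'` in internetGatewayInVpc.js is misspelled, so gateway deletions will not trigger the plugin and a detached or deleted gateway keeps its last verdict until the next full scan; it should be `'ec2:DeleteInternetGateway'`, matching the spelling of the three existing entries on the same line. The enclosing module.exports object continues outside the hunk.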
+++ b/plugins/aws/ec2/managedNatGateway.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://aws.amazon.com/blogs/aws/new-managed-nat-network-address-translation-gateway-for-aws/',
 recommended_action: 'Update VPCs to use Managed NAT Gateways instead of NAT instances',
 apis: ['EC2:describeVpcs', 'EC2:describeNatGateways', 'STS:getCallerIdentity'],
- realtime_triggers: ['ec2:CreateNatGateway', 'ec2:ReplaceRoute','ec2:CreateVpc'],
+ realtime_triggers: ['ec2:CreateNatGateway', 'ec2:ReplaceRoute','ec2:CreateVpc', 'ec2:DeleteNatGateway', 'ec2:DeleteVpc'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/natMultiAz.js b/plugins/aws/ec2/natMultiAz.js
index 3a513e46f7..6332727fc7 100644
--- a/plugins/aws/ec2/natMultiAz.js
+++ b/plugins/aws/ec2/natMultiAz.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html',
 recommended_action: 'Launch managed NAT instances in multiple AZs.',
 apis: ['EC2:describeVpcs', 'EC2:describeNatGateways', 'STS:getCallerIdentity'],
- realtime_triggers: ['ec2:CreateNatGateway'],
+ realtime_triggers: ['ec2:CreateNatGateway', 'ec2:DeleteNatGateway'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/networkAclHasTags.js b/plugins/aws/ec2/networkAclHasTags.js
index a53f75eb86..59d38bf3fb 100644
--- a/plugins/aws/ec2/networkAclHasTags.js
+++ b/plugins/aws/ec2/networkAclHasTags.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Modify Network ACL and add tags.',
 link: 'https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html',
 apis: ['EC2:describeNetworkAcls', 'STS:getCallerIdentity'],
- realtime_triggers: ['ec2:CreateNetworkAcl', 'ec2:AddTags', 'ec2:DeleteTags'],
+ realtime_triggers: ['ec2:CreateNetworkAcl', 'ec2:AddTags', 'ec2:DeleteTags', 'ec2:DeleteNetworkAcl'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/networkAclInboundTraffic.js b/plugins/aws/ec2/networkAclInboundTraffic.js
index 3ea2ed9399..c0bb6b5cec 100644
--- a/plugins/aws/ec2/networkAclInboundTraffic.js
+++ b/plugins/aws/ec2/networkAclInboundTraffic.js
@@ -13,7 +13,7 @@ module.exports = {
 compliance: {
 cis1: '5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports',
 },
- realtime_triggers: ['ec2:CreateNetworkAcl', 'ec2:ReplaceNetworkAclEntry'],
+ realtime_triggers: ['ec2:CreateNetworkAcl', 'ec2:ReplaceNetworkAclEntry', 'ec2:DeleteNetworkAcl'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/networkAclOutboundTraffic.js b/plugins/aws/ec2/networkAclOutboundTraffic.js
index d0190c12a7..e7fef5758d 100644
--- a/plugins/aws/ec2/networkAclOutboundTraffic.js
+++ b/plugins/aws/ec2/networkAclOutboundTraffic.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Update Network ACL to allow outbound/egress traffic to specific port ranges only',
 link: 'https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html',
 apis: ['EC2:describeNetworkAcls', 'STS:getCallerIdentity'],
- realtime_triggers: ['ec2:CreateNetworkAcl', 'ec2:ReplaceNetworkAclEntry'],
+ realtime_triggers: ['ec2:CreateNetworkAcl', 'ec2:ReplaceNetworkAclEntry', 'ec2:DeleteNetworkAcl'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/openAllPortsProtocols.js b/plugins/aws/ec2/openAllPortsProtocols.js
index 6b5a551e49..71185bf914 100644
--- a/plugins/aws/ec2/openAllPortsProtocols.js
+++ b/plugins/aws/ec2/openAllPortsProtocols.js
@@ -27,7 +27,7 @@ module.exports = {
 'Security groups should be properly secured to prevent access to ' +
 'backend services.'
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openAllPortsProtocolsEgress.js b/plugins/aws/ec2/openAllPortsProtocolsEgress.js
index 1af9a4f4e2..1c24ee7dad 100644
--- a/plugins/aws/ec2/openAllPortsProtocolsEgress.js
+++ b/plugins/aws/ec2/openAllPortsProtocolsEgress.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 'false',
 }
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openCIFS.js b/plugins/aws/ec2/openCIFS.js
index ef285cc08f..54a2ab5b92 100644
--- a/plugins/aws/ec2/openCIFS.js
+++ b/plugins/aws/ec2/openCIFS.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openCassandraClient.js b/plugins/aws/ec2/openCassandraClient.js
index 86da19db1e..7ea97b2bf6 100644
--- a/plugins/aws/ec2/openCassandraClient.js
+++ b/plugins/aws/ec2/openCassandraClient.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openCassandraInternode.js b/plugins/aws/ec2/openCassandraInternode.js
index 986271e5ce..1439db076c 100644
--- a/plugins/aws/ec2/openCassandraInternode.js
+++ b/plugins/aws/ec2/openCassandraInternode.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openCassandraMonitoring.js b/plugins/aws/ec2/openCassandraMonitoring.js
index 49dd4276cf..8c2b723f0e 100644
--- a/plugins/aws/ec2/openCassandraMonitoring.js
+++ b/plugins/aws/ec2/openCassandraMonitoring.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress','ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openCassandraThrift.js b/plugins/aws/ec2/openCassandraThrift.js
index 5679561ed5..821611e8b9 100644
--- a/plugins/aws/ec2/openCassandraThrift.js
+++ b/plugins/aws/ec2/openCassandraThrift.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress','ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openCustomPorts.js b/plugins/aws/ec2/openCustomPorts.js
index 7bbffa3a93..2c8524b042 100644
--- a/plugins/aws/ec2/openCustomPorts.js
+++ b/plugins/aws/ec2/openCustomPorts.js
@@ -24,7 +24,7 @@ module.exports = {
 default: 'false',
 }
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openDNS.js b/plugins/aws/ec2/openDNS.js
index 4f8c5c4509..91090378c6 100644
--- a/plugins/aws/ec2/openDNS.js
+++ b/plugins/aws/ec2/openDNS.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openDocker.js b/plugins/aws/ec2/openDocker.js
index 77376f3a2c..dc39dc4ff1 100644
--- a/plugins/aws/ec2/openDocker.js
+++ b/plugins/aws/ec2/openDocker.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:RevokeSecurityGroupIngress'],
 rollback: ['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress','ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openElasticsearch.js b/plugins/aws/ec2/openElasticsearch.js
index 53bf3cab5a..0aaec97c48 100644
--- a/plugins/aws/ec2/openElasticsearch.js
+++ b/plugins/aws/ec2/openElasticsearch.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openFTP.js b/plugins/aws/ec2/openFTP.js
index 8369757b17..64a61ce490 100644
--- a/plugins/aws/ec2/openFTP.js
+++ b/plugins/aws/ec2/openFTP.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openHTTP.js b/plugins/aws/ec2/openHTTP.js
index 2286a29b77..879cb6323b 100644
--- a/plugins/aws/ec2/openHTTP.js
+++ b/plugins/aws/ec2/openHTTP.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html',
 recommended_action: 'Restrict TCP port 80 to known IP addresses',
 apis: ['EC2:describeSecurityGroups'],
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/ec2/openHTTPS.js b/plugins/aws/ec2/openHTTPS.js
index 827153c8cf..e79bcbd772 100644
--- a/plugins/aws/ec2/openHTTPS.js
+++ b/plugins/aws/ec2/openHTTPS.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html',
 recommended_action: 'Restrict TCP port 443 to known IP addresses.',
 apis: ['EC2:describeSecurityGroups'],
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/openHadoopNameNode.js b/plugins/aws/ec2/openHadoopNameNode.js
index e487c8cf44..56e4af6c23 100644
--- a/plugins/aws/ec2/openHadoopNameNode.js
+++ b/plugins/aws/ec2/openHadoopNameNode.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openHadoopNameNodeWebUI.js b/plugins/aws/ec2/openHadoopNameNodeWebUI.js
index b718f1e707..41a09a8d0c 100644
--- a/plugins/aws/ec2/openHadoopNameNodeWebUI.js
+++ b/plugins/aws/ec2/openHadoopNameNodeWebUI.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openInternalWeb.js b/plugins/aws/ec2/openInternalWeb.js
index 71f8e774d2..b39b853c95 100644
--- a/plugins/aws/ec2/openInternalWeb.js
+++ b/plugins/aws/ec2/openInternalWeb.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openKibana.js b/plugins/aws/ec2/openKibana.js
index c838720ea5..c04fb3e0f7 100644
--- a/plugins/aws/ec2/openKibana.js
+++ b/plugins/aws/ec2/openKibana.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openLDAP.js b/plugins/aws/ec2/openLDAP.js
index 5299b55323..1b0c4e5191 100644
--- a/plugins/aws/ec2/openLDAP.js
+++ b/plugins/aws/ec2/openLDAP.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openLDAPS.js b/plugins/aws/ec2/openLDAPS.js
index ba6eeac259..8dce4530b1 100644
--- a/plugins/aws/ec2/openLDAPS.js
+++ b/plugins/aws/ec2/openLDAPS.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openMemcached.js b/plugins/aws/ec2/openMemcached.js
index 82a60c1598..df730a8714 100644
--- a/plugins/aws/ec2/openMemcached.js
+++ b/plugins/aws/ec2/openMemcached.js
@@ -49,7 +49,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openMongoDB.js b/plugins/aws/ec2/openMongoDB.js
index caa1c69984..6eebc6c1bc 100644
--- a/plugins/aws/ec2/openMongoDB.js
+++ b/plugins/aws/ec2/openMongoDB.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openMySQL.js b/plugins/aws/ec2/openMySQL.js
index 7fdf5c5421..f7144eb641 100644
--- a/plugins/aws/ec2/openMySQL.js
+++ b/plugins/aws/ec2/openMySQL.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openNetBIOS.js b/plugins/aws/ec2/openNetBIOS.js
index 7f0f73ea66..262b7a5290 100644
--- a/plugins/aws/ec2/openNetBIOS.js
+++ b/plugins/aws/ec2/openNetBIOS.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openOracle.js b/plugins/aws/ec2/openOracle.js
index b9f82980a9..fd0365e72e 100644
--- a/plugins/aws/ec2/openOracle.js
+++ b/plugins/aws/ec2/openOracle.js
@@ -45,7 +45,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openOracleAutoDataWarehouse.js b/plugins/aws/ec2/openOracleAutoDataWarehouse.js
index beb59c5ead..79e1760332 100644
--- a/plugins/aws/ec2/openOracleAutoDataWarehouse.js
+++ b/plugins/aws/ec2/openOracleAutoDataWarehouse.js
@@ -45,7 +45,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openPostgreSQL.js b/plugins/aws/ec2/openPostgreSQL.js
index 41b820a87d..1b9815ca42 100644
--- a/plugins/aws/ec2/openPostgreSQL.js
+++ b/plugins/aws/ec2/openPostgreSQL.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openRDP.js b/plugins/aws/ec2/openRDP.js
index b0bab5708f..057d4ad766 100644
--- a/plugins/aws/ec2/openRDP.js
+++ b/plugins/aws/ec2/openRDP.js
@@ -46,7 +46,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openRPC.js b/plugins/aws/ec2/openRPC.js
index 27b75a3a3e..cc0154d8e5 100644
--- a/plugins/aws/ec2/openRPC.js
+++ b/plugins/aws/ec2/openRPC.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openRedis.js b/plugins/aws/ec2/openRedis.js
index ad8ec70c88..15733527ec 100644
--- a/plugins/aws/ec2/openRedis.js
+++ b/plugins/aws/ec2/openRedis.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openSMBoTCP.js b/plugins/aws/ec2/openSMBoTCP.js
index 8278832d5a..69c774736b 100644
--- a/plugins/aws/ec2/openSMBoTCP.js
+++ b/plugins/aws/ec2/openSMBoTCP.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openSMTP.js b/plugins/aws/ec2/openSMTP.js
index 9d4975db31..d51c7a00f5 100644
--- a/plugins/aws/ec2/openSMTP.js
+++ b/plugins/aws/ec2/openSMTP.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openSNMP.js b/plugins/aws/ec2/openSNMP.js
index c4dc1a706f..aca23dc54a 100644
--- a/plugins/aws/ec2/openSNMP.js
+++ b/plugins/aws/ec2/openSNMP.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openSQLServer.js b/plugins/aws/ec2/openSQLServer.js
index 7c90205ef7..3ad6ba44bf 100644
--- a/plugins/aws/ec2/openSQLServer.js
+++ b/plugins/aws/ec2/openSQLServer.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openSSH.js b/plugins/aws/ec2/openSSH.js
index 0f4ae55f82..8ad91ba87d 100644
--- a/plugins/aws/ec2/openSSH.js
+++ b/plugins/aws/ec2/openSSH.js
@@ -46,7 +46,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openSalt.js b/plugins/aws/ec2/openSalt.js
index b8fd45ee98..d8c5bed1d8 100644
--- a/plugins/aws/ec2/openSalt.js
+++ b/plugins/aws/ec2/openSalt.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openTelnet.js b/plugins/aws/ec2/openTelnet.js
index e1a681488d..4c39c0558e 100644
--- a/plugins/aws/ec2/openTelnet.js
+++ b/plugins/aws/ec2/openTelnet.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules', 'ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openVNCClient.js b/plugins/aws/ec2/openVNCClient.js
index 72b00bf760..e16467fbee 100644
--- a/plugins/aws/ec2/openVNCClient.js
+++ b/plugins/aws/ec2/openVNCClient.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/openVNCServer.js b/plugins/aws/ec2/openVNCServer.js
index e16a0efe9b..32145e6236 100644
--- a/plugins/aws/ec2/openVNCServer.js
+++ b/plugins/aws/ec2/openVNCServer.js
@@ -43,7 +43,7 @@ module.exports = {
 remediate: ['ec2:AuthorizeSecurityGroupIngress','ec2:RevokeSecurityGroupIngress'],
 rollback:['ec2:AuthorizeSecurityGroupIngress']
 },
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:ModifySecurityGroupRules','ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/outdatedAmiInUse.js b/plugins/aws/ec2/outdatedAmiInUse.js
index a684aeb209..097aad4f5d 100644
--- a/plugins/aws/ec2/outdatedAmiInUse.js
+++ b/plugins/aws/ec2/outdatedAmiInUse.js
@@ -11,7 +11,7 @@ module.exports = {
 recommended_action: 'Delete the instances using deprecated AMIs',
 apis: ['EC2:describeImages', 'EC2:describeInstances', 'AutoScaling:describeLaunchConfigurations', 'EC2:describeLaunchTemplates', 'EC2:describeLaunchTemplateVersions','STS:getCallerIdentity'],
- realtime_triggers: ['ec2:RunInstance', 'ec2:TerminateInstance'],
+ realtime_triggers: ['ec2:RunInstances', 'ec2:TerminateInstances'],
 run: function(cache, settings, callback) {
 const results = [];
diff --git a/plugins/aws/ec2/overlappingSecurityGroups.js b/plugins/aws/ec2/overlappingSecurityGroups.js
index 83e241fc92..560ffb0a53 100644
--- a/plugins/aws/ec2/overlappingSecurityGroups.js
+++ b/plugins/aws/ec2/overlappingSecurityGroups.js
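Review bot: The corrected trigger list in outdatedAmiInUse.js covers only instance launch and termination, yet the apis line directly above it shows the check also reads launch configurations and launch templates (`AutoScaling:describeLaunchConfigurations`, `EC2:describeLaunchTemplates`, `EC2:describeLaunchTemplateVersions`). If realtime_triggers is what re-runs the plugin on change events, as its use across this series suggests, a new launch-template version or launch configuration pointing at a deprecated AMI would not re-evaluate the check until the next full scan. Consider extending the list, e.g. `realtime_triggers: ['ec2:RunInstances', 'ec2:TerminateInstances', 'ec2:CreateLaunchTemplate', 'ec2:CreateLaunchTemplateVersion', 'autoscaling:CreateLaunchConfiguration'],`, after confirming which event names the trigger dispatcher matches on. The module.exports object starts and ends outside the hunk.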
@@ -13,7 +13,7 @@ module.exports = {
 recommended_action: 'Structure security groups to provide a single category of access and do not ' + 'duplicate rules across groups used by the same instances.',
 apis: ['EC2:describeInstances', 'EC2:describeSecurityGroups'],
- realtime_triggers: ['ec2:RunInnstance', 'ec2:ModifyInstanceAttribute', 'ec2:ModifySecurityGroupRules'],
+ realtime_triggers: ['ec2:RunInstances', 'ec2:ModifyInstanceAttribute', 'ec2:ModifySecurityGroupRules', 'ec2:TerminateInstances'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/overutilizedEC2Instance.js b/plugins/aws/ec2/overutilizedEC2Instance.js
index 27809a3fac..2fc3f322c4 100644
--- a/plugins/aws/ec2/overutilizedEC2Instance.js
+++ b/plugins/aws/ec2/overutilizedEC2Instance.js
@@ -18,7 +18,7 @@ module.exports = {
 default: '90' } },
- realtime_triggers: ['ec2:RunInstace', 'ec2:ModifyInstanceAttribute'],
+ realtime_triggers: ['ec2:RunInstances', 'ec2:ModifyInstanceAttribute', 'ec2:TerminateInstances'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/publicAmi.js b/plugins/aws/ec2/publicAmi.js
index 3a8b408738..98398806a6 100644
--- a/plugins/aws/ec2/publicAmi.js
+++ b/plugins/aws/ec2/publicAmi.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-intro.html',
 recommended_action: 'Convert the public AMI a private image.',
 apis: ['EC2:describeImages'],
- realtime_triggers: ['ec2:CreateImage', 'ec2:ResetImageAttribute', 'ec2:ModifyImageAttribute'],
+ realtime_triggers: ['ec2:CreateImage', 'ec2:ResetImageAttribute', 'ec2:ModifyImageAttribute', 'ec2:DeregisterImage'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/ec2/publicIpAddress.js b/plugins/aws/ec2/publicIpAddress.js
index 87534b780a..064c4c63d2 100644
--- a/plugins/aws/ec2/publicIpAddress.js
+++ b/plugins/aws/ec2/publicIpAddress.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html',
 recommended_action: 'Remove the public IP address from the EC2 instances to block public access to the instance',
 apis: ['EC2:describeInstances', 'STS:getCallerIdentity', 'EC2:describeSecurityGroups'],
- realtime_triggers: ['ec2:RunInstance','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules'],
+ realtime_triggers: ['ec2:RunInstances','ec2:AuthorizeSecurityGroupIngress','ec2:ModifySecurityGroupRules', 'ec2:TerminateInstances'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/securityGroupRfc1918.js b/plugins/aws/ec2/securityGroupRfc1918.js
index 35f10c3200..8f8618e139 100644
--- a/plugins/aws/ec2/securityGroupRfc1918.js
+++ b/plugins/aws/ec2/securityGroupRfc1918.js
@@ -18,7 +18,7 @@ module.exports = {
 default: '10.0.0.0/8,172.16.0.0/12,192.168.0.0/16' } },
- realtime_triggers: ['ec2:AuthorizeSecurityGroupIngress', 'ec2:RevokeSecurityGroupIngress'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:AuthorizeSecurityGroupIngress', 'ec2:RevokeSecurityGroupIngress', 'ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/securityGroupsHasTags.js b/plugins/aws/ec2/securityGroupsHasTags.js
index 65a34a7d88..fd84e3836d 100644
--- a/plugins/aws/ec2/securityGroupsHasTags.js
+++ b/plugins/aws/ec2/securityGroupsHasTags.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://aws.amazon.com/about-aws/whats-new/2021/07/amazon-ec2-adds-resource-identifiers-tags-vpc-security-groups-rules/',
 recommended_action: 'Update Security Group and add Tags',
 apis: ['EC2:describeSecurityGroups'],
- realtime_triggers: ['ec2:CreateSecurityGroup', 'ec2:AddTags', 'ec2:DeleteTags'],
+ realtime_triggers: ['ec2:CreateSecurityGroup', 'ec2:AddTags', 'ec2:DeleteTags','ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var results = [];
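Review bot: `'ec2:AddTags'` is carried over unchanged into the new securityGroupsHasTags.js trigger list, but EC2 has no AddTags action; tags on EC2 resources are written with `CreateTags` (the `DeleteTags` entry next to it is the matching real action), so a tagging event would presumably never match this trigger and the check would only re-run on group create/delete. The same `'ec2:AddTags'` literal survives in vpcHasTags.js on the next line. Suggested line: `realtime_triggers: ['ec2:CreateSecurityGroup', 'ec2:CreateTags', 'ec2:DeleteTags','ec2:DeleteSecurityGroup'],`. Separately, the new securityGroupRfc1918.js list omits `ec2:ModifySecurityGroupRules`, which every other security-group check in this series includes and which can change a rule's CIDR in place.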
diff --git a/plugins/aws/ec2/subnetIpAvailability.js b/plugins/aws/ec2/subnetIpAvailability.js
index 1852f44223..4b24499ee7 100644
--- a/plugins/aws/ec2/subnetIpAvailability.js
+++ b/plugins/aws/ec2/subnetIpAvailability.js
@@ -24,7 +24,7 @@ module.exports = {
 default: 75 } },
- realtime_triggers: ['ec2:CreateSubnet'],
+ realtime_triggers: ['ec2:CreateSubnet', 'ec2:DeleteSubnet'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ec2/unusedSecurityGroups.js b/plugins/aws/ec2/unusedSecurityGroups.js
index 3f3eb63933..465e2d78ed 100644
--- a/plugins/aws/ec2/unusedSecurityGroups.js
+++ b/plugins/aws/ec2/unusedSecurityGroups.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html',
 recommended_action: 'Remove security groups that are not being used.',
 apis: ['EC2:describeSecurityGroups', 'EC2:describeNetworkInterfaces', 'Lambda:listFunctions'],
- realtime_triggers: ['ec2:CreateSecurityGroup','ec2:DeleteSecurityGroup','ec2:RunInstances','ec2:ModifyInstanceAttribute'],
+ realtime_triggers: ['ec2:CreateSecurityGroup','ec2:DeleteSecurityGroup','ec2:RunInstances','ec2:ModifyInstanceAttribute', 'ec2:TerminateInstances'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/vpcEndpointAcceptance.js b/plugins/aws/ec2/vpcEndpointAcceptance.js
index 4d32d66ea4..4b998d1236 100644
--- a/plugins/aws/ec2/vpcEndpointAcceptance.js
+++ b/plugins/aws/ec2/vpcEndpointAcceptance.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 'false' }, },
- realtime_triggers: ['ec2:CreateVpcEndpointServiceConfiguration', 'ec2:ModifyVpcEndpointServiceConfiguration'],
+ realtime_triggers: ['ec2:CreateVpcEndpointServiceConfiguration', 'ec2:ModifyVpcEndpointServiceConfiguration', 'ec2:DeleteVpcEndpointServiceConfiguration'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/vpcEndpointCrossAccount.js b/plugins/aws/ec2/vpcEndpointCrossAccount.js
index d2e5032341..7525126dee 100644
--- a/plugins/aws/ec2/vpcEndpointCrossAccount.js
+++ b/plugins/aws/ec2/vpcEndpointCrossAccount.js
@@ -18,7 +18,7 @@ module.exports = {
 default: '' } },
- realtime_triggers: ['ec2:CreateVpcEndpoint', 'ec2:ModifyVpcEndpoint'],
+ realtime_triggers: ['ec2:CreateVpcEndpoint', 'ec2:ModifyVpcEndpoint', 'ec2:DeleteVpcEndpoint'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/vpcEndpointExposed.js b/plugins/aws/ec2/vpcEndpointExposed.js
index 5be435d624..62ebe65038 100644
--- a/plugins/aws/ec2/vpcEndpointExposed.js
+++ b/plugins/aws/ec2/vpcEndpointExposed.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Update VPC endpoint access policy in order to stop any unsigned requests',
 link: 'https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html',
 apis: ['EC2:describeVpcEndpoints', 'EC2:describeSubnets', 'EC2:describeRouteTables', 'STS:getCallerIdentity'],
- realtime_triggers: ['ec2:CreateVpcEndpoint', 'ec2:ModifyVpcEndpoint'],
+ realtime_triggers: ['ec2:CreateVpcEndpoint', 'ec2:ModifyVpcEndpoint', 'ec2:DeleteVpcEndpoint'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/vpcHasTags.js b/plugins/aws/ec2/vpcHasTags.js
index affbc3e0e4..f807239097 100644
--- a/plugins/aws/ec2/vpcHasTags.js
+++ b/plugins/aws/ec2/vpcHasTags.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://aws.amazon.com/about-aws/whats-new/2020/07/amazon-vpc-resources-support-tag-on-create/',
 recommended_action: 'Modify VPCs and add new tags',
 apis: ['EC2:describeVpcs'],
- realtime_triggers: ['ec2:CreateVpc', 'ec2:AddTags', 'ec2:DeleteTags'],
+ realtime_triggers: ['ec2:CreateVpc', 'ec2:AddTags', 'ec2:DeleteTags', 'ec2:DeleteVpc'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/vpcSubnetInstancesPresent.js b/plugins/aws/ec2/vpcSubnetInstancesPresent.js
index 375aa27791..549e3b4dbb 100644
--- a/plugins/aws/ec2/vpcSubnetInstancesPresent.js
+++ b/plugins/aws/ec2/vpcSubnetInstancesPresent.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Update VPC subnets and attach instances to it or remove the unused VPC subnets',
 link: 'https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html',
 apis: ['EC2:describeInstances', 'EC2:describeSubnets'],
- realtime_triggers: ['ec2:RunInstance', 'ec2:CreateSubnet', 'ec2:TerminateInstance','ec2:DeleteSubnet'],
+ realtime_triggers: ['ec2:RunInstances', 'ec2:CreateSubnet', 'ec2:TerminateInstances','ec2:DeleteSubnet'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/vpnGatewayInVpc.js b/plugins/aws/ec2/vpnGatewayInVpc.js
index 479e082e30..25bca90846 100644
--- a/plugins/aws/ec2/vpnGatewayInVpc.js
+++ b/plugins/aws/ec2/vpnGatewayInVpc.js
@@ -11,7 +11,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html',
 recommended_action: 'Check if virtual private gateways have vpc associated',
 apis: ['EC2:describeVpnGateways', 'STS:getCallerIdentity'],
- realtime_triggers: ['ec2:CreateVpnGateway', 'ec2:AttachVpnGateway', 'ec2:DeattachVpnGateway'],
+ realtime_triggers: ['ec2:CreateVpnGateway', 'ec2:AttachVpnGateway', 'ec2:DeattachVpnGateway', 'ec2:DeleteVpnGateway'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ec2/vpnTunnelState.js b/plugins/aws/ec2/vpnTunnelState.js
index 2c1323fedb..3e46f7ec32 100644
--- a/plugins/aws/ec2/vpnTunnelState.js
+++ b/plugins/aws/ec2/vpnTunnelState.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 'false' } },
- realtime_triggers: ['ec2:CreateVpnConnection'],
+ realtime_triggers: ['ec2:CreateVpnConnection', 'ec2:DeleteVpnConnection'],
 run: function(cache, settings, callback) {
 var results = [];
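Review bot: `'ec2:DeattachVpnGateway'` survives in the new vpnGatewayInVpc.js trigger list; the EC2 action is `DetachVpnGateway`, so the misspelt entry presumably never fires, which means the very event this check cares about (a gateway losing its VPC attachment) would not re-run it, while the commit adds `ec2:DeleteVpnGateway` right next to it. Since the series is already correcting `RunInstance`/`TerminateInstance` typos, this one belongs in the same sweep. Suggested line: `realtime_triggers: ['ec2:CreateVpnGateway', 'ec2:AttachVpnGateway', 'ec2:DetachVpnGateway', 'ec2:DeleteVpnGateway'],`. The other two hunks on this line (vpcSubnetInstancesPresent.js, vpnTunnelState.js) look correct.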
diff --git a/plugins/aws/ec2/webTierInstanceIamRole.js b/plugins/aws/ec2/webTierInstanceIamRole.js
index 5e26957b3a..4dc84f4d79 100644
--- a/plugins/aws/ec2/webTierInstanceIamRole.js
+++ b/plugins/aws/ec2/webTierInstanceIamRole.js
@@ -19,7 +19,7 @@ module.exports = {
 default: '' }, },
- realtime_triggers: ['ec2:RunInstance','ec2:AssociateIamInstanceProfile', 'ec2:DisassociateIamInstanceProfile'],
+ realtime_triggers: ['ec2:RunInstances','ec2:AssociateIamInstanceProfile', 'ec2:DisassociateIamInstanceProfile', 'ec2:TerminateInstances'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ecr/ecrImageVulnerability.js b/plugins/aws/ecr/ecrImageVulnerability.js
index e849d7cd8d..d739668329 100644
--- a/plugins/aws/ecr/ecrImageVulnerability.js
+++ b/plugins/aws/ecr/ecrImageVulnerability.js
@@ -9,7 +9,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html#scanning-on-push',
 recommended_action: 'Enable "Scan on Push" for your Amazon ECR repositories.',
 apis: ['ECR:describeRepositories'],
- realtime_triggers: ['ecr:CreateRepository', 'ecr:PutImageScanningConfiguration'],
+ realtime_triggers: ['ecr:CreateRepository', 'ecr:PutImageScanningConfiguration', 'ecr:DeleteRepository'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ecr/ecrRepositoryEncrypted.js b/plugins/aws/ecr/ecrRepositoryEncrypted.js
index ff601925e0..7497e5572f 100644
--- a/plugins/aws/ecr/ecrRepositoryEncrypted.js
+++ b/plugins/aws/ecr/ecrRepositoryEncrypted.js
@@ -19,7 +19,7 @@ module.exports = {
 default: 'awscmk' } },
- realtime_triggers: ['ecr:CreateRepository'],
+ realtime_triggers: ['ecr:CreateRepository', 'ecr:DeleteRepository'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ecr/ecrRepositoryHasTags.js b/plugins/aws/ecr/ecrRepositoryHasTags.js
index 124386dcfd..4b2114895a 100644
--- a/plugins/aws/ecr/ecrRepositoryHasTags.js
+++ b/plugins/aws/ecr/ecrRepositoryHasTags.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-using-tags.html',
 recommended_action: 'Modify ECR repository and add tags.',
 apis: ['ECR:describeRepositories', 'ResourceGroupsTaggingAPI:getResources'],
- realtime_triggers: ['ecr:CreateRepository', 'ecr:TagResource', 'ecr:UntagResource'],
+ realtime_triggers: ['ecr:CreateRepository', 'ecr:TagResource', 'ecr:UntagResource', 'ecr:DeleteRepository'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ecr/ecrRepositoryPolicy.js b/plugins/aws/ecr/ecrRepositoryPolicy.js
index b86ee2b11d..28636c742f 100644
--- a/plugins/aws/ecr/ecrRepositoryPolicy.js
+++ b/plugins/aws/ecr/ecrRepositoryPolicy.js
@@ -24,7 +24,7 @@ module.exports = {
 default: 'true' } },
- realtime_triggers: ['ecr:CreateRepository', 'ecr:SetRepositoryPolicy'],
+ realtime_triggers: ['ecr:CreateRepository', 'ecr:SetRepositoryPolicy', 'ecr:DeleteRepository'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/ecr/ecrRepositoryTagImmutability.js b/plugins/aws/ecr/ecrRepositoryTagImmutability.js
index ac81cd9708..72aad900ab 100644
--- a/plugins/aws/ecr/ecrRepositoryTagImmutability.js
+++ b/plugins/aws/ecr/ecrRepositoryTagImmutability.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-tag-mutability.html',
 recommended_action: 'Update ECR registry configurations to ensure image tag mutability is set to immutable.',
 apis: ['ECR:describeRepositories'],
- realtime_triggers: ['ecr:CreateRepository', 'ecr:PutImageTagMutability'],
+ realtime_triggers: ['ecr:CreateRepository', 'ecr:PutImageTagMutability', 'ecr:DeleteRepository'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ecs/ecsClusterActiveService.js b/plugins/aws/ecs/ecsClusterActiveService.js
index 04757f8fa7..3f41f72f7b 100644
--- a/plugins/aws/ecs/ecsClusterActiveService.js
+++ b/plugins/aws/ecs/ecsClusterActiveService.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Modify Cluster and create new service.',
 link: 'https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html',
 apis: ['ECS:listClusters', 'ECS:describeCluster'],
- realtime_triggers: ['ecs:CreateCluster', 'ecs:CreateService', 'ecs:UpdateService', 'ecs:DeleteService'],
+ realtime_triggers: ['ecs:CreateCluster', 'ecs:CreateService', 'ecs:UpdateService', 'ecs:DeleteService', 'ecs:DeleteCluster'],
 run: function(cache, settings, callback){
 var results = [];
diff --git a/plugins/aws/ecs/ecsClusterWithActiveTask.js b/plugins/aws/ecs/ecsClusterWithActiveTask.js
index 0c4fb04fc3..9543178e59 100644
--- a/plugins/aws/ecs/ecsClusterWithActiveTask.js
+++ b/plugins/aws/ecs/ecsClusterWithActiveTask.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Modify Cluster services and add tasks',
 link: 'https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html',
 apis: ['ECS:listClusters', 'ECS:describeCluster'],
- realtime_triggers: ['ecs:CreateCluster', 'ecs:RunTask', 'ecs:StopTask'],
+ realtime_triggers: ['ecs:CreateCluster', 'ecs:RunTask', 'ecs:StopTask', 'ecs:DeleteCluster'],
 run: function(cache, settings, callback){
 var results = [];
diff --git a/plugins/aws/ecs/ecsClustersHaveTags.js b/plugins/aws/ecs/ecsClustersHaveTags.js
index 67e4a38c1b..2650669206 100644
--- a/plugins/aws/ecs/ecsClustersHaveTags.js
+++ b/plugins/aws/ecs/ecsClustersHaveTags.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-using-tags.html',
 recommended_action: 'Modify ECS Cluster and add tags.',
 apis: ['ECS:listClusters', 'ResourceGroupsTaggingAPI:getResources'],
- realtime_triggers: ['ecs:CreateCluster', 'ecs:TagResource', 'ecs:UntagResource'],
+ realtime_triggers: ['ecs:CreateCluster', 'ecs:TagResource', 'ecs:UntagResource', 'ecs:DeleteCluster'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/ecs/ecsContainerInsightsEnabled.js b/plugins/aws/ecs/ecsContainerInsightsEnabled.js
index 7df5a3ef41..28a849a602 100644
--- a/plugins/aws/ecs/ecsContainerInsightsEnabled.js
+++ b/plugins/aws/ecs/ecsContainerInsightsEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Enabled container insights feature for ECS clusters.',
 link: 'https://docs.aws.amazon.com/AmazonECS/latest/developerguide/cloudwatch-container-insights.html',
 apis: ['ECS:listClusters', 'ECS:describeCluster'],
- realtime_triggers: ['ecs:CreateCluster', 'ecs:UpdateClusterSettings'],
+ realtime_triggers: ['ecs:CreateCluster', 'ecs:UpdateClusterSettings', 'ecs:DeleteCluster'],
 run: function(cache, settings, callback){
 var results = [];
From 11e7dba41f484ff4b1eb87a5fc2fec4d3d35a68d Mon Sep 17 00:00:00 2001
From: Fatima <66124862+fatima99s@users.noreply.github.com>
Date: Thu, 21 Sep 2023 22:35:57 +0500
Subject: [PATCH 032/498] Update ssmManagedInstances.js
---
 plugins/aws/ssm/ssmManagedInstances.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/aws/ssm/ssmManagedInstances.js b/plugins/aws/ssm/ssmManagedInstances.js
index da3c775464..1c0fa1a3b5 100644
--- a/plugins/aws/ssm/ssmManagedInstances.js
+++ b/plugins/aws/ssm/ssmManagedInstances.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Configure AWS EC2 instance as SSM Managed Instances',
 link: 'https://docs.aws.amazon.com/systems-manager/latest/userguide/managed_instances.html',
 apis: ['EC2:describeInstances', 'SSM:describeInstanceInformation', 'STS:getCallerIdentity'],
- realtime_triggers: ['ssm:CreateAssociation', 'ec2:RunInstance', 'ec2:AssociateIamInstanceProfile', 'ec2:TerminateInsatance', 'ssm:DeleteAssociation'],
+ realtime_triggers: ['ssm:CreateAssociation', 'ec2:RunInstances', 'ec2:AssociateIamInstanceProfile', 'ec2:TerminateInsatance', 'ssm:DeleteAssociation'],
 run: function(cache, settings, callback) {
From ade63f33604f50ebd9fe5324c339f3eab1c2baf1 Mon Sep 17 00:00:00 2001
From: Fatima <66124862+fatima99s@users.noreply.github.com>
Date: Thu, 21 Sep 2023 22:36:30 +0500
Subject: [PATCH 033/498] Update ssmActiveOnAllInstances.js
---
 plugins/aws/ssm/ssmActiveOnAllInstances.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/aws/ssm/ssmActiveOnAllInstances.js b/plugins/aws/ssm/ssmActiveOnAllInstances.js
index 44247dbb35..c5aaaa3bcd 100644
--- a/plugins/aws/ssm/ssmActiveOnAllInstances.js
+++ b/plugins/aws/ssm/ssmActiveOnAllInstances.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 20 } },
- realtime_triggers: ['ec2:RunInstance', 'ssm:CreateAssociation', 'ssm:UpdateAssociation', 'ec2:TerminateInstance', 'ssm:DeleteAssociation'],
+ realtime_triggers: ['ec2:RunInstances', 'ssm:CreateAssociation', 'ssm:UpdateAssociation', 'ec2:TerminateInstance', 'ssm:DeleteAssociation'],
 run: function(cache, settings, callback) {
 var results = [];
From 07a019c5bd9062d0186472a9e11ba3db00eec8a3 Mon Sep 17 00:00:00 2001
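Review bot: The new realtime_triggers line in ssmManagedInstances.js still carries `'ec2:TerminateInsatance'`, so the RunInstance → RunInstances correction leaves a second entry that can never match an event; the EC2 action is TerminateInstances, so it should read `'ec2:TerminateInstances'`. The ssmActiveOnAllInstances.js hunk below has the same problem in singular form, `'ec2:TerminateInstance'`, and should use the same plural name the commit itself adopts for RunInstances. A trigger that matches nothing fails silently — the check simply never re-runs on instance termination — so a test that validates every realtime_triggers entry against a list of known event names would have caught both. The enclosing module.exports object starts and ends outside both hunks.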
From: --global
Date: Fri, 22 Sep 2023 15:19:42 +0500
Subject: [PATCH 034/498] added delete tiggers
---
 plugins/aws/efs/efsCmkEncrypted.js | 2 +-
 plugins/aws/efs/efsEncryptionEnabled.js | 2 +-
 plugins/aws/efs/efsHasTags.js | 2 +-
 plugins/aws/eks/eksClusterHasTags.js | 2 +-
 plugins/aws/eks/eksKubernetesVersion.js | 2 +-
 plugins/aws/eks/eksLatestPlatformVersion.js | 2 +-
 plugins/aws/eks/eksLoggingEnabled.js | 2 +-
 plugins/aws/eks/eksPrivateEndpoint.js | 2 +-
 plugins/aws/eks/eksSecretsEncrypted.js | 2 +-
 plugins/aws/eks/eksSecurityGroups.js | 2 +-
 plugins/aws/elasticache/elasticCacheClusterHasTags.js | 2 +-
 plugins/aws/elasticache/elasticacheClusterInVpc.js | 2 +-
 plugins/aws/elasticache/elasticacheDefaultPorts.js | 2 +-
 plugins/aws/elasticache/elasticacheInstanceGeneration.js | 2 +-
 plugins/aws/elasticache/elasticacheNodesCount.js | 2 +-
 plugins/aws/elasticache/elasticacheRedisMultiAZ.js | 2 +-
 plugins/aws/elasticache/elasticaheDesiredNodeType.js | 2 +-
 plugins/aws/elasticache/idleElastiCacheNode.js | 2 +-
 plugins/aws/elasticache/redisClusterEncryptionAtRest.js | 2 +-
 plugins/aws/elasticache/redisClusterEncryptionInTransit.js | 2 +-
 plugins/aws/elasticache/redisEngineVersions.js | 2 +-
 plugins/aws/elasticache/reservedNodeLeaseExpiration.js | 2 +-
 plugins/aws/elasticache/reservedNodePaymentFailed.js | 2 +-
 plugins/aws/elasticache/reservedNodePaymentPending.js | 2 +-
 plugins/aws/elasticache/unusedElastiCacheReservedNode.js | 2 +-
 plugins/aws/elasticbeanstalk/enhancedHealthReporting.js | 2 +-
 plugins/aws/elasticbeanstalk/environmentAccessLogs.js | 2 +-
 plugins/aws/elasticbeanstalk/environmentPersistentLogs.js | 2 +-
 plugins/aws/elasticbeanstalk/managedPlatformUpdates.js | 2 +-
 plugins/aws/elastictranscoder/jobOutputsEncrypted.js | 2 +-
 plugins/aws/elastictranscoder/pipelineDataEncrypted.js | 2 +-
 plugins/aws/elb/appTierElbSecurity.js | 2 +-
 plugins/aws/elb/classicELBInUse.js | 2 +-
 plugins/aws/elb/connectionDrainingEnabled.js | 2 +-
 plugins/aws/elb/crosszoneLoadBalancing.js | 2 +-
 plugins/aws/elb/elbHasTags.js | 2 +-
 plugins/aws/elb/elbHttpsOnly.js | 2 +-
 plugins/aws/elb/elbLoggingEnabled.js | 2 +-
 plugins/aws/elb/elbUnhealthyInstances.js | 2 +-
 plugins/aws/elb/insecureCiphers.js | 2 +-
 plugins/aws/elbv2/elbv2DeletionProtection.js | 2 +-
 plugins/aws/elbv2/elbv2DeprecatedSslPolicies.js | 2 +-
 plugins/aws/elbv2/elbv2DeregistrationDelay.js | 2 +-
 plugins/aws/elbv2/elbv2HasTags.js | 2 +-
 plugins/aws/elbv2/elbv2HttpsOnly.js | 2 +-
 plugins/aws/elbv2/elbv2InsecureCiphers.js | 2 +-
 plugins/aws/elbv2/elbv2LoggingEnabled.js | 2 +-
 plugins/aws/elbv2/elbv2MinimumTargetInstances.js | 2 +-
 plugins/aws/elbv2/elbv2NlbListenerSecurity.js | 2 +-
 plugins/aws/elbv2/elbv2SslTermination.js | 2 +-
 plugins/aws/elbv2/elbv2TLSVersionCipherEnabled.js | 2 +-
 plugins/aws/elbv2/elbv2UnhealthyInstance.js | 2 +-
 plugins/aws/elbv2/elbv2WafEnabled.js | 2 +-
 plugins/aws/elbv2/elbv2crosszoneLoadBalancing.js | 2 +-
 plugins/aws/emr/emrClusterHasTags.js | 2 +-
 plugins/aws/emr/emrClusterInVPC.js | 2 +-
 plugins/aws/emr/emrClusterLogging.js | 2 +-
 plugins/aws/emr/emrDesiredInstanceType.js | 2 +-
 plugins/aws/emr/emrEncryptionAtRest.js | 2 +-
 plugins/aws/emr/emrEncryptionInTransit.js | 2 +-
 plugins/aws/emr/emrInstanceCount.js | 2 +-
 plugins/aws/eventbridge/eventBusCrossAccountAccess.js | 2 +-
 plugins/aws/eventbridge/eventBusPublicAccess.js | 2 +-
 plugins/aws/eventbridge/eventsInUse.js | 2 +-
 64 files changed, 64 insertions(+), 64 deletions(-)
diff --git a/plugins/aws/efs/efsCmkEncrypted.js b/plugins/aws/efs/efsCmkEncrypted.js
index 75b25124fc..68af99d395 100644
--- a/plugins/aws/efs/efsCmkEncrypted.js
+++ b/plugins/aws/efs/efsCmkEncrypted.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 20 } },
- realtime_triggers: ['efs:CreateFileSystem'],
+ realtime_triggers: ['efs:CreateFileSystem', 'efs:DeleteFileSystem'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/efs/efsEncryptionEnabled.js b/plugins/aws/efs/efsEncryptionEnabled.js
index 871d6bc866..c5e1bb8c34 100644
--- a/plugins/aws/efs/efsEncryptionEnabled.js
+++ b/plugins/aws/efs/efsEncryptionEnabled.js
@@ -18,7 +18,7 @@ module.exports = {
 'encryption should be enabled for all volumes storing this type ' + 'of data.' },
- realtime_triggers: ['efs:CreateFileSystem'],
+ realtime_triggers: ['efs:CreateFileSystem','efs:DeleteFileSystem'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/efs/efsHasTags.js b/plugins/aws/efs/efsHasTags.js
index f8b644f8dd..f0d9aa5144 100644
--- a/plugins/aws/efs/efsHasTags.js
+++ b/plugins/aws/efs/efsHasTags.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/efs/latest/ug/manage-fs-tags.html',
 recommended_action: 'Modify EFS file systems to add tags.',
 apis: ['EFS:describeFileSystems'],
- realtime_triggers: ['efs:CreateFileSystem', 'efs:TagResource', 'efs:UnTagResource'],
+ realtime_triggers: ['efs:CreateFileSystem', 'efs:TagResource', 'efs:UnTagResource','efs:DeleteFileSystem'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/eks/eksClusterHasTags.js b/plugins/aws/eks/eksClusterHasTags.js
index c23e8d31c3..56cd9b2131 100644
--- a/plugins/aws/eks/eksClusterHasTags.js
+++ b/plugins/aws/eks/eksClusterHasTags.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/eks/latest/userguide/eks-using-tags.html',
 recommended_action: 'Modify EKS Cluster and add tags.',
 apis: ['EKS:listClusters', 'ResourceGroupsTaggingAPI:getResources', 'STS:getCallerIdentity'],
- realtime_triggers: ['eks:CreateCluster', 'eks:TagResource', 'eks:UntagResource'],
+ realtime_triggers: ['eks:CreateCluster', 'eks:TagResource', 'eks:UntagResource', 'eks:DeleteCluster'],
 run: function(cache, settings, callback) {
 var results = [];
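Review bot: The new efsHasTags.js trigger line carries over `'efs:UnTagResource'`; the EFS action is UntagResource, and the sibling `'ecr:UntagResource'` and `'eks:UntagResource'` entries in this series already use that spelling, so with the current name a tag-removal event — the one a tag-compliance check most needs — would not re-trigger the plugin. Suggested line: `realtime_triggers: ['efs:CreateFileSystem', 'efs:TagResource', 'efs:UntagResource', 'efs:DeleteFileSystem'],`. As a point of style, this line and the efsEncryptionEnabled.js line above omit the space after the comma (`'efs:CreateFileSystem','efs:DeleteFileSystem'`) while every other list in the patch uses `', '`. The enclosing module.exports object starts and ends outside the hunk.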
diff --git a/plugins/aws/eks/eksKubernetesVersion.js b/plugins/aws/eks/eksKubernetesVersion.js
index 0ecc62d7e6..36146fe593 100644
--- a/plugins/aws/eks/eksKubernetesVersion.js
+++ b/plugins/aws/eks/eksKubernetesVersion.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html',
 recommended_action: 'Upgrade the version of Kubernetes on all EKS clusters to the latest available version.',
 apis: ['EKS:listClusters', 'EKS:describeCluster', 'STS:getCallerIdentity'],
- realtime_triggers: ['eks:CreateCluster', 'eks:UpdateClusterVersion'],
+ realtime_triggers: ['eks:CreateCluster', 'eks:UpdateClusterVersion', 'eks:DeleteCluster'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/eks/eksLatestPlatformVersion.js b/plugins/aws/eks/eksLatestPlatformVersion.js
index 6f2fb38c1e..3e60e1cdfa 100644
--- a/plugins/aws/eks/eksLatestPlatformVersion.js
+++ b/plugins/aws/eks/eksLatestPlatformVersion.js
@@ -11,7 +11,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html',
 recommended_action: 'Check for the version on all EKS clusters to be the latest platform version.',
 apis: ['EKS:listClusters', 'EKS:describeCluster', 'STS:getCallerIdentity'],
- realtime_triggers: ['eks:CreateCluster', 'eks:UpdateClusterVersion'],
+ realtime_triggers: ['eks:CreateCluster', 'eks:UpdateClusterVersion', 'eks:DeleteCluster'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/eks/eksLoggingEnabled.js b/plugins/aws/eks/eksLoggingEnabled.js
index b03c6905d0..04d297c82c 100644
--- a/plugins/aws/eks/eksLoggingEnabled.js
+++ b/plugins/aws/eks/eksLoggingEnabled.js
@@ -15,7 +15,7 @@ module.exports = {
 apis_remediate: ['EKS:listClusters', 'EKS:describeCluster'],
 actions: {remediate: ['EKS:updateClusterConfig'], rollback: ['EKS:updateClusterConfig']},
 permissions: {remediate: ['eks:UpdateClusterConfig'], rollback: ['eks:UpdateClusterConfig']},
- realtime_triggers: ['eks:CreateCluster', 'eks:updateClusterConfig'],
+ realtime_triggers: ['eks:CreateCluster', 'eks:updateClusterConfig', 'eks:DeleteCluster'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/eks/eksPrivateEndpoint.js b/plugins/aws/eks/eksPrivateEndpoint.js
index 1fcde4fccb..30f6e3d26e 100644
--- a/plugins/aws/eks/eksPrivateEndpoint.js
+++ b/plugins/aws/eks/eksPrivateEndpoint.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html',
 recommended_action: 'Enable the private endpoint setting for all EKS clusters.',
 apis: ['EKS:listClusters', 'EKS:describeCluster', 'STS:getCallerIdentity'],
- realtime_triggers: ['eks:CreateCluster', 'eks:updateClusterConfig'],
+ realtime_triggers: ['eks:CreateCluster', 'eks:updateClusterConfig', 'eks:DeleteCluster'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/eks/eksSecretsEncrypted.js b/plugins/aws/eks/eksSecretsEncrypted.js
index 798d88afc8..c6be86a066 100644
--- a/plugins/aws/eks/eksSecretsEncrypted.js
+++ b/plugins/aws/eks/eksSecretsEncrypted.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/',
 recommended_action: 'Modify EKS clusters to enable envelope encryption for Kubernetes secrets',
 apis: ['EKS:listClusters', 'EKS:describeCluster', 'STS:getCallerIdentity'],
- realtime_triggers: ['eks:CreateCluster'],
+ realtime_triggers: ['eks:CreateCluster', 'eks:DeleteCluster'],
 run: function(cache, settings, callback) {
 var results = [];
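Review bot: The new trigger line in eksLoggingEnabled.js keeps `'eks:updateClusterConfig'` with a lower-case u, while the permissions entry two lines above in the same hunk spells the same action `eks:UpdateClusterConfig`; if trigger matching is case-sensitive the config-update event never reaches this check, and either way the two spellings should agree: `realtime_triggers: ['eks:CreateCluster', 'eks:UpdateClusterConfig', 'eks:DeleteCluster'],`. The eksPrivateEndpoint.js hunk below carries the same lower-case entry and should change with it. The enclosing module.exports object starts and ends outside the hunk.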
diff --git a/plugins/aws/eks/eksSecurityGroups.js b/plugins/aws/eks/eksSecurityGroups.js
index d8b4cbf7d7..60fd803a3f 100644
--- a/plugins/aws/eks/eksSecurityGroups.js
+++ b/plugins/aws/eks/eksSecurityGroups.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html',
 recommended_action: 'Configure security groups for the EKS control plane to allow access only on port 443.',
 apis: ['EKS:listClusters', 'EKS:describeCluster', 'EC2:describeSecurityGroups', 'STS:getCallerIdentity'],
- realtime_triggers: ['eks:CreateCluster', 'ec2:RevokeSecurityGroupIngress', 'ec2:AuthorizeSecurityGroupIngress'],
+ realtime_triggers: ['eks:CreateCluster', 'ec2:RevokeSecurityGroupIngress', 'ec2:AuthorizeSecurityGroupIngress', 'eks:DeleteCluster'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elasticache/elasticCacheClusterHasTags.js b/plugins/aws/elasticache/elasticCacheClusterHasTags.js
index 79172a0020..2ea9679735 100644
--- a/plugins/aws/elasticache/elasticCacheClusterHasTags.js
+++ b/plugins/aws/elasticache/elasticCacheClusterHasTags.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Tagging-Resources.html',
 recommended_action: 'Modify ElastiCache cluster and add tags.',
 apis: ['ElastiCache:describeCacheClusters', 'ResourceGroupsTaggingAPI:getResources'],
- realtime_triggers: ['elasticache:CreateCluster', 'elasticache:AddTagsToResource', 'elasticache:RemoveTagsToResource'],
+ realtime_triggers: ['elasticache:CreateCacheCluster', 'elasticache:DeleteCacheCluster', 'elasticache:AddTagsToResource', 'elasticache:RemoveTagsToResource'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elasticache/elasticacheClusterInVpc.js b/plugins/aws/elasticache/elasticacheClusterInVpc.js
index 79ca46fa5c..b41249dc32 100644
--- a/plugins/aws/elasticache/elasticacheClusterInVpc.js
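Review bot: The new trigger line in elasticCacheClusterHasTags.js corrects CreateCluster to CreateCacheCluster but carries over `'elasticache:RemoveTagsToResource'`; the ElastiCache action is RemoveTagsFromResource, so tag removal — the event that turns a compliant cluster into a non-compliant one — never re-triggers this check. Suggested line: `realtime_triggers: ['elasticache:CreateCacheCluster', 'elasticache:DeleteCacheCluster', 'elasticache:AddTagsToResource', 'elasticache:RemoveTagsFromResource'],`. The enclosing module.exports object starts and ends outside the hunk.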
+++ b/plugins/aws/elasticache/elasticacheClusterInVpc.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/VPCs.EC.html',
 recommended_action: 'Create ElastiCache clusters within VPC network',
 apis: ['ElastiCache:describeCacheClusters'],
- realtime_triggers: ['elasticache:CreateCluster'],
+ realtime_triggers: ['elasticache:CreateCacheCluster', 'elasticache:DeleteCacheCluster'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elasticache/elasticacheDefaultPorts.js b/plugins/aws/elasticache/elasticacheDefaultPorts.js
index 2a57100542..b9882bde77 100644
--- a/plugins/aws/elasticache/elasticacheDefaultPorts.js
+++ b/plugins/aws/elasticache/elasticacheDefaultPorts.js
@@ -9,7 +9,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/accessing-elasticache.html',
 recommended_action: 'Configure ElastiCache clusters to use the non-default ports.',
 apis: ['ElastiCache:describeCacheClusters'],
- realtime_triggers: ['elasticache:CreateCluster'],
+ realtime_triggers: ['elasticache:CreateCacheCluster', 'elasticache:DeleteCacheCluster'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elasticache/elasticacheInstanceGeneration.js b/plugins/aws/elasticache/elasticacheInstanceGeneration.js
index a9a37d3cd5..d1d3295d54 100644
--- a/plugins/aws/elasticache/elasticacheInstanceGeneration.js
+++ b/plugins/aws/elasticache/elasticacheInstanceGeneration.js
@@ -11,7 +11,7 @@ module.exports = {
 link: 'https://aws.amazon.com/elasticache/previous-generation/',
 recommended_action: 'Upgrade ElastiCache instance generaion to the latest available generation.',
 apis: ['ElastiCache:describeCacheClusters'],
- realtime_triggers: ['elasticache:CreateCluster', 'elasticache:ModifyCacheCluster'],
+ realtime_triggers: ['elasticache:CreateCacheCluster', 'elasticache:DeleteCacheCluster', 'elasticache:ModifyCacheCluster'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elasticache/elasticacheNodesCount.js b/plugins/aws/elasticache/elasticacheNodesCount.js
index 4f1607b9a6..7dc55b46bd 100644
--- a/plugins/aws/elasticache/elasticacheNodesCount.js
+++ b/plugins/aws/elasticache/elasticacheNodesCount.js
@@ -24,7 +24,7 @@ module.exports = {
 default: '200' }, },
- realtime_triggers: ['elasticache:CreateCluster'],
+ realtime_triggers: ['elasticache:CreateCacheCluster', 'elasticache:DeleteCacheCluster'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elasticache/elasticacheRedisMultiAZ.js b/plugins/aws/elasticache/elasticacheRedisMultiAZ.js
index df0e0963a8..189595150f 100644
--- a/plugins/aws/elasticache/elasticacheRedisMultiAZ.js
+++ b/plugins/aws/elasticache/elasticacheRedisMultiAZ.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/AutoFailover.html#AutoFailover.Enable',
 recommended_action: 'Enable Redis Multi-AZ for ElastiCache clusters',
 apis: ['ElastiCache:describeCacheClusters', 'ElastiCache:describeReplicationGroups'],
- realtime_triggers: ['elasticache:CreateCluster', 'elasticache:ModifyReplicationGroup'],
+ realtime_triggers: ['elasticache:CreateCacheCluster', 'elasticache:DeleteCacheCluster', 'elasticache:ModifyReplicationGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elasticache/elasticaheDesiredNodeType.js b/plugins/aws/elasticache/elasticaheDesiredNodeType.js
index e4c71c9336..9804ac9103 100644
--- a/plugins/aws/elasticache/elasticaheDesiredNodeType.js
+++ b/plugins/aws/elasticache/elasticaheDesiredNodeType.js
@@ -18,7 +18,7 @@ module.exports = {
 default:'cache.t2.micro' } },
- realtime_triggers: ['elasticache:CreateCluster','elasticache:ModifyReplicationGroup'],
+ realtime_triggers: ['elasticache:CreateCacheCluster', 'elasticache:DeleteCacheCluster', 'elasticache:ModifyReplicationGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elasticache/idleElastiCacheNode.js b/plugins/aws/elasticache/idleElastiCacheNode.js
index a966da8a75..79891f3c65 100644
--- a/plugins/aws/elasticache/idleElastiCacheNode.js
+++ b/plugins/aws/elasticache/idleElastiCacheNode.js
@@ -18,7 +18,7 @@ module.exports = {
 default: '' } },
- realtime_triggers: ['elasticache:CreateCluster', 'elasticache:DeleteCacheCluster'],
+ realtime_triggers: ['elasticache:CreateCacheCluster', 'elasticache:DeleteCacheCluster'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elasticache/redisClusterEncryptionAtRest.js b/plugins/aws/elasticache/redisClusterEncryptionAtRest.js
index d328ac38b5..2312bd7e6b 100644
--- a/plugins/aws/elasticache/redisClusterEncryptionAtRest.js
+++ b/plugins/aws/elasticache/redisClusterEncryptionAtRest.js
@@ -19,7 +19,7 @@ module.exports = {
 default: 'awscmk', } },
- realtime_triggers: ['elasticache:CreateCluster', 'elasticache:CreateReplicationGroup'],
+ realtime_triggers: ['elasticache:CreateCacheCluster', 'elasticache:DeleteCacheCluster', 'elasticache:CreateReplicationGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elasticache/redisClusterEncryptionInTransit.js b/plugins/aws/elasticache/redisClusterEncryptionInTransit.js
index 2872698974..82fb390d1e 100644
--- a/plugins/aws/elasticache/redisClusterEncryptionInTransit.js
+++ b/plugins/aws/elasticache/redisClusterEncryptionInTransit.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html',
 recommended_action: 'Enable in-transit encryption for ElastiCache clusters',
 apis: ['ElastiCache:describeCacheClusters'],
- realtime_triggers: ['elasticache:CreateCluster', 'elasticache:CreateReplicationGroup','elasticache:ModifyReplicationGroup'],
+ realtime_triggers: ['elasticache:CreateCacheCluster', 'elasticache:DeleteCacheCluster', 'elasticache:CreateReplicationGroup','elasticache:ModifyReplicationGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elasticache/redisEngineVersions.js b/plugins/aws/elasticache/redisEngineVersions.js
index 03707b8e3f..7dfb00f080 100644
--- a/plugins/aws/elasticache/redisEngineVersions.js
+++ b/plugins/aws/elasticache/redisEngineVersions.js
@@ -11,7 +11,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/supported-engine-versions.html',
 recommended_action: 'Upgrade the version of Redis on all ElastiCache clusters to the latest available version.',
 apis: ['ElastiCache:describeCacheClusters'],
- realtime_triggers: ['elasticache:CreateCluster', 'elasticache:ModifyCacheCluster'],
+ realtime_triggers: ['elasticache:CreateCacheCluster', 'elasticache:DeleteCacheCluster', 'elasticache:ModifyCacheCluster'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elasticache/reservedNodeLeaseExpiration.js b/plugins/aws/elasticache/reservedNodeLeaseExpiration.js
index 88b1b8e4cc..32e1be08e7 100644
--- a/plugins/aws/elasticache/reservedNodeLeaseExpiration.js
+++ b/plugins/aws/elasticache/reservedNodeLeaseExpiration.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://aws.amazon.com/elasticache/reserved-cache-nodes/',
 recommended_action: 'Enable ElastiCache reserved cache nodes expiration days alert',
 apis: ['ElastiCache:describeReservedCacheNodes'],
- realtime_triggers: ['elasticache:CreateCluster', 'elasticache:PurchaseReservedCacheNodesOffering'],
+ realtime_triggers: ['elasticache:CreateCacheCluster', 'elasticache:DeleteCacheCluster', 'elasticache:PurchaseReservedCacheNodesOffering'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elasticache/reservedNodePaymentFailed.js b/plugins/aws/elasticache/reservedNodePaymentFailed.js
index 4c689ec6f6..a23b149a51 100644
--- a/plugins/aws/elasticache/reservedNodePaymentFailed.js
+++ b/plugins/aws/elasticache/reservedNodePaymentFailed.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://aws.amazon.com/elasticache/reserved-cache-nodes/',
 recommended_action: 'Identify any failed payments for ElastiCache reserved cache nodes',
 apis: ['ElastiCache:describeReservedCacheNodes'],
- realtime_triggers: ['elasticache:CreateCluster', 'elasticache: PurchaseReservedCacheNodesOffering'],
+ realtime_triggers: ['elasticache:CreateCacheCluster', 'elasticache:DeleteCacheCluster', 'elasticache:PurchaseReservedCacheNodesOffering'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elasticache/reservedNodePaymentPending.js b/plugins/aws/elasticache/reservedNodePaymentPending.js
index cc730ad785..c541528122 100644
--- a/plugins/aws/elasticache/reservedNodePaymentPending.js
+++ b/plugins/aws/elasticache/reservedNodePaymentPending.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://aws.amazon.com/elasticache/reserved-cache-nodes/',
 recommended_action: 'Identify any pending payments for ElastiCache reserved cache nodes',
 apis: ['ElastiCache:describeReservedCacheNodes'],
- realtime_triggers: ['elasticache:CreateCluster','elasticache: PurchaseReservedCacheNodesOffering'],
+ realtime_triggers: ['elasticache:CreateCacheCluster', 'elasticache:DeleteCacheCluster','elasticache:PurchaseReservedCacheNodesOffering'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elasticache/unusedElastiCacheReservedNode.js b/plugins/aws/elasticache/unusedElastiCacheReservedNode.js
index bff3a37417..00e7d6a9ef 100644
--- a/plugins/aws/elasticache/unusedElastiCacheReservedNode.js
+++ b/plugins/aws/elasticache/unusedElastiCacheReservedNode.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://aws.amazon.com/elasticache/reserved-cache-nodes/',
 recommended_action: 'Enable prevention of unused reserved nodes for ElastiCache clusters',
 apis: ['ElastiCache:describeCacheClusters', 'ElastiCache:describeReservedCacheNodes'],
- realtime_triggers: ['elasticache:CreateCluster','elasticache: PurchaseReservedCacheNodesOffering'],
+ realtime_triggers: ['elasticache:CreateCacheCluster', 'elasticache:DeleteCacheCluster','elasticache:PurchaseReservedCacheNodesOffering'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elasticbeanstalk/enhancedHealthReporting.js b/plugins/aws/elasticbeanstalk/enhancedHealthReporting.js
index d24bfd35b9..a20a72308e 100644
--- a/plugins/aws/elasticbeanstalk/enhancedHealthReporting.js
+++ b/plugins/aws/elasticbeanstalk/enhancedHealthReporting.js
@@ -12,7 +12,7 @@ module.exports = {
 recommended_action: 'Modify Elastic Beanstalk environmentsand enable enhanced health reporting.',
 link: 'https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/health-enhanced.html',
 apis: ['ElasticBeanstalk:describeEnvironments'],
- realtime_triggers: ['elasticbeanstalk:CreateEnvironment', 'elasticbeanstalk:UpdateEnvironment'],
+ realtime_triggers: ['elasticbeanstalk:CreateEnvironment', 'elasticbeanstalk:UpdateEnvironment', 'elasticbeanstalk:TerminateEnvironment'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elasticbeanstalk/environmentAccessLogs.js b/plugins/aws/elasticbeanstalk/environmentAccessLogs.js
index 55b3ea9a0c..aafd6c25e2 100644
--- a/plugins/aws/elasticbeanstalk/environmentAccessLogs.js
+++ b/plugins/aws/elasticbeanstalk/environmentAccessLogs.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Go to specific environment, select Configuration, edit Load Balancer category, and enable Store logs',
 link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html',
 apis: ['ElasticBeanstalk:describeEnvironments', 'ElasticBeanstalk:describeConfigurationSettings'],
- realtime_triggers: ['elasticbeanstalk:CreateEnvironment', 'elasticbeanstalk:UpdateEnvironment'],
+ realtime_triggers: ['elasticbeanstalk:CreateEnvironment', 'elasticbeanstalk:UpdateEnvironment', 'elasticbeanstalk:TerminateEnvironment'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elasticbeanstalk/environmentPersistentLogs.js b/plugins/aws/elasticbeanstalk/environmentPersistentLogs.js
index 3f6fc7f4c4..0492dfe0ba 100644
--- a/plugins/aws/elasticbeanstalk/environmentPersistentLogs.js
+++ b/plugins/aws/elasticbeanstalk/environmentPersistentLogs.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Go to specific environment, select Configuration, edit Software category, and enable Log streaming',
 link: 'https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.cloudwatchlogs.html',
 apis: ['ElasticBeanstalk:describeEnvironments', 'ElasticBeanstalk:describeConfigurationSettings'],
- realtime_triggers: ['elasticbeanstalk:CreateEnvironment', 'elasticbeanstalk:UpdateEnvironment'],
+ realtime_triggers: ['elasticbeanstalk:CreateEnvironment', 'elasticbeanstalk:UpdateEnvironment', 'elasticbeanstalk:TerminateEnvironment'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elasticbeanstalk/managedPlatformUpdates.js b/plugins/aws/elasticbeanstalk/managedPlatformUpdates.js
index 3d7456c36c..9142e54b8f 100644
--- a/plugins/aws/elasticbeanstalk/managedPlatformUpdates.js
+++ b/plugins/aws/elasticbeanstalk/managedPlatformUpdates.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environment-platform-update-managed.html',
 recommended_action: 'Update the environment to enable managed updates.',
 apis: ['ElasticBeanstalk:describeEnvironments', 'ElasticBeanstalk:describeConfigurationSettings'],
- realtime_triggers: ['elasticbeanstalk:CreateEnvironment', 'elasticbeanstalk:UpdateEnvironment'],
+ realtime_triggers: ['elasticbeanstalk:CreateEnvironment', 'elasticbeanstalk:UpdateEnvironment', 'elasticbeanstalk:TerminateEnvironment'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elastictranscoder/jobOutputsEncrypted.js b/plugins/aws/elastictranscoder/jobOutputsEncrypted.js
index f3a1d63a70..cd079a6435 100644
--- a/plugins/aws/elastictranscoder/jobOutputsEncrypted.js
+++ b/plugins/aws/elastictranscoder/jobOutputsEncrypted.js
@@ -11,7 +11,7 @@ module.exports = {
 recommended_action: 'Enable encryption for Elastic Transcoder job outputs',
 link: 'https://docs.aws.amazon.com/elastictranscoder/latest/developerguide/encryption.html',
 apis: ['ElasticTranscoder:listPipelines', 'ElasticTranscoder:listJobsByPipeline'],
- realtime_triggers: ['elastictranscoder:CreatePipeline', 'elastictranscoder:UpdatePipeline'],
+ realtime_triggers: ['elastictranscoder:CreatePipeline', 'elastictranscoder:UpdatePipeline', 'elastictranscoder:DeletePipeline'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elastictranscoder/pipelineDataEncrypted.js b/plugins/aws/elastictranscoder/pipelineDataEncrypted.js
index bcc6b6dbd5..1b71a20eaf 100644
--- a/plugins/aws/elastictranscoder/pipelineDataEncrypted.js
+++ b/plugins/aws/elastictranscoder/pipelineDataEncrypted.js
@@ -19,7 +19,7 @@ module.exports = {
 default: 'awscmk', } },
- realtime_triggers: ['elastictranscoder:CreatePipeline', 'elastictranscoder:UpdatePipeline'],
+ realtime_triggers: ['elastictranscoder:CreatePipeline', 'elastictranscoder:UpdatePipeline', 'elastictranscoder:DeletePipeline'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elb/appTierElbSecurity.js b/plugins/aws/elb/appTierElbSecurity.js
index 86fe318c25..9e68b028bb 100644
--- a/plugins/aws/elb/appTierElbSecurity.js
+++ b/plugins/aws/elb/appTierElbSecurity.js
@@ -24,7 +24,7 @@ module.exports = {
 default: 'ELBSecurityPolicy-2016-08,ELBSecurityPolicy-TLS-1-2-2017-01,ELBSecurityPolicy-TLS-1-1-2017-01' } },
- realtime_triggers: ['elb:CreateLoadBalancerListeners','elb:CreateLoadBalancer'],
+ realtime_triggers: ['elb:CreateLoadBalancerListeners','elb:CreateLoadBalancer', 'elb:DeleteLoadBalancer', 'elb:DeleteLoadBalancerListeners'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elb/classicELBInUse.js b/plugins/aws/elb/classicELBInUse.js
index b571dd3af2..ae2157c464 100644
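Review bot: The new trigger list in jobOutputsEncrypted.js covers only pipeline create/update/delete, yet the `apis` line in the same hunk shows the check evaluates jobs through ElasticTranscoder:listJobsByPipeline; if realtime_triggers is meant to name every event that changes the evaluated data, job creation (`'elastictranscoder:CreateJob'`) is the event that introduces an unencrypted output and is absent. This is inferred from the apis entry — the run body that actually inspects the job records lies outside the hunk, as does the rest of the enclosing module.exports object.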
--- a/plugins/aws/elb/classicELBInUse.js
+++ b/plugins/aws/elb/classicELBInUse.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://aws.amazon.com/elasticloadbalancing/features/',
 recommended_action: 'Detach Classic Load balancer from HTTP/HTTPS applications and attach Application Load Balancer to those applications',
 apis: ['ELB:describeLoadBalancers', 'STS:getCallerIdentity'],
- realtime_triggers: ['elb:CreateLoadBalancer'],
+ realtime_triggers: ['elb:CreateLoadBalancer', 'elb:DeleteLoadBalancer'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elb/connectionDrainingEnabled.js b/plugins/aws/elb/connectionDrainingEnabled.js
index 64b08c3d4e..7abd3ba7bb 100644
--- a/plugins/aws/elb/connectionDrainingEnabled.js
+++ b/plugins/aws/elb/connectionDrainingEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-conn-drain.html',
 recommended_action: 'Update ELBs to enable connection draining',
 apis: ['ELB:describeLoadBalancers', 'ELB:describeLoadBalancerAttributes', 'STS:getCallerIdentity'],
- realtime_triggers: ['elb:CreateLoadBalancer', 'elb:ModifyLoadBalancerAttributes'],
+ realtime_triggers: ['elb:CreateLoadBalancer', 'elb:ModifyLoadBalancerAttributes', 'elb:DeleteLoadBalancer'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/elb/crosszoneLoadBalancing.js b/plugins/aws/elb/crosszoneLoadBalancing.js
index e6aa556590..14f702899c 100644
--- a/plugins/aws/elb/crosszoneLoadBalancing.js
+++ b/plugins/aws/elb/crosszoneLoadBalancing.js
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html', recommended_action: 'Update AWS ELB to enable cross zone load balancing', apis: ['ELB:describeLoadBalancers', 'ELB:describeLoadBalancerAttributes', 'STS:getCallerIdentity'], - realtime_triggers: ['elb:CreateLoadBalancer', 'elb:ModifyLoadBalancerAttributes', 'elb:AttachLoadBalancerToSubnets'], + realtime_triggers: ['elb:CreateLoadBalancer', 'elb:ModifyLoadBalancerAttributes', 'elb:AttachLoadBalancerToSubnets', 'elb:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elb/elbHasTags.js b/plugins/aws/elb/elbHasTags.js index ff67c94381..552ea9e9bb 100644 --- a/plugins/aws/elb/elbHasTags.js +++ b/plugins/aws/elb/elbHasTags.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_AddTags.html', recommended_action: 'Modify ELB and add tags.', apis: ['ELB:describeLoadBalancers', 'ResourceGroupsTaggingAPI:getResources', 'STS:getCallerIdentity'], - realtime_triggers: ['elb:CreateLoadBalancer', 'elb:AddTags', 'elb:RemoveTags'], + realtime_triggers: ['elb:CreateLoadBalancer', 'elb:AddTags', 'elb:RemoveTags', 'elb:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elb/elbHttpsOnly.js b/plugins/aws/elb/elbHttpsOnly.js index c9d88cad41..4a5634ebd3 100644 --- a/plugins/aws/elb/elbHttpsOnly.js +++ b/plugins/aws/elb/elbHttpsOnly.js 
@@ -20,7 +20,7 @@ module.exports = { apis_remediate: ['ELB:describeLoadBalancers'], actions: {remediate: ['ELB:deleteLoadBalancerListeners'], rollback: ['ELB:createLoadBalancerListeners']}, permissions: {remediate: ['elasticloadbalancing:DeleteLoadBalancerListeners'], rollback: ['elasticloadbalancing:CreateLoadBalancerListeners']}, - realtime_triggers: ['elb:CreateLoadBalancerListeners','elb:CreateLoadBalancer'], + realtime_triggers: ['elb:CreateLoadBalancerListeners','elb:CreateLoadBalancer', 'elb:DeleteLoadBalancer', 'elb:DeleteLoadBalancerListeners'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elb/elbLoggingEnabled.js b/plugins/aws/elb/elbLoggingEnabled.js index ff60e3dc20..6c7d6cdbbd 100644 --- a/plugins/aws/elb/elbLoggingEnabled.js +++ b/plugins/aws/elb/elbLoggingEnabled.js @@ -22,7 +22,7 @@ module.exports = { pci: 'PCI requires logging of all network access to environments containing ' + 'cardholder data. Enable ELB logs to log these network requests.' }, - realtime_triggers: ['elb:CreateLoadBalancer', 'elb:ModifyLoadBalancerAttributes'], + realtime_triggers: ['elb:CreateLoadBalancer', 'elb:ModifyLoadBalancerAttributes', 'elb:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elb/elbUnhealthyInstances.js b/plugins/aws/elb/elbUnhealthyInstances.js index 4f73ea9534..c4e1e5aa5f 100644 --- a/plugins/aws/elb/elbUnhealthyInstances.js +++ b/plugins/aws/elb/elbUnhealthyInstances.js 
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-healthchecks.html#check-instance-health', recommended_action: 'Investigate and resolve the health issues of the instances attached to the ELB.', apis: ['ELB:describeLoadBalancers', 'ELB:describeInstanceHealth', 'STS:getCallerIdentity'], - realtime_triggers: ['elb:CreateLoadBalancer', 'elb:RegisterInstancesWithLoadBalancer', 'elb:DeregisterInstancesWithLoadBalancer'], + realtime_triggers: ['elb:CreateLoadBalancer', 'elb:RegisterInstancesWithLoadBalancer', 'elb:DeregisterInstancesWithLoadBalancer', 'elb:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elb/insecureCiphers.js b/plugins/aws/elb/insecureCiphers.js index 3502d1bdf3..ad1601330a 100644 --- a/plugins/aws/elb/insecureCiphers.js +++ b/plugins/aws/elb/insecureCiphers.js @@ -92,7 +92,7 @@ module.exports = { pci: 'PCI requires secure transfer of cardholder data. It does not permit SSL or TLS ' + 'version 1.0. ELB listeners should be configured for TLS v1.2.' }, - realtime_triggers: ['elb:CreateLoadBalancer','elb:CreateLoadBalancerPolicy', 'elb:DeleteLoadBalancerPolicy'], + realtime_triggers: ['elb:CreateLoadBalancer','elb:CreateLoadBalancerPolicy', 'elb:DeleteLoadBalancerPolicy', 'elb:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2DeletionProtection.js b/plugins/aws/elbv2/elbv2DeletionProtection.js index e136a31e04..323c77cf7d 100644 --- a/plugins/aws/elbv2/elbv2DeletionProtection.js +++ b/plugins/aws/elbv2/elbv2DeletionProtection.js 
@@ -11,7 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#deletion-protection', recommended_action: 'Update ELBv2 load balancers to use deletion protection to prevent accidental deletion', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeLoadBalancerAttributes'], - realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:ModifyLoadBalancerAttributes'], + realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:ModifyLoadBalancerAttributes', 'elbv2:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2DeprecatedSslPolicies.js b/plugins/aws/elbv2/elbv2DeprecatedSslPolicies.js index 1248beaa43..5cda45035f 100644 --- a/plugins/aws/elbv2/elbv2DeprecatedSslPolicies.js +++ b/plugins/aws/elbv2/elbv2DeprecatedSslPolicies.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html', recommended_action: 'Modify ELBv2 listeners with the latest predefined AWS security policies.', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeListeners'], - realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:CreateListener', 'elbv2:ModifyListener'], + realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:CreateListener', 'elbv2:ModifyListener', 'elbv2:DeleteLoadBalancer', 'elbv2:DeleteListener'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2DeregistrationDelay.js b/plugins/aws/elbv2/elbv2DeregistrationDelay.js index 1e0854282c..d078502050 100644 --- a/plugins/aws/elbv2/elbv2DeregistrationDelay.js +++ b/plugins/aws/elbv2/elbv2DeregistrationDelay.js 
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#deregistration-delay', recommended_action: 'Update ELBv2 target group attributes and set the deregistration delay value', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeTargetGroups', 'ELBv2:describeTargetGroupAttributes'], - realtime_triggers: ['elbv2:CreateTargetGroup', 'elbv2:ModifyTargetGroupAttributes'], + realtime_triggers: ['elbv2:CreateTargetGroup', 'elbv2:ModifyTargetGroupAttributes', 'elbv2:DeleteTargetGroup'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2HasTags.js b/plugins/aws/elbv2/elbv2HasTags.js index dadcdc8265..440dab1c44 100644 --- a/plugins/aws/elbv2/elbv2HasTags.js +++ b/plugins/aws/elbv2/elbv2HasTags.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_AddTags.html', recommended_action: 'Modify ELBv2 and add tags.', apis: ['ELBv2:describeLoadBalancers', 'ResourceGroupsTaggingAPI:getResources'], - realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:AddTags', 'elbv2:RemoveTags'], + realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:AddTags', 'elbv2:RemoveTags', 'elbv2:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2HttpsOnly.js b/plugins/aws/elbv2/elbv2HttpsOnly.js index 8192897b43..0436d1c785 100644 --- a/plugins/aws/elbv2/elbv2HttpsOnly.js +++ b/plugins/aws/elbv2/elbv2HttpsOnly.js 
@@ -20,7 +20,7 @@ module.exports = { apis_remediate: ['ELBv2:describeLoadBalancers','ELBv2:describeListeners'], actions: {remediate: ['ELBv2:deleteListener'], rollback: ['ELBv2:createListener']}, permissions: {remediate: ['elasticloadbalancing:DeleteListener'], rollback: ['elasticloadbalancing:CreateListener']}, - realtime_triggers: ['elbv2:CreateListener','elbv2:CreateLoadBalancer'], + realtime_triggers: ['elbv2:CreateListener','elbv2:CreateLoadBalancer', 'elbv2:DeleteLoadBalancer', 'elbv2:DeleteListener'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2InsecureCiphers.js b/plugins/aws/elbv2/elbv2InsecureCiphers.js index 7727b87ccf..4d450073b0 100644 --- a/plugins/aws/elbv2/elbv2InsecureCiphers.js +++ b/plugins/aws/elbv2/elbv2InsecureCiphers.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.htmll', recommended_action: 'Modify ELBv2 listeners with the predefined AWS security policies containing secure ciphers.', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeListeners'], - realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:CreateListener', 'elbv2:ModifyListener'], + realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:CreateListener', 'elbv2:ModifyListener', 'elbv2:DeleteLoadBalancer', 'elbv2:DeleteListener'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2LoggingEnabled.js b/plugins/aws/elbv2/elbv2LoggingEnabled.js index 6d91577ad1..cbceee5bdf 100644 --- a/plugins/aws/elbv2/elbv2LoggingEnabled.js +++ b/plugins/aws/elbv2/elbv2LoggingEnabled.js 
@@ -22,7 +22,7 @@ module.exports = { pci: 'PCI requires logging of all network access to environments containing ' + 'cardholder data. Enable ELB logs to log these network requests.' }, - realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:ModifyLoadBalancerAttributes'], + realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:ModifyLoadBalancerAttributes', 'elbv2:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2MinimumTargetInstances.js b/plugins/aws/elbv2/elbv2MinimumTargetInstances.js index 90d5472560..dd2f498a75 100644 --- a/plugins/aws/elbv2/elbv2MinimumTargetInstances.js +++ b/plugins/aws/elbv2/elbv2MinimumTargetInstances.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html', recommended_action: 'Associate at least two healthy target instances to AWS ELBv2 load balancer', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeTargetGroups', 'ELBv2:describeTargetHealth'], - realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:ModifyTargetGroup','elbv2:RegisterTarget', 'elbv2:DeregisterTargets'], + realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:ModifyTargetGroup','elbv2:RegisterTarget', 'elbv2:DeregisterTargets', 'elbv2:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2NlbListenerSecurity.js b/plugins/aws/elbv2/elbv2NlbListenerSecurity.js index 17c93e97ca..afda4af422 100644 --- a/plugins/aws/elbv2/elbv2NlbListenerSecurity.js +++ b/plugins/aws/elbv2/elbv2NlbListenerSecurity.js 
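Review bot: The new trigger list in elbv2MinimumTargetInstances keeps `'elbv2:RegisterTarget'`, but the ELBv2 action is RegisterTargets (plural, matching the `'elbv2:DeregisterTargets'` next to it), so if these names are matched literally against the CloudTrail event name this entry never fires and a target registration will not re-evaluate the finding. The same pattern appears in other hunks of this commit that rewrite the trigger line but keep a name that does not exist in the ELBv2/WAF APIs: `'elbv2:CreateListeners'` in elbv2SslTermination (should be `'elbv2:CreateListener'`, as elbv2NlbListenerSecurity already uses), `'elbv2:ModifyTargetGroups'` in elbv2UnhealthyInstance (`'elbv2:ModifyTargetGroup'`, as this file uses), and `'wafv2:UpdateWebAacl'` in elbv2WafEnabled (`'wafv2:UpdateWebAcl'`). Since each of those lines is being rewritten anyway, fixing the spelling here costs nothing and avoids a state where only the newly added delete triggers actually work. The enclosing module.exports object starts and ends outside the hunk.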
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.amazonaws.cn/en_us/elasticloadbalancing/latest/network/create-tls-listener.html', recommended_action: 'Attach TLS listener to AWS Network Load Balancer', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeListeners'], - realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:CreateListener', 'elbv2:ModifyListener','elbv2:DeleteListener'], + realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:CreateListener', 'elbv2:ModifyListener','elbv2:DeleteListener', 'elbv2:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2SslTermination.js b/plugins/aws/elbv2/elbv2SslTermination.js index 954ee9d8a4..5c92a98064 100644 --- a/plugins/aws/elbv2/elbv2SslTermination.js +++ b/plugins/aws/elbv2/elbv2SslTermination.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://aws.amazon.com/blogs/aws/elastic-load-balancer-support-for-ssl-termination/', recommended_action: 'Attach SSL certificate with the listener to AWS Elastic Load Balancer', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeListeners'], - realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:CreateListeners','elbv2:ModifyListener'], + realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:CreateListeners','elbv2:ModifyListener', 'elbv2:DeleteLoadBalancer', 'elbv2:DeleteListener'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2TLSVersionCipherEnabled.js b/plugins/aws/elbv2/elbv2TLSVersionCipherEnabled.js index 697344ab98..1f4662e39c 100644 --- a/plugins/aws/elbv2/elbv2TLSVersionCipherEnabled.js +++ b/plugins/aws/elbv2/elbv2TLSVersionCipherEnabled.js 
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html', recommended_action: 'Update ELBv2 load balancer traffic configuration to enable TLS version and cipher headers', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeLoadBalancerAttributes'], - realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:ModifyLoadBalancerAttributes'], + realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:ModifyLoadBalancerAttributes', 'elbv2:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2UnhealthyInstance.js b/plugins/aws/elbv2/elbv2UnhealthyInstance.js index a2c7bbd551..5723ea1ffc 100644 --- a/plugins/aws/elbv2/elbv2UnhealthyInstance.js +++ b/plugins/aws/elbv2/elbv2UnhealthyInstance.js @@ -11,7 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/target-group-health-checks.html', recommended_action: 'Investigate and resolve the health issues with the instances attached to the ELB.', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeTargetGroups', 'ELBv2:describeTargetHealth'], - realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:ModifyTargetGroups', 'elbv2:RegisterTarget', 'elbv2:DeregisterTargets'], + realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:ModifyTargetGroups', 'elbv2:RegisterTarget', 'elbv2:DeregisterTargets', 'elbv2:DeleteLoadBalancer', 'elbv2:DeleteTargetGroup'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2WafEnabled.js b/plugins/aws/elbv2/elbv2WafEnabled.js index 4a14b7252f..d2614e700b 100644 --- a/plugins/aws/elbv2/elbv2WafEnabled.js +++ b/plugins/aws/elbv2/elbv2WafEnabled.js 
@@ -10,7 +10,7 @@ module.exports = { link: 'https://aws.amazon.com/blogs/aws/aws-web-application-firewall-waf-for-application-load-balancers/', recommended_action: '1. Enter the WAF service. 2. Enter Web ACLs and filter by the region the Application Load Balancer is in. 3. If no Web ACL is found, Create a new Web ACL in the region the ALB resides and in Resource type to associate with web ACL, select the Load Balancer. ', apis: ['ELBv2:describeLoadBalancers', 'WAFV2:listWebACLs', 'WAFRegional:listWebACLs', 'WAFV2:listResourcesForWebACL', 'WAFRegional:listResourcesForWebACL'], - realtime_triggers: ['elbv2:CreateLoadBalancer', 'wafv2:CreateWebAcl', 'wafv2:UpdateWebAacl', 'wafregional:CreateWebAcl', 'wafregional:UpdateWebAcl'], + realtime_triggers: ['elbv2:CreateLoadBalancer', 'wafv2:CreateWebAcl', 'wafv2:UpdateWebAacl', 'wafregional:CreateWebAcl', 'wafregional:UpdateWebAcl', 'wafv2:DeleteWebAcl', 'wafregional:DeleteWebAcl'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2crosszoneLoadBalancing.js b/plugins/aws/elbv2/elbv2crosszoneLoadBalancing.js index 701e457e76..e37fb85189 100644 --- a/plugins/aws/elbv2/elbv2crosszoneLoadBalancing.js +++ b/plugins/aws/elbv2/elbv2crosszoneLoadBalancing.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html', recommended_action: 'Update AWS ELBv2 load balancers to enable cross zone load balancing.', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeLoadBalancerAttributes'], - realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:ModifyLoadBalancerAttributes'], + realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:ModifyLoadBalancerAttributes', 'elbv2:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/emr/emrClusterHasTags.js b/plugins/aws/emr/emrClusterHasTags.js index 2ea372c999..7bc1bbbccd 100644 
--- a/plugins/aws/emr/emrClusterHasTags.js +++ b/plugins/aws/emr/emrClusterHasTags.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-tags-add-new.html', recommended_action: 'Modify EMR cluster and add tags.', apis: ['EMR:listClusters', 'EMR:describeCluster'], - realtime_triggers: ['emr:CreateCluster', 'emr:AddTags', 'emr:RemoveTags'], + realtime_triggers: ['emr:CreateCluster', 'emr:AddTags', 'emr:RemoveTags', 'emr:TerminateClusters'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/emr/emrClusterInVPC.js b/plugins/aws/emr/emrClusterInVPC.js index 1d246792f5..f42a8bb787 100644 --- a/plugins/aws/emr/emrClusterInVPC.js +++ b/plugins/aws/emr/emrClusterInVPC.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-vpc-launching-job-flows.htmll', recommended_action: 'EMR clusters Available in VPC', apis: ['EC2:describeAccountAttributes','EMR:listClusters', 'EMR:describeCluster'], - realtime_triggers: ['emr:CreateCluster','emr:TerminateJobFlows'], + realtime_triggers: ['emr:CreateCluster','emr:TerminateJobFlows', 'emr:TerminateClusters'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/emr/emrClusterLogging.js b/plugins/aws/emr/emrClusterLogging.js index e3d252d1e4..0095fb8ab8 100644 --- a/plugins/aws/emr/emrClusterLogging.js +++ b/plugins/aws/emr/emrClusterLogging.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-debugging.html', recommended_action: 'Modify EMR clusters to enable cluster logging', apis: ['EMR:listClusters', 'EMR:describeCluster'], - realtime_triggers: ['emr:CreateCluster','emr:TerminateJobFlows'], + realtime_triggers: ['emr:CreateCluster','emr:TerminateJobFlows', 'emr:TerminateClusters'], run: function(cache, settings, callback) { var results = []; 
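Review bot: The added `'emr:TerminateClusters'` does not correspond to an EMR API action as far as I know — cluster termination is recorded in CloudTrail as TerminateJobFlows, which the emrClusterInVPC and emrClusterLogging hunks on this same line already list — so for emrClusterHasTags, emrDesiredInstanceType, emrEncryptionAtRest, emrEncryptionInTransit and emrInstanceCount the new trigger would never fire and findings for terminated clusters would linger until the next full scan. If the realtime layer maps these names literally to event names, the entry should be `'emr:TerminateJobFlows'` in each of those lists (the two files that already have it would then carry it twice and the duplicate can be dropped). The emrEncryptionInTransit hunk also rewrites a line that keeps the pre-existing `'emr: DeleteSecurityConfiguration'` with a stray space after the colon; this commit is the natural place to make it `'emr:DeleteSecurityConfiguration'`, as emrEncryptionAtRest spells it. The enclosing module.exports object starts and ends outside every hunk here.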
diff --git a/plugins/aws/emr/emrDesiredInstanceType.js b/plugins/aws/emr/emrDesiredInstanceType.js index d5e51fc040..f22f4da6dc 100644 --- a/plugins/aws/emr/emrDesiredInstanceType.js +++ b/plugins/aws/emr/emrDesiredInstanceType.js @@ -24,7 +24,7 @@ module.exports = { default: '' } }, - realtime_triggers: ['emr:CreateCluster'], + realtime_triggers: ['emr:CreateCluster', 'emr:TerminateClusters'], run: function(cache, settings, callback) { const results = []; diff --git a/plugins/aws/emr/emrEncryptionAtRest.js b/plugins/aws/emr/emrEncryptionAtRest.js index 943fb7b722..681f41535d 100644 --- a/plugins/aws/emr/emrEncryptionAtRest.js +++ b/plugins/aws/emr/emrEncryptionAtRest.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-data-encryption-options.html', recommended_action: 'Update security configuration associated with EMR cluster to enable encryption at rest for local disks.', apis: ['EMR:listClusters', 'EMR:describeCluster', 'EMR:describeSecurityConfiguration'], - realtime_triggers: ['emr:CreateCluster', 'emr:CreateSecurityConfiguration','emr:DeleteSecurityConfiguration'], + realtime_triggers: ['emr:CreateCluster', 'emr:CreateSecurityConfiguration','emr:DeleteSecurityConfiguration', 'emr:TerminateClusters'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/emr/emrEncryptionInTransit.js b/plugins/aws/emr/emrEncryptionInTransit.js index bf43ee900c..5a8934aa98 100644 --- a/plugins/aws/emr/emrEncryptionInTransit.js +++ b/plugins/aws/emr/emrEncryptionInTransit.js 
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-data-encryption-options.html', recommended_action: 'Update security configuration associated with EMR cluster to enable encryption in transit.', apis: ['EMR:listClusters', 'EMR:describeCluster', 'EMR:describeSecurityConfiguration'], - realtime_triggers: ['emr:CreateCluster', 'emr:CreateSecurityConfiguration','emr: DeleteSecurityConfiguration'], + realtime_triggers: ['emr:CreateCluster', 'emr:CreateSecurityConfiguration','emr: DeleteSecurityConfiguration', 'emr:TerminateClusters'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/emr/emrInstanceCount.js b/plugins/aws/emr/emrInstanceCount.js index 417dbc8171..1788a48e8c 100644 --- a/plugins/aws/emr/emrInstanceCount.js +++ b/plugins/aws/emr/emrInstanceCount.js @@ -25,7 +25,7 @@ module.exports = { default: 100 } }, - realtime_triggers: ['emr:CreateCluster'], + realtime_triggers: ['emr:CreateCluster', 'emr:TerminateClusters'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/eventbridge/eventBusCrossAccountAccess.js b/plugins/aws/eventbridge/eventBusCrossAccountAccess.js index 6f7ce03cbf..1b6ae11fab 100644 --- a/plugins/aws/eventbridge/eventBusCrossAccountAccess.js +++ b/plugins/aws/eventbridge/eventBusCrossAccountAccess.js @@ -37,7 +37,7 @@ module.exports = { default: 'aws:PrincipalArn,aws:PrincipalAccount,aws:PrincipalOrgID,aws:SourceAccount,aws:SourceArn,aws:SourceOwner' }, }, - realtime_triggers: ['eventbridge:CreateEventBus','eventbridge:PutPermission'], + realtime_triggers: ['eventbridge:CreateEventBus','eventbridge:PutPermission', 'eventbridge:DeleteEventBus'], run: function(cache, settings, callback) { var config= { diff --git a/plugins/aws/eventbridge/eventBusPublicAccess.js b/plugins/aws/eventbridge/eventBusPublicAccess.js index 5b5a4f5f6f..70df29cfb7 100644 --- a/plugins/aws/eventbridge/eventBusPublicAccess.js 
+++ b/plugins/aws/eventbridge/eventBusPublicAccess.js @@ -19,7 +19,7 @@ module.exports = { default: 'aws:PrincipalArn,aws:PrincipalAccount,aws:PrincipalOrgID,aws:SourceOwner,aws:SourceArn,aws:SourceAccount' } }, - realtime_triggers: ['eventbridge:CreateEventBus', 'eventbridge:PutRule', 'eventbridge:PutTarget','eventbridge:PutPermission'], + realtime_triggers: ['eventbridge:CreateEventBus', 'eventbridge:PutRule', 'eventbridge:PutTarget','eventbridge:PutPermission', 'eventbridge:DeleteEventBus', 'eventbridge:DeleteRule'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/eventbridge/eventsInUse.js b/plugins/aws/eventbridge/eventsInUse.js index 9ceb27d54a..2ee7c5ae15 100644 --- a/plugins/aws/eventbridge/eventsInUse.js +++ b/plugins/aws/eventbridge/eventsInUse.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rules.html', recommended_action: 'Create EventBridge event rules to meet regulatory and compliance requirement within your organization.', apis: ['EventBridge:listRules'], - realtime_triggers: ['eventbridge:PutRules', 'eventbridge:EnableRule'], + realtime_triggers: ['eventbridge:PutRules', 'eventbridge:EnableRule', 'eventbridge:DeleteRule'], run: function(cache, settings, callback) { var results = []; From 3916eaf8faff6031eb9e9b79820a24cdfdfee939 Mon Sep 17 00:00:00 2001 
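Review bot: The eventsInUse trigger list keeps `'eventbridge:PutRules'` next to the newly added `'eventbridge:DeleteRule'`; the EventBridge action is PutRule (singular), so with a literal match only the delete side of a rule's lifecycle re-triggers the check, and — given the plugin's recommended action about creating rules — a newly created rule would presumably leave a stale finding until the next scheduled scan. The eventBusPublicAccess hunk on this line has the same shape with `'eventbridge:PutTarget'`, where the API action is PutTargets. Suggested lines: `realtime_triggers: ['eventbridge:PutRule', 'eventbridge:EnableRule', 'eventbridge:DeleteRule'],` for eventsInUse, and `'eventbridge:PutRule', 'eventbridge:PutTargets'` in place of the two misspelt entries in eventBusPublicAccess. Both enclosing objects start and end outside their hunks.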
From: muzzamilinovaqo Date: Fri, 29 Sep 2023 15:44:38 +0500 Subject: [PATCH 035/498] added delete triggers --- plugins/aws/accessanalyzer/accessAnalyzerActiveFindings.js | 2 +- plugins/aws/accessanalyzer/accessAnalyzerEnabled.js | 2 +- plugins/aws/acm/acmCertificateExpiry.js | 2 +- plugins/aws/acm/acmCertificateHasTags.js | 2 +- plugins/aws/acm/acmSingleDomainNameCertificate.js | 2 +- plugins/aws/acm/acmValidation.js | 2 +- plugins/aws/apigateway/apiStageLevelCacheEncryption.js | 2 +- plugins/aws/apigateway/apigatewayAuthorization.js | 2 +- plugins/aws/apigateway/apigatewayCertificateRotation.js | 2 +- plugins/aws/apigateway/apigatewayClientCertificate.js | 2 +- plugins/aws/apigateway/apigatewayCloudwatchLogs.js | 2 +- plugins/aws/apigateway/apigatewayContentEncoding.js | 2 +- plugins/aws/apigateway/apigatewayDefaultEndpointDisabled.js | 2 +- plugins/aws/apigateway/apigatewayPrivateEndpoints.js | 2 +- plugins/aws/apigateway/apigatewayResponseCaching.js | 2 +- plugins/aws/apigateway/apigatewayTracingEnabled.js | 2 +- plugins/aws/apigateway/apigatewayWafEnabled.js | 2 +- plugins/aws/apigateway/customDomainTlsVersion.js | 2 +- plugins/aws/apigateway/detailedCloudWatchMetrics.js | 2 +- plugins/aws/appflow/flowEncrypted.js | 2 +- plugins/aws/appmesh/appmeshTLSRequired.js | 2 +- plugins/aws/appmesh/appmeshVGAccessLogging.js | 2 +- plugins/aws/appmesh/appmeshVGHealthChecks.js | 2 +- plugins/aws/appmesh/restrictExternalTraffic.js | 2 +- plugins/aws/apprunner/serviceEncrypted.js | 2 +- plugins/aws/athena/workgroupEncrypted.js | 2 +- plugins/aws/athena/workgroupEnforceConfiguration.js | 2 +- plugins/aws/auditmanager/auditmanagerDataEncrypted.js | 2 +- plugins/aws/autoscaling/appTierAsgApprovedAmi.js | 2 +- plugins/aws/autoscaling/appTierAsgCloudwatchLogs.js | 2 +- plugins/aws/autoscaling/appTierIamRole.js | 2 +- plugins/aws/autoscaling/asgActiveNotifications.js | 2 +- plugins/aws/autoscaling/asgCooldownPeriod.js | 2 +- plugins/aws/autoscaling/asgMissingELB.js | 2 +- 
plugins/aws/autoscaling/asgMissingSecurityGroups.js | 2 +- plugins/aws/autoscaling/asgMultiAz.js | 2 +- plugins/aws/autoscaling/asgSuspendedProcesses.js | 5 +---- plugins/aws/autoscaling/asgUnusedLaunchConfiguration.js | 2 +- plugins/aws/autoscaling/elbHealthCheckActive.js | 2 +- plugins/aws/autoscaling/sameAzElb.js | 2 +- plugins/aws/autoscaling/webTierAsgApprovedAmi.js | 2 +- plugins/aws/autoscaling/webTierAsgAssociatedElb.js | 2 +- plugins/aws/autoscaling/webTierAsgCloudwatchLogs.js | 2 +- plugins/aws/autoscaling/webTierIamRole.js | 2 +- plugins/aws/backup/backupDeletionProtection.js | 2 +- plugins/aws/backup/backupInUseForRDSSnapshots.js | 2 +- plugins/aws/backup/backupNotificationEnabled.js | 2 +- plugins/aws/backup/backupVaultEncrypted.js | 2 +- plugins/aws/backup/backupVaultHasTags.js | 2 +- plugins/aws/backup/backupVaultPolicies.js | 2 +- plugins/aws/backup/compliantLifecycleConfigured.js | 2 +- plugins/aws/cloudformation/cloudformationAdminPriviliges.js | 2 +- plugins/aws/cloudformation/cloudformationInUse.js | 3 +-- plugins/aws/cloudformation/driftDetection.js | 2 +- plugins/aws/cloudformation/plainTextParameters.js | 2 +- plugins/aws/cloudformation/stackFailedStatus.js | 2 +- plugins/aws/cloudformation/stackNotifications.js | 2 +- plugins/aws/cloudformation/stackTerminationProtection.js | 2 +- plugins/aws/cloudfront/cloudfrontCustomOriginHttpsOnly.js | 2 +- plugins/aws/cloudfront/cloudfrontFieldLevelEncryption.js | 2 +- plugins/aws/cloudfront/cloudfrontGeoRestriction.js | 3 ++- plugins/aws/cloudfront/cloudfrontHttpsOnly.js | 2 +- plugins/aws/cloudfront/cloudfrontInUse.js | 2 +- plugins/aws/cloudfront/cloudfrontLoggingEnabled.js | 3 ++- plugins/aws/cloudfront/cloudfrontOriginTlsVersion.js | 2 +- plugins/aws/cloudfront/cloudfrontTlsDeprecatedProtocols.js | 2 +- plugins/aws/cloudfront/cloudfrontTlsInsecureCipher.js | 3 ++- plugins/aws/cloudfront/cloudfrontWafEnabled.js | 3 ++- plugins/aws/cloudfront/compressObjectsAutomatically.js | 3 ++- 
plugins/aws/cloudfront/enableOriginFailOver.js | 3 ++- plugins/aws/cloudfront/insecureProtocols.js | 3 ++- plugins/aws/cloudfront/publicS3Origin.js | 3 ++- plugins/aws/cloudfront/secureOrigin.js | 3 ++- plugins/aws/cloudtrail/cloudtrailBucketAccessLogging.js | 4 ++-- plugins/aws/cloudtrail/cloudtrailBucketDelete.js | 2 +- plugins/aws/cloudtrail/cloudtrailBucketPrivate.js | 2 +- plugins/aws/cloudtrail/cloudtrailDataEvents.js | 2 +- plugins/aws/cloudtrail/cloudtrailDeliveryFailing.js | 2 +- plugins/aws/cloudtrail/cloudtrailEnabled.js | 2 +- plugins/aws/cloudtrail/cloudtrailEncryption.js | 2 +- plugins/aws/cloudtrail/cloudtrailFileValidation.js | 2 +- plugins/aws/cloudtrail/cloudtrailHasTags.js | 2 +- plugins/aws/cloudtrail/cloudtrailManagementEvents.js | 2 +- plugins/aws/cloudtrail/cloudtrailNotificationsEnabled.js | 2 +- plugins/aws/cloudtrail/cloudtrailObjectLock.js | 2 +- plugins/aws/cloudtrail/cloudtrailS3Bucket.js | 2 +- plugins/aws/cloudtrail/cloudtrailToCloudwatch.js | 2 +- plugins/aws/cloudtrail/globalLoggingDuplicated.js | 2 +- plugins/aws/cloudwatch/vpcFlowLogsMetricAlarm.js | 2 +- plugins/aws/cloudwatchlogs/logGroupsEncrypted.js | 2 +- plugins/aws/cloudwatchlogs/logRetentionPeriod.js | 2 +- plugins/aws/cloudwatchlogs/monitoringMetrics.js | 3 ++- plugins/aws/codebuild/codebuildValidSourceProviders.js | 2 +- plugins/aws/codebuild/projectArtifactsEncrypted.js | 2 +- plugins/aws/codepipeline/pipelineArtifactsEncrypted.js | 2 +- plugins/aws/codestar/codestarValidRepoProviders.js | 2 +- plugins/aws/cognito/cognitoHasWafEnabled.js | 2 +- plugins/aws/cognito/cognitoMFAEnabled.js | 2 +- plugins/aws/comprehend/outputResultEncryption.js | 2 +- plugins/aws/comprehend/volumeEncryption.js | 3 ++- plugins/aws/computeoptimizer/asgOptimized.js | 2 +- plugins/aws/computeoptimizer/ebsVolumesOptimized.js | 2 +- plugins/aws/computeoptimizer/ec2InstancesOptimized.js | 2 +- plugins/aws/computeoptimizer/lambdaFunctionsOptimized.js | 2 +- 
plugins/aws/configservice/configComplaintRules.js | 2 +- plugins/aws/configservice/configDeliveryFailing.js | 2 +- plugins/aws/configservice/configServiceEnabled.js | 2 +- plugins/aws/configservice/configServiceMissingBucket.js | 2 +- plugins/aws/configservice/servicesInUse.js | 2 +- plugins/aws/devopsguru/devOpsGuruNotificationEnabled.js | 2 +- plugins/aws/dms/autoMinorVersionUpgrade.js | 2 +- plugins/aws/dms/dmsEncryptionEnabled.js | 2 +- plugins/aws/dms/dmsMultiAZFeatureEnabled.js | 2 +- plugins/aws/dms/dmsPubliclyAccessibleInstances.js | 2 +- plugins/aws/documentDB/docdbClusterBackupRetention.js | 2 +- plugins/aws/documentDB/docdbClusterEncrypted.js | 2 +- plugins/aws/dynamodb/daxClusterEncryption.js | 2 +- plugins/aws/dynamodb/dynamoContinuousBackups.js | 2 +- plugins/aws/dynamodb/dynamoKmsEncryption.js | 2 +- plugins/aws/dynamodb/dynamoTableBackupExists.js | 2 +- plugins/aws/dynamodb/dynamoTableHasTags.js | 2 +- plugins/aws/iam/accessKeysExtra.js | 2 +- plugins/aws/iam/accessKeysLastUsed.js | 2 +- plugins/aws/iam/canaryKeysUsed.js | 2 +- plugins/aws/iam/certificateExpiry.js | 2 +- plugins/aws/iam/crossAccountMfaExtIdAccess.js | 2 +- plugins/aws/iam/emptyGroups.js | 2 +- plugins/aws/iam/groupInlinePolicies.js | 2 +- plugins/aws/iam/iamMasterManagerRoles.js | 2 +- plugins/aws/iam/iamPoliciesPresent.js | 2 +- plugins/aws/iam/iamRoleHasTags.js | 2 +- plugins/aws/iam/iamRolePolicies.js | 2 +- plugins/aws/iam/iamSupportPolicy.js | 2 +- plugins/aws/iam/iamUserAdmins.js | 2 +- plugins/aws/iam/iamUserHasTags.js | 2 +- plugins/aws/iam/iamUserNameRegex.js | 2 +- plugins/aws/iam/iamUserPresent.js | 2 +- plugins/aws/iam/iamUserUnauthorizedToEdit.js | 2 +- plugins/aws/iam/iamUserWithoutPermissions.js | 2 +- plugins/aws/iam/maxPasswordAge.js | 2 +- plugins/aws/iam/minPasswordLength.js | 2 +- plugins/aws/iam/noUserIamPolicies.js | 2 +- plugins/aws/iam/passwordExpiration.js | 2 +- plugins/aws/iam/passwordPolicyExists.js | 2 +- plugins/aws/iam/passwordRequiresLowercase.js | 2 
+- plugins/aws/iam/passwordRequiresNumbers.js | 2 +- plugins/aws/iam/passwordRequiresSymbols.js | 3 ++- plugins/aws/iam/passwordRequiresUppercase.js | 2 +- plugins/aws/iam/passwordReusePrevention.js | 2 +- plugins/aws/iam/policyAllowsToChangePassword.js | 2 +- plugins/aws/iam/rolePolicyUnusedServices.js | 2 +- plugins/aws/iam/rootAccountInUse.js | 1 - plugins/aws/iam/rootHardwareMfa.js | 3 +-- plugins/aws/iam/rootMfaEnabled.js | 2 +- plugins/aws/iam/rootSigningCertificate.js | 2 +- plugins/aws/iam/sshKeysRotated.js | 2 +- plugins/aws/iam/trustedCrossAccountRoles.js | 2 +- plugins/aws/iam/usersMfaEnabled.js | 2 +- plugins/aws/iam/usersPasswordAndKeys.js | 2 +- plugins/aws/imagebuilder/dockerfileTemplateEncrypted.js | 2 +- plugins/aws/imagebuilder/enhancedMetadataEnabled.js | 2 +- plugins/aws/imagebuilder/imageRecipeVolumeEncrypted.js | 2 +- plugins/aws/imagebuilder/imgBuilderComponentsEncrypted.js | 2 +- plugins/aws/imagebuilder/infraConfigNotificationEnabled.js | 2 +- plugins/aws/kendra/kendraIndexEncrypted.js | 2 +- plugins/aws/kinesis/kinesisDataStreamsEncrypted.js | 2 +- plugins/aws/kinesis/kinesisEncrypted.js | 2 +- plugins/aws/kinesisvideo/videostreamDataEncrypted.js | 2 +- plugins/aws/kms/kmsAppTierCmk.js | 2 +- plugins/aws/kms/kmsDefaultKeyUsage.js | 2 +- plugins/aws/kms/kmsDuplicateGrants.js | 2 +- plugins/aws/kms/kmsGrantLeastPrivilege.js | 2 +- plugins/aws/kms/kmsKeyRotation.js | 2 +- plugins/aws/kms/kmsScheduledDeletion.js | 2 +- 174 files changed, 186 insertions(+), 180 deletions(-) diff --git a/plugins/aws/accessanalyzer/accessAnalyzerActiveFindings.js b/plugins/aws/accessanalyzer/accessAnalyzerActiveFindings.js index 1f4708524e..c1d74c1c62 100644 --- a/plugins/aws/accessanalyzer/accessAnalyzerActiveFindings.js +++ b/plugins/aws/accessanalyzer/accessAnalyzerActiveFindings.js 
@@ -11,7 +11,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-work-with-findings.html',
 recommended_action: 'Investigate into active findings in your account and do the needful until you have zero active findings.',
 apis: ['AccessAnalyzer:listAnalyzers', 'AccessAnalyzer:listFindings'],
- realtime_triggers: ['accessanalyzer:CreateAnalyzer','accessanalyzer:CreateArchiveRule','accessanalyzer:StartResourceScan'],
+ realtime_triggers: ['accessanalyzer:CreateAnalyzer','accessanalyzer:DeleteAnalyzer','accessanalyzer:CreateArchiveRule','accessanalyzer:StartResourceScan'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/accessanalyzer/accessAnalyzerEnabled.js b/plugins/aws/accessanalyzer/accessAnalyzerEnabled.js
index f8edc608ae..15e241287c 100644
--- a/plugins/aws/accessanalyzer/accessAnalyzerEnabled.js
+++ b/plugins/aws/accessanalyzer/accessAnalyzerEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html',
 recommended_action: 'Enable Access Analyzer for all regions',
 apis: ['AccessAnalyzer:listAnalyzers'],
- realtime_triggers: ['accessanalyzer:CreateAnalyzer'],
+ realtime_triggers: ['accessanalyzer:CreateAnalyzer','accessanalyzer:DeleteAnalyzer'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/acm/acmCertificateExpiry.js b/plugins/aws/acm/acmCertificateExpiry.js
index 29efa2ef12..9f5c7d6e4d 100644
--- a/plugins/aws/acm/acmCertificateExpiry.js
+++ b/plugins/aws/acm/acmCertificateExpiry.js
@@ -27,7 +27,7 @@ module.exports = {
 default: 30
 }
 },
- realtime_triggers: ['acm:RequestCertificate','acm:ImportCertificate'],
+ realtime_triggers: ['acm:RequestCertificate','acm:ImportCertificate','acm:DeleteCertificate'],
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/acm/acmCertificateHasTags.js b/plugins/aws/acm/acmCertificateHasTags.js
index 397bd057d8..fd2c05a419 100644
--- a/plugins/aws/acm/acmCertificateHasTags.js
+++ b/plugins/aws/acm/acmCertificateHasTags.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/acm/latest/userguide/tags.html',
 recommended_action: 'Modify ACM certificate and add tags.',
 apis: ['ACM:listCertificates', 'ResourceGroupsTaggingAPI:getResources'],
- realtime_triggers: ['acm:RequestCertificate','acm:AddTagsToCertificate', 'acm:RemoveTagsFromCertificate'],
+ realtime_triggers: ['acm:RequestCertificate','acm:ImportCertificate','acm:DeleteCertificate','acm:AddTagsToCertificate', 'acm:RemoveTagsFromCertificate'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/acm/acmSingleDomainNameCertificate.js b/plugins/aws/acm/acmSingleDomainNameCertificate.js
index 6e56ea80c5..1dbd22f480 100644
--- a/plugins/aws/acm/acmSingleDomainNameCertificate.js
+++ b/plugins/aws/acm/acmSingleDomainNameCertificate.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html',
 recommended_action: 'Configure ACM managed certificates to use single name domain instead of wildcards.',
 apis: ['ACM:listCertificates', 'ACM:describeCertificate'],
- realtime_triggers: ['acm:RequestCertificate'],
+ realtime_triggers: ['acm:RequestCertificate','acm:ImportCertificate','acm:DeleteCertificate'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/acm/acmValidation.js b/plugins/aws/acm/acmValidation.js
index ea246e68ca..785464d88a 100644
--- a/plugins/aws/acm/acmValidation.js
+++ b/plugins/aws/acm/acmValidation.js
@@ -11,7 +11,7 @@ module.exports = {
 cs_link: 'https://cloudsploit.com/remediations/aws/acm/acm-certificate-validation',
 recommended_action: 'Configure ACM managed certificates to use DNS validation.',
 apis: ['ACM:listCertificates', 'ACM:describeCertificate'],
- realtime_triggers: ['acm:RequestCertificate'],
+ realtime_triggers: ['acm:RequestCertificate','acm:ImportCertificate','acm:DeleteCertificate'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apiStageLevelCacheEncryption.js b/plugins/aws/apigateway/apiStageLevelCacheEncryption.js
index 2c1e85aeed..0b26cc15e2 100644
--- a/plugins/aws/apigateway/apiStageLevelCacheEncryption.js
+++ b/plugins/aws/apigateway/apiStageLevelCacheEncryption.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Modify API Gateway API stages to enable encryption on cache data',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/data-protection-encryption.html',
 apis: ['APIGateway:getRestApis', 'APIGateway:getStages'],
- realtime_triggers: ['apigateway:CreateStage','apigateway:UpdateStage'],
+ realtime_triggers: ['apigateway:CreateRestApi','apigateway:ImportRestApi','apigateway:DeleteRestApi','apigateway:CreateStage','apigateway:UpdateStage','apigateway:DeleteStage'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/apigateway/apigatewayAuthorization.js b/plugins/aws/apigateway/apigatewayAuthorization.js
index 01aa078557..ca241194de 100644
--- a/plugins/aws/apigateway/apigatewayAuthorization.js
+++ b/plugins/aws/apigateway/apigatewayAuthorization.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Modify API Gateway configuration and ensure that appropriate authorizers are set up for each API.',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html',
 apis: ['APIGateway:getRestApis', 'APIGateway:getAuthorizers'],
- realtime_triggers: ['apigateway:CreateRestApi','apigateway:ImportRestApi','apigateway:CreateAuthorizer'],
+ realtime_triggers: ['apigateway:CreateRestApi','apigateway:DeleteRestApi','apigateway:ImportRestApi','apigateway:CreateAuthorizer','apigateway:DeleteAuthorizer'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayCertificateRotation.js b/plugins/aws/apigateway/apigatewayCertificateRotation.js
index edd4ce6c92..0dd5b39241 100644
--- a/plugins/aws/apigateway/apigatewayCertificateRotation.js
+++ b/plugins/aws/apigateway/apigatewayCertificateRotation.js
@@ -18,7 +18,7 @@ module.exports = {
 default: '30',
 }
 },
- realtime_triggers: ['apigateway:CreateRestApi','apigateway:GenerateClientCertificate'],
+ realtime_triggers: ['apigateway:CreateRestApi','apigateway:DeleteRestApi','apigateway:ImportRestApi','apigateway:CreateStage','apigateway:DeleteStage','apigateway:GenerateClientCertificate','apigateway:DeleteClientCertificate'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayClientCertificate.js b/plugins/aws/apigateway/apigatewayClientCertificate.js
index 9ad86fdc34..2e10868ab1 100644
--- a/plugins/aws/apigateway/apigatewayClientCertificate.js
+++ b/plugins/aws/apigateway/apigatewayClientCertificate.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Attach client certificate to API Gateway API stages',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html',
 apis: ['APIGateway:getRestApis', 'APIGateway:getStages'],
- realtime_triggers: ['apigateway:CreateStage','apigateway:UpdateStage'],
+ realtime_triggers: ['apigateway:CreateRestApi','apigateway:DeleteRestApi','apigateway:ImportRestApi','apigateway:CreateStage','apigateway:DeleteStage','apigateway:UpdateStage'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayCloudwatchLogs.js b/plugins/aws/apigateway/apigatewayCloudwatchLogs.js
index 5d07e7b299..55320eaf4e 100644
--- a/plugins/aws/apigateway/apigatewayCloudwatchLogs.js
+++ b/plugins/aws/apigateway/apigatewayCloudwatchLogs.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Modify API Gateway API stages to enable CloudWatch Logs',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html',
 apis: ['APIGateway:getRestApis', 'APIGateway:getStages'],
- realtime_triggers: ['apigateway:CreateStage','apigateway:UpdateStage'],
+ realtime_triggers: ['apigateway:CreateStage','apigateway:UpdateStage','apigateway:DeleteStage'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayContentEncoding.js b/plugins/aws/apigateway/apigatewayContentEncoding.js
index c054cc4423..1b6d8e7b72 100644
--- a/plugins/aws/apigateway/apigatewayContentEncoding.js
+++ b/plugins/aws/apigateway/apigatewayContentEncoding.js
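Review bot: The new trigger list for plugins/aws/apigateway/apigatewayCloudwatchLogs.js only adds `apigateway:DeleteStage`, while the other stage-level plugins touched in this commit that read the same `APIGateway:getRestApis` and `APIGateway:getStages` data (apiStageLevelCacheEncryption, apigatewayClientCertificate, apigatewayResponseCaching, apigatewayTracingEnabled, detailedCloudWatchMetrics) also gain `apigateway:CreateRestApi`, `apigateway:ImportRestApi` and `apigateway:DeleteRestApi`. If API-level create/import/delete events are needed to re-evaluate stage findings in those plugins, this one is missing them for the same reason; if they are not needed, the others are over-triggering, so the set should be decided once and applied uniformly. Proposed: `realtime_triggers: ['apigateway:CreateRestApi','apigateway:ImportRestApi','apigateway:DeleteRestApi','apigateway:CreateStage','apigateway:UpdateStage','apigateway:DeleteStage'],`. The enclosing module.exports object starts and ends outside the hunk.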
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Enable content encoding and set minimum compression size of API Gateway API response',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-gzip-compression-decompression.html',
 apis: ['APIGateway:getRestApis'],
- realtime_triggers: ['apigateway:CreateRestApi','apigateway:UpdateRestApi'],
+ realtime_triggers: ['apigateway:CreateRestApi','apigateway:ImportRestApi','apigateway:UpdateRestApi','apigateway:DeleteRestApi'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/apigateway/apigatewayDefaultEndpointDisabled.js b/plugins/aws/apigateway/apigatewayDefaultEndpointDisabled.js
index 33ac7aa18d..66a0bf0267 100644
--- a/plugins/aws/apigateway/apigatewayDefaultEndpointDisabled.js
+++ b/plugins/aws/apigateway/apigatewayDefaultEndpointDisabled.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Modify API Gateway to disable default execute-api endpoint.',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html',
 apis: ['APIGateway:getRestApis'],
- realtime_triggers: ['apigateway:CreateRestApi','apigateway:UpdateRestApi'],
+ realtime_triggers: ['apigateway:CreateRestApi','apigateway:ImportRestApi','apigateway:UpdateRestApi','apigateway:DeleteRestApi'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayPrivateEndpoints.js b/plugins/aws/apigateway/apigatewayPrivateEndpoints.js
index 25c3dca34b..da9e5a8ef8 100644
--- a/plugins/aws/apigateway/apigatewayPrivateEndpoints.js
+++ b/plugins/aws/apigateway/apigatewayPrivateEndpoints.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Set API Gateway API endpoint configuration to private',
 link: 'https://aws.amazon.com/blogs/compute/introducing-amazon-api-gateway-private-endpoints',
 apis: ['APIGateway:getRestApis'],
- realtime_triggers: ['apigateway:CreateRestApi','apigateway:UpdateRestApi'],
+ realtime_triggers: ['apigateway:CreateRestApi','apigateway:ImportRestApi','apigateway:UpdateRestApi','apigateway:DeleteRestApi'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayResponseCaching.js b/plugins/aws/apigateway/apigatewayResponseCaching.js
index a2f6fde8e2..e866be5841 100644
--- a/plugins/aws/apigateway/apigatewayResponseCaching.js
+++ b/plugins/aws/apigateway/apigatewayResponseCaching.js
@@ -11,7 +11,7 @@ module.exports = {
 recommended_action: 'Modify API Gateway API stages to enable API cache',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html',
 apis: ['APIGateway:getRestApis', 'APIGateway:getStages'],
- realtime_triggers: ['apigateway:CreateStage','apigateway:UpdateStage'],
+ realtime_triggers: ['apigateway:CreateRestApi','apigateway:ImportRestApi','apigateway:DeleteRestApi','apigateway:CreateStage','apigateway:UpdateStage','apigateway:DeleteStage'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/apigatewayTracingEnabled.js b/plugins/aws/apigateway/apigatewayTracingEnabled.js
index 64ed04cf0c..532496fda5 100644
--- a/plugins/aws/apigateway/apigatewayTracingEnabled.js
+++ b/plugins/aws/apigateway/apigatewayTracingEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Enable tracing on API Gateway API stages',
 link: 'https://docs.aws.amazon.com/xray/latest/devguide/xray-services-apigateway.html',
 apis: ['APIGateway:getRestApis', 'APIGateway:getStages'],
- realtime_triggers: ['apigateway:CreateStage','apigateway:UpdateStage'],
+ realtime_triggers: ['apigateway:CreateRestApi','apigateway:ImportRestApi','apigateway:DeleteRestApi','apigateway:CreateStage','apigateway:UpdateStage','apigateway:DeleteStage'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/apigateway/apigatewayWafEnabled.js b/plugins/aws/apigateway/apigatewayWafEnabled.js
index 8901726250..6f37d9c94b 100644
--- a/plugins/aws/apigateway/apigatewayWafEnabled.js
+++ b/plugins/aws/apigateway/apigatewayWafEnabled.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Associate API Gateway API with Web Application Firewall',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html',
 apis: ['APIGateway:getRestApis', 'APIGateway:getStages'],
- realtime_triggers: ['apigateway:CreateStage','wafregional:AssociateWebACL'],
+ realtime_triggers: ['apigateway:CreateRestApi','apigateway:ImportRestApi','apigateway:DeleteRestApi','apigateway:CreateStage','apigateway:DeleteStage','wafregional:AssociateWebACL'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/apigateway/customDomainTlsVersion.js b/plugins/aws/apigateway/customDomainTlsVersion.js
index e379331885..1a4648ca65 100644
--- a/plugins/aws/apigateway/customDomainTlsVersion.js
+++ b/plugins/aws/apigateway/customDomainTlsVersion.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Modify API Gateway custom domain security policy and specify new TLS version.',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html',
 apis: ['APIGateway:getDomainNames'],
- realtime_triggers: ['apigateway:CreateDomainName','apigateway:UpdateDomainName'],
+ realtime_triggers: ['apigateway:CreateDomainName','apigateway:UpdateDomainName','apigateway:DeleteDomainName'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apigateway/detailedCloudWatchMetrics.js b/plugins/aws/apigateway/detailedCloudWatchMetrics.js
index f84d0a3102..a808e2f061 100644
--- a/plugins/aws/apigateway/detailedCloudWatchMetrics.js
+++ b/plugins/aws/apigateway/detailedCloudWatchMetrics.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Add CloudWatch role ARN to API settings and enabled detailed metrics for each stage',
 link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-metrics.html',
 apis: ['APIGateway:getRestApis', 'APIGateway:getStages'],
- realtime_triggers: ['apigateway:CreateStage','apigateway:UpdateStage'],
+ realtime_triggers: ['apigateway:CreateRestApi','apigateway:ImportRestApi','apigateway:DeleteRestApi','apigateway:CreateStage','apigateway:UpdateStage','apigateway:DeleteStage'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/appflow/flowEncrypted.js b/plugins/aws/appflow/flowEncrypted.js
index 969b4d1fdb..bab7ca8486 100644
--- a/plugins/aws/appflow/flowEncrypted.js
+++ b/plugins/aws/appflow/flowEncrypted.js
@@ -19,7 +19,7 @@ module.exports = {
 default: 'awscmk',
 }
 },
- realtime_triggers: ['appflow:CreateFlow'],
+ realtime_triggers: ['appflow:CreateFlow','appflow:DeleteFlow'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/appmesh/appmeshTLSRequired.js b/plugins/aws/appmesh/appmeshTLSRequired.js
index 5e0c0ee467..39a0adb8f8 100644
--- a/plugins/aws/appmesh/appmeshTLSRequired.js
+++ b/plugins/aws/appmesh/appmeshTLSRequired.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/app-mesh/latest/APIReference/API_ListenerTls.html',
 recommended_action: 'Restrict AWS App Mesh virtual gateway listeners to accept only TLS enabled connections.',
 apis: ['AppMesh:listMeshes', 'AppMesh:listVirtualGateways', 'AppMesh:describeVirtualGateway'],
- realtime_triggers: ['appmesh:CreateVirtualGateway','appmesh:UpdateVirtualGateway'],
+ realtime_triggers: ['appmesh:CreateMesh','appmesh:DeleteMesh','appmesh:CreateVirtualGateway','appmesh:UpdateVirtualGateway','appmesh:DeleteVirtualGateway'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/appmesh/appmeshVGAccessLogging.js b/plugins/aws/appmesh/appmeshVGAccessLogging.js
index f9ac531ec4..36d123aa50 100644
--- a/plugins/aws/appmesh/appmeshVGAccessLogging.js
+++ b/plugins/aws/appmesh/appmeshVGAccessLogging.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/app-mesh/latest/userguide/envoy-logs.html',
 recommended_action: 'To enable access logging, modify virtual gateway configuration settings and configure the file path to write access logs to.',
 apis: ['AppMesh:listMeshes', 'AppMesh:listVirtualGateways', 'AppMesh:describeVirtualGateway'],
- realtime_triggers: ['appmesh:CreateVirtualGateway','appmesh:UpdateVirtualGateway'],
+ realtime_triggers: ['appmesh:CreateMesh','appmesh:DeleteMesh','appmesh:CreateVirtualGateway','appmesh:UpdateVirtualGateway','appmesh:DeleteVirtualGateway'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/appmesh/appmeshVGHealthChecks.js b/plugins/aws/appmesh/appmeshVGHealthChecks.js
index 281a9121bf..92d565f2fd 100644
--- a/plugins/aws/appmesh/appmeshVGHealthChecks.js
+++ b/plugins/aws/appmesh/appmeshVGHealthChecks.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_gateway_health_checks.html',
 recommended_action: 'Configure health check policies for the virtual gateway listeners in your App Mesh, specifying values for healthy threshold, health check interval, health check protocol, timeout period, and unhealthy threshold.',
 apis: ['AppMesh:listMeshes', 'AppMesh:listVirtualGateways', 'AppMesh:describeVirtualGateway'],
- realtime_triggers: ['appmesh:CreateVirtualGateway','appmesh:UpdateVirtualGateway'],
+ realtime_triggers: ['appmesh:CreateMesh','appmesh:DeleteMesh','appmesh:CreateVirtualGateway','appmesh:UpdateVirtualGateway','appmesh:DeleteVirtualGateway'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/appmesh/restrictExternalTraffic.js b/plugins/aws/appmesh/restrictExternalTraffic.js
index e72c3edeac..503e802d30 100644
--- a/plugins/aws/appmesh/restrictExternalTraffic.js
+++ b/plugins/aws/appmesh/restrictExternalTraffic.js
@@ -12,7 +12,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/app-mesh/latest/userguide/security.html',
 recommended_action: 'Deny all traffic to the external services',
 apis: ['AppMesh:listMeshes', 'AppMesh:describeMesh'],
- realtime_triggers: ['appmesh:CreateMesh','appmesh:UpdateMesh'],
+ realtime_triggers: ['appmesh:CreateMesh','appmesh:DeleteMesh','appmesh:UpdateMesh'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/apprunner/serviceEncrypted.js b/plugins/aws/apprunner/serviceEncrypted.js
index fdf37170cc..a5a8876aaf 100644
--- a/plugins/aws/apprunner/serviceEncrypted.js
+++ b/plugins/aws/apprunner/serviceEncrypted.js
@@ -19,7 +19,7 @@ module.exports = {
 default: 'awscmk'
 }
 },
- realtime_triggers: ['apprunner:CreateService'],
+ realtime_triggers: ['apprunner:CreateService','apprunner:DeleteService'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/athena/workgroupEncrypted.js b/plugins/aws/athena/workgroupEncrypted.js
index 702987c043..62aeb9a7e0 100644
--- a/plugins/aws/athena/workgroupEncrypted.js
+++ b/plugins/aws/athena/workgroupEncrypted.js
@@ -21,7 +21,7 @@ module.exports = {
 remediate: ['athena:UpdateWorkGroup'],
 rollback: ['athena:UpdateWorkGroup']
 },
- realtime_triggers: ['athena:CreateWorkGroup', 'athena:UpdateWorkGroup'],
+ realtime_triggers: ['athena:CreateWorkGroup', 'athena:UpdateWorkGroup', 'athena:DeleteWorkGroup'],
 remediation_inputs: {
 encryptionOption: {
 name: '(Mandatory) Encryption method',
diff --git a/plugins/aws/athena/workgroupEnforceConfiguration.js b/plugins/aws/athena/workgroupEnforceConfiguration.js
index 714b2cbd6b..f2c86114ed 100644
--- a/plugins/aws/athena/workgroupEnforceConfiguration.js
+++ b/plugins/aws/athena/workgroupEnforceConfiguration.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/athena/latest/ug/workgroups-settings.html',
 recommended_action: 'Disable the ability for clients to override Athena workgroup configuration options.',
 apis: ['Athena:listWorkGroups', 'Athena:getWorkGroup', 'STS:getCallerIdentity'],
- realtime_triggers: ['athena:CreateWorkGroup', 'athena:UpdateWorkGroup'],
+ realtime_triggers: ['athena:CreateWorkGroup', 'athena:UpdateWorkGroup', 'athena:DeleteWorkGroup'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/auditmanager/auditmanagerDataEncrypted.js b/plugins/aws/auditmanager/auditmanagerDataEncrypted.js
index e579d9caef..fe8963457d 100644
--- a/plugins/aws/auditmanager/auditmanagerDataEncrypted.js
+++ b/plugins/aws/auditmanager/auditmanagerDataEncrypted.js
@@ -19,7 +19,7 @@ module.exports = {
 default: 'awscmk',
 }
 },
- realtime_triggers: ['auditmanager:registerAccount','auditmanager:UpdateSettings'],
+ realtime_triggers: ['auditmanager:registerAccount','auditmanager:UpdateSettings','auditmanager:DeregisterAccount'],
 run: function(cache, settings, callback) {
 var results = [];
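Review bot: In auditmanagerDataEncrypted the retained entry `auditmanager:registerAccount` keeps a lower-case first letter while the trigger added next to it, `auditmanager:DeregisterAccount`, is PascalCase like the CloudTrail event name it presumably has to match; if the trigger matcher compares case-sensitively, the existing entry never fires, and this commit is the natural place to normalise it: `realtime_triggers: ['auditmanager:RegisterAccount','auditmanager:UpdateSettings','auditmanager:DeregisterAccount'],`. The same mixed casing is carried into the new lines of appTierAsgApprovedAmi, appTierAsgCloudwatchLogs, appTierIamRole, webTierAsgApprovedAmi, webTierAsgCloudwatchLogs and webTierIamRole, which write `autoscaling:createLaunchConfiguration`, while asgMissingSecurityGroups and asgUnusedLaunchConfiguration in this same commit write `autoscaling:CreateLaunchConfiguration`. Whichever form the dispatcher expects, one spelling should be used throughout, since a silently non-matching trigger means the finding is never re-evaluated after that event. The enclosing module.exports object starts and ends outside the hunk.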
diff --git a/plugins/aws/autoscaling/appTierAsgApprovedAmi.js b/plugins/aws/autoscaling/appTierAsgApprovedAmi.js
index 3e56b1c029..4d411d7e22 100644
--- a/plugins/aws/autoscaling/appTierAsgApprovedAmi.js
+++ b/plugins/aws/autoscaling/appTierAsgApprovedAmi.js
@@ -24,7 +24,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['autoscaling:createLaunchConfiguration'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:DeleteAutoScalingGroup','autoscaling:UpdateAutoScalingGroup','autoscaling:createLaunchConfiguration','autoscaling:DeleteLaunchConfiguration'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/appTierAsgCloudwatchLogs.js b/plugins/aws/autoscaling/appTierAsgCloudwatchLogs.js
index 5c5e3e2333..96a60de04f 100644
--- a/plugins/aws/autoscaling/appTierAsgCloudwatchLogs.js
+++ b/plugins/aws/autoscaling/appTierAsgCloudwatchLogs.js
@@ -32,7 +32,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:DeleteAutoScalingGroup','autoscaling:UpdateAutoScalingGroup','autoscaling:createLaunchConfiguration','autoscaling:DeleteLaunchConfiguration'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/autoscaling/appTierIamRole.js b/plugins/aws/autoscaling/appTierIamRole.js
index c3ba123a49..002b9036c0 100644
--- a/plugins/aws/autoscaling/appTierIamRole.js
+++ b/plugins/aws/autoscaling/appTierIamRole.js
@@ -18,7 +18,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['autoscaling:createLaunchConfiguration'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:DeleteAutoScalingGroup','autoscaling:UpdateAutoScalingGroup','autoscaling:createLaunchConfiguration','autoscaling:DeleteLaunchConfiguration'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/asgActiveNotifications.js b/plugins/aws/autoscaling/asgActiveNotifications.js
index b9ea40e9ac..57e4324966 100644
--- a/plugins/aws/autoscaling/asgActiveNotifications.js
+++ b/plugins/aws/autoscaling/asgActiveNotifications.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/ASGettingNotifications.html',
 recommended_action: 'Add a notification endpoint to the auto scaling group.',
 apis: ['AutoScaling:describeAutoScalingGroups', 'AutoScaling:describeNotificationConfigurations'],
- realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:PutNotificationConfiguration'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:DeleteAutoScalingGroup','autoscaling:PutNotificationConfiguration'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/autoscaling/asgCooldownPeriod.js b/plugins/aws/autoscaling/asgCooldownPeriod.js
index fa44a1381b..b7508ee373 100644
--- a/plugins/aws/autoscaling/asgCooldownPeriod.js
+++ b/plugins/aws/autoscaling/asgCooldownPeriod.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/Cooldown.html',
 recommended_action: 'Implement proper cool down period for Auto Scaling groups to temporarily suspend any scaling actions.',
 apis: ['AutoScaling:describeAutoScalingGroups'],
- realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup','autoscaling:DeleteAutoScalingGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/asgMissingELB.js b/plugins/aws/autoscaling/asgMissingELB.js
index 12a3eb1b08..dd91470d48 100644
--- a/plugins/aws/autoscaling/asgMissingELB.js
+++ b/plugins/aws/autoscaling/asgMissingELB.js
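Review bot: asgActiveNotifications gains `autoscaling:DeleteAutoScalingGroup` but still has no trigger for a notification configuration being removed, even though the plugin reads `AutoScaling:describeNotificationConfigurations` and its recommended action is to add a notification endpoint; removing that endpoint is precisely the change that flips a group from passing to failing, and `autoscaling:DeleteNotificationConfiguration` is the API call that records it. Without it the finding is only refreshed when a group is created or deleted or a configuration is added, so a deleted notification goes unnoticed until the next full scan. Suggested: `realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:DeleteAutoScalingGroup','autoscaling:PutNotificationConfiguration','autoscaling:DeleteNotificationConfiguration'],`. The enclosing module.exports object starts and ends outside the hunk.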
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/attach-load-balancer-asg.html',
 recommended_action: 'Ensure that the Auto Scaling group load balancer has not been deleted. If so, remove it from the ASG.',
 apis: ['AutoScaling:describeAutoScalingGroups', 'ELB:describeLoadBalancers', 'ELBv2:describeLoadBalancers'],
- realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:AttachLoadBalancers','autoscaling:DetachLoadBalancers'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:DeleteAutoScalingGroup','autoscaling:AttachLoadBalancers','autoscaling:DetachLoadBalancers','elb:CreateLoadBalancer','elbv2:CreateLoadBalancer','elb:DeleteLoadBalancer','elbv2:DeleteLoadBalancer'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/asgMissingSecurityGroups.js b/plugins/aws/autoscaling/asgMissingSecurityGroups.js
index 269caba0eb..a9542d8bac 100644
--- a/plugins/aws/autoscaling/asgMissingSecurityGroups.js
+++ b/plugins/aws/autoscaling/asgMissingSecurityGroups.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/GettingStartedTutorial.html',
 recommended_action: 'Ensure that the launch configuration security group has not been deleted. If so, remove it from launch configurations',
 apis: ['AutoScaling:describeLaunchConfigurations', 'EC2:describeSecurityGroups'],
- realtime_triggers: ['autoscaling:CreateLaunchConfiguration'],
+ realtime_triggers: ['autoscaling:CreateLaunchConfiguration','autoscaling:DeleteLaunchConfiguration','ec2:CreateSecurityGroup','ec2:DeleteSecurityGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/asgMultiAz.js b/plugins/aws/autoscaling/asgMultiAz.js
index 6a6fd6edb6..350c69508e 100644
--- a/plugins/aws/autoscaling/asgMultiAz.js
+++ b/plugins/aws/autoscaling/asgMultiAz.js
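Review bot: The new `elb:` and `elbv2:` trigger prefixes in asgMissingELB (and again in sameAzElb further down) are the first of their kind in this diff, and it is not evident from the hunk that both resolve to a CloudTrail event source the way `autoscaling:` and `ec2:` do — classic and v2 load balancers are recorded under a single elasticloadbalancing source, and the plugin's own `apis` list spells the services `ELB` and `ELBv2`, so the mapping is not simply lower-casing the API name. Worth confirming against the dispatcher that splits `service:Action` that both prefixes are recognised; if only one is, the other pair of entries is dead weight and the deleted-load-balancer case this plugin exists to catch will not be re-evaluated in real time. No code change is proposed until that mapping is checked. The enclosing module.exports object starts and ends outside the hunk.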
@@ -10,7 +10,7 @@ module.exports = {
 link: 'http://docs.aws.amazon.com/autoscaling/latest/userguide/AutoScalingGroup.html',
 recommended_action: 'Modify the autoscaling instance to enable scaling across multiple availability zones.',
 apis: ['AutoScaling:describeAutoScalingGroups'],
- realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup','autoscaling:DeleteAutoScalingGroup'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/autoscaling/asgSuspendedProcesses.js b/plugins/aws/autoscaling/asgSuspendedProcesses.js
index 179d78f489..5d7450cd63 100644
--- a/plugins/aws/autoscaling/asgSuspendedProcesses.js
+++ b/plugins/aws/autoscaling/asgSuspendedProcesses.js
@@ -10,10 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-suspend-resume-processes.html',
 recommended_action: 'Update the AutoScaling group to resume the suspended processes.',
 apis: ['AutoScaling:describeAutoScalingGroups'],
- realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:ResumeProcesses'],
-
-
-
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:ResumeProcesses','autoscaling:DeleteAutoScalingGroup'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/asgUnusedLaunchConfiguration.js b/plugins/aws/autoscaling/asgUnusedLaunchConfiguration.js
index e05d058655..4ca0599dc6 100644
--- a/plugins/aws/autoscaling/asgUnusedLaunchConfiguration.js
+++ b/plugins/aws/autoscaling/asgUnusedLaunchConfiguration.js
@@ -11,7 +11,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/LaunchConfiguration.html',
 recommended_action: 'Identify and remove any Auto Scaling Launch Configuration templates that are not associated anymore with ASGs available in the selected AWS region.',
 apis: ['AutoScaling:describeAutoScalingGroups', 'AutoScaling:describeLaunchConfigurations'],
- realtime_triggers: ['autoscaling:CreateLaunchConfiguration','autoscaling:DeleteLaunchConfiguration'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:DeleteAutoScalingGroup','autoscaling:CreateLaunchConfiguration','autoscaling:DeleteLaunchConfiguration'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/autoscaling/elbHealthCheckActive.js b/plugins/aws/autoscaling/elbHealthCheckActive.js
index 3e2e5401a4..02c6735e2c 100644
--- a/plugins/aws/autoscaling/elbHealthCheckActive.js
+++ b/plugins/aws/autoscaling/elbHealthCheckActive.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-add-elb-healthcheck.html',
 recommended_action: 'Enable ELB health check for the Auto Scaling groups.',
 apis: ['AutoScaling:describeAutoScalingGroups'],
- realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup','autoscaling:DeleteAutoScalingGroup'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/autoscaling/sameAzElb.js b/plugins/aws/autoscaling/sameAzElb.js
index 6f8112a622..de247466ae 100644
--- a/plugins/aws/autoscaling/sameAzElb.js
+++ b/plugins/aws/autoscaling/sameAzElb.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-add-availability-zone.html',
 recommended_action: 'Update the ELB to use the same availability zones as the autoscaling group.',
 apis: ['AutoScaling:describeAutoScalingGroups', 'ELB:describeLoadBalancers', 'ELBv2:describeLoadBalancers'],
- realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup','ec2:CreateNetworkInterface'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup','autoscaling:DeleteAutoScalingGroup','elb:CreateLoadBalancer','elbv2:CreateLoadBalancer','elb:DeleteLoadBalancer','elbv2:DeleteLoadBalancer'],
diff --git a/plugins/aws/autoscaling/webTierAsgApprovedAmi.js b/plugins/aws/autoscaling/webTierAsgApprovedAmi.js
index fef285aa3a..df8f63e9d3 100644
--- a/plugins/aws/autoscaling/webTierAsgApprovedAmi.js
+++ b/plugins/aws/autoscaling/webTierAsgApprovedAmi.js
@@ -24,7 +24,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['autoscaling:createLaunchConfiguration'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:DeleteAutoScalingGroup','autoscaling:UpdateAutoScalingGroup','autoscaling:createLaunchConfiguration','autoscaling:DeleteLaunchConfiguration'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/webTierAsgAssociatedElb.js b/plugins/aws/autoscaling/webTierAsgAssociatedElb.js
index bbe29bd1fa..52a6fc1fcf 100644
--- a/plugins/aws/autoscaling/webTierAsgAssociatedElb.js
+++ b/plugins/aws/autoscaling/webTierAsgAssociatedElb.js
@@ -18,7 +18,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:AttachLoadBalancers'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:DeleteAutoScalingGroup','autoscaling:AttachLoadBalancers','autoscaling:DetachLoadBalancers'],
 run: function(cache, settings, callback) {
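Review bot: The new sameAzElb trigger list reacts to load balancers being created or deleted but not to their availability zones changing, which is the very condition this check compares against the ASG. Classic ELB `EnableAvailabilityZonesForLoadBalancer`/`DisableAvailabilityZonesForLoadBalancer` and ELBv2 `SetSubnets` change a load balancer's AZs in place, so under this repo's prefix convention entries like `'elb:EnableAvailabilityZonesForLoadBalancer','elb:DisableAvailabilityZonesForLoadBalancer','elbv2:SetSubnets'` would be worth adding, provided those events are routed to plugins at all. The hunk ends at the trigger line, so the run body is not visible here.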
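Review bot: `'autoscaling:createLaunchConfiguration'` in the new webTierAsgApprovedAmi list is lower-cased while every other entry in this commit, including `'autoscaling:CreateLaunchConfiguration'` in the asgUnusedLaunchConfiguration hunk above, uses the upper-case event name; if trigger matching is case-sensitive this entry never fires, and the inconsistency was carried over from the old line rather than fixed. Suggest `'autoscaling:CreateLaunchConfiguration'` here and in the webTierAsgCloudwatchLogs and webTierIamRole hunks that follow, which repeat the same spelling.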
diff --git a/plugins/aws/autoscaling/webTierAsgCloudwatchLogs.js b/plugins/aws/autoscaling/webTierAsgCloudwatchLogs.js
index 6bfdecde70..6035e05efe 100644
--- a/plugins/aws/autoscaling/webTierAsgCloudwatchLogs.js
+++ b/plugins/aws/autoscaling/webTierAsgCloudwatchLogs.js
@@ -32,7 +32,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:DeleteAutoScalingGroup','autoscaling:UpdateAutoScalingGroup','autoscaling:createLaunchConfiguration','autoscaling:DeleteLaunchConfiguration'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/autoscaling/webTierIamRole.js b/plugins/aws/autoscaling/webTierIamRole.js
index 7b786cfe5f..30b6cafe8b 100644
--- a/plugins/aws/autoscaling/webTierIamRole.js
+++ b/plugins/aws/autoscaling/webTierIamRole.js
@@ -18,7 +18,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['autoscaling:createLaunchConfiguration'],
+ realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:DeleteAutoScalingGroup','autoscaling:UpdateAutoScalingGroup','autoscaling:createLaunchConfiguration','autoscaling:DeleteLaunchConfiguration'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/backup/backupDeletionProtection.js b/plugins/aws/backup/backupDeletionProtection.js
index 6d1bbae594..c24533f2a7 100644
--- a/plugins/aws/backup/backupDeletionProtection.js
+++ b/plugins/aws/backup/backupDeletionProtection.js
@@ -11,7 +11,7 @@ module.exports = {
 recommended_action: 'Add a statement in Backup vault access policy which denies global access to action: backup:DeleteRecoveryPoint',
 link: 'https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-a-vault-access-policy.html',
 apis: ['Backup:listBackupVaults', 'Backup:getBackupVaultAccessPolicy'],
- realtime_triggers: ['backup:PutBackupVaultAccessPolicy'],
+ realtime_triggers: ['backup:CreateBackupVault','backup:DeleteBackupVault','backup:PutBackupVaultAccessPolicy','backup:DeleteBackupVaultAccessPolicy'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/backup/backupInUseForRDSSnapshots.js b/plugins/aws/backup/backupInUseForRDSSnapshots.js
index c57b0b6314..01b2104806 100644
--- a/plugins/aws/backup/backupInUseForRDSSnapshots.js
+++ b/plugins/aws/backup/backupInUseForRDSSnapshots.js
@@ -11,7 +11,7 @@ module.exports = {
 recommended_action: 'Enable RDS database instance snapshots to improve the reliability of your backup strategy.',
 link: 'https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html',
 apis: ['RDS:describeDBSnapshots'],
- realtime_triggers: ['backup:CreateBackupPlan','backup:CreateBackupSelection'],
+ realtime_triggers: ['backup:CreateBackupSelection','backup:DeleteBackupSelection'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/backup/backupNotificationEnabled.js b/plugins/aws/backup/backupNotificationEnabled.js
index 75a97316a6..bb641eccc2 100644
--- a/plugins/aws/backup/backupNotificationEnabled.js
+++ b/plugins/aws/backup/backupNotificationEnabled.js
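Review bot: backupInUseForRDSSnapshots now retriggers only when a backup selection is created or deleted, yet the only API the plugin declares is `RDS:describeDBSnapshots`, so the snapshot set it evaluates can change without any trigger firing. If the run body inspects the snapshots themselves, `'rds:CreateDBSnapshot','rds:DeleteDBSnapshot'` are the events that directly alter that data and belong alongside the Backup ones. The run body is outside the hunk, so this is inferred from the `apis` entry.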
@@ -11,7 +11,7 @@ module.exports = {
 recommended_action: 'Configure Backup vaults to sent notifications alert for failed backup job events.',
 link: 'https://docs.aws.amazon.com/aws-backup/latest/devguide/sns-notifications.html',
 apis: ['Backup:listBackupVaults', 'Backup:getBackupVaultNotifications'],
- realtime_triggers: ['backup:CreateBackupVault','backup:PutBackupVaultNotifications'],
+ realtime_triggers: ['backup:CreateBackupVault','backup:PutBackupVaultNotifications','backup:DeleteBackupVault'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/backup/backupVaultEncrypted.js b/plugins/aws/backup/backupVaultEncrypted.js
index 3550a9ad5b..7bc35e5fdd 100644
--- a/plugins/aws/backup/backupVaultEncrypted.js
+++ b/plugins/aws/backup/backupVaultEncrypted.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 'awscmk',
 }
 },
- realtime_triggers: ['backup:CreateBackupVault','backup:UpdateBackupPlan'],
+ realtime_triggers: ['backup:CreateBackupVault','backup:DeleteBackupVault'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/backup/backupVaultHasTags.js b/plugins/aws/backup/backupVaultHasTags.js
index b17a84ca71..252195413e 100644
--- a/plugins/aws/backup/backupVaultHasTags.js
+++ b/plugins/aws/backup/backupVaultHasTags.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Modify Backup Vault and add tags.',
 link: 'https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-a-vault.html',
 apis: ['Backup:listBackupVaults', 'ResourceGroupsTaggingAPI:getResources'],
- realtime_triggers: ['backup:CreateBackupVault','backup:TagResource','backup:UntagResource'],
+ realtime_triggers: ['backup:CreateBackupVault','backup:DeleteBackupVault','backup:TagResource','backup:UntagResource'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/backup/backupVaultPolicies.js b/plugins/aws/backup/backupVaultPolicies.js
index 32733f75d8..c6796bda61 100644
--- a/plugins/aws/backup/backupVaultPolicies.js
+++ b/plugins/aws/backup/backupVaultPolicies.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Ensure that all Backup Vault policies are scoped to specific services and API calls.',
 link: 'https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-a-vault-access-policy.html',
 apis: ['Backup:listBackupVaults', 'Backup:getBackupVaultAccessPolicy', 'STS:getCallerIdentity'],
- realtime_triggers: ['backup:PutBackupVaultAccessPolicy'],
+ realtime_triggers: ['backup:CreateBackupVault','backup:DeleteBackupVault','backup:PutBackupVaultAccessPolicy','backup:DeleteBackupVaultAccessPolicy'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/backup/compliantLifecycleConfigured.js b/plugins/aws/backup/compliantLifecycleConfigured.js
index ab44848c78..bc2d6dc1da 100644
--- a/plugins/aws/backup/compliantLifecycleConfigured.js
+++ b/plugins/aws/backup/compliantLifecycleConfigured.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Enable compliant lifecycle configuration for your Amazon Backup plans',
 link: 'https://docs.aws.amazon.com/aws-backup/latest/devguide/API_Lifecycle.html',
 apis: ['Backup:listBackupPlans', 'Backup:getBackupPlan'],
- realtime_triggers: ['backup:CreateBackupPlan','backup:UpdateBackupPlan'],
+ realtime_triggers: ['backup:CreateBackupPlan','backup:UpdateBackupPlan','backup:DeleteBackupPlan'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudformation/cloudformationAdminPriviliges.js b/plugins/aws/cloudformation/cloudformationAdminPriviliges.js
index 52bb514f3c..9d39e28331 100644
--- a/plugins/aws/cloudformation/cloudformationAdminPriviliges.js
+++ b/plugins/aws/cloudformation/cloudformationAdminPriviliges.js
@@ -14,7 +14,7 @@ module.exports = { recommended_action: 'Modify IAM role attached with AWS CloudFormation stack to provide the minimal amount of access required to perform its tasks', apis: ['CloudFormation:listStacks', 'CloudFormation:describeStacks', 'IAM:listRoles', 'IAM:listAttachedRolePolicies', 'IAM:listRolePolicies', 'IAM:listPolicies', 'IAM:getPolicy', 'IAM:getPolicyVersion', 'IAM:getRolePolicy'], - realtime_triggers: ['cloudformation:CreateStack','IAM:CreatePolicyVersion','IAM:PutRolePolicy'], + realtime_triggers: ['cloudformation:CreateStack','cloudformation:DeleteStack','cloudformation:UpdateStack','iam:DeleteRole','iam:AttachRolePolicy','iam:DetachRolePolicy','iam:DeleteRolePolicy','iam:PutRolePolicy'], run: function(cache, settings, callback) { diff --git a/plugins/aws/cloudformation/cloudformationInUse.js b/plugins/aws/cloudformation/cloudformationInUse.js index 06c8e779ba..1fb6ec2f59 100644 --- a/plugins/aws/cloudformation/cloudformationInUse.js +++ b/plugins/aws/cloudformation/cloudformationInUse.js @@ -12,7 +12,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html', recommended_action: 'Check if CloudFormation is in use or not by observing the stacks', apis: ['CloudFormation:describeStacks'], - realtime_triggers: ['cloudformation:CreateStack'], + realtime_triggers: ['cloudformation:CreateStack','cloudformation:DeleteStack'], run: function(cache, settings, callback) { var results = []; @@ -22,7 +22,6 @@ module.exports = { async.each(regions.cloudformation, function(region, rcb){ var describeStacks = helpers.addSource(cache, source, ['cloudformation', 'describeStacks', region]); - if (!describeStacks) return rcb(); if (describeStacks.err || !describeStacks.data) { diff --git a/plugins/aws/cloudformation/driftDetection.js b/plugins/aws/cloudformation/driftDetection.js index 79fee1fd18..f75c4ec064 100644 --- a/plugins/aws/cloudformation/driftDetection.js 
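Review bot: The rewritten cloudformationAdminPriviliges list drops `IAM:CreatePolicyVersion`, which was the only trigger covering managed-policy changes, while the check still declares `IAM:getPolicy` and `IAM:getPolicyVersion` among its inputs. A new default version of a managed policy attached to a stack role can turn that role into an admin role without any of the remaining triggers firing, so the finding would only surface on the next full scan; keep it as `'iam:CreatePolicyVersion'` and consider `'iam:SetDefaultPolicyVersion'` next to it. The run body is outside the hunk.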
+++ b/plugins/aws/cloudformation/driftDetection.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import-resolve-drift.html',
 recommended_action: 'Resolve CloudFormation stack drift by importing drifted resource back to the stack.',
 apis: ['CloudFormation:listStacks'],
- realtime_triggers: ['cloudformation:CreateStack','cloudformation:UpdateStack'],
+ realtime_triggers: ['cloudformation:CreateStack','cloudformation:UpdateStack','cloudformation:DeleteStack'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudformation/plainTextParameters.js b/plugins/aws/cloudformation/plainTextParameters.js
index 426e14e8c9..185a6cbce0 100644
--- a/plugins/aws/cloudformation/plainTextParameters.js
+++ b/plugins/aws/cloudformation/plainTextParameters.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 'secret,password,privatekey'
 }
 },
- realtime_triggers: ['cloudformation:CreateStack','cloudformation:UpdateStack'],
+ realtime_triggers: ['cloudformation:CreateStack','cloudformation:UpdateStack','cloudformation:DeleteStack'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudformation/stackFailedStatus.js b/plugins/aws/cloudformation/stackFailedStatus.js
index 2bfca7003a..23685df2c7 100644
--- a/plugins/aws/cloudformation/stackFailedStatus.js
+++ b/plugins/aws/cloudformation/stackFailedStatus.js
@@ -18,7 +18,7 @@ module.exports = {
 default: 0
 }
 },
- realtime_triggers: ['cloudformation:CreateStack','cloudformation:DeleteStack'],
+ realtime_triggers: ['cloudformation:CreateStack','cloudformation:UpdateStack','cloudformation:DeleteStack'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudformation/stackNotifications.js b/plugins/aws/cloudformation/stackNotifications.js
index 60f5d6a53d..a4ab53db4a 100644
--- a/plugins/aws/cloudformation/stackNotifications.js
+++ b/plugins/aws/cloudformation/stackNotifications.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-view-stack-data-resources.html',
 recommended_action: 'Associate an Amazon SNS topic to all CloudFormation stacks',
 apis: ['CloudFormation:listStacks', 'CloudFormation:describeStacks'],
- realtime_triggers: ['cloudformation:CreateStack','cloudformation:UpdateStack'],
+ realtime_triggers: ['cloudformation:CreateStack','cloudformation:UpdateStack','cloudformation:DeleteStack'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudformation/stackTerminationProtection.js b/plugins/aws/cloudformation/stackTerminationProtection.js
index 861be034fe..793f28eb88 100644
--- a/plugins/aws/cloudformation/stackTerminationProtection.js
+++ b/plugins/aws/cloudformation/stackTerminationProtection.js
@@ -21,7 +21,7 @@ module.exports = {
 remediate: ['cloudformation:UpdateTerminationProtection'],
 rollback: ['cloudformation:UpdateTerminationProtection']
 },
- realtime_triggers: ['cloudformation:UpdateTerminationProtection', 'cloudformation:CreateStack'],
+ realtime_triggers: ['cloudformation:UpdateTerminationProtection', 'cloudformation:CreateStack','cloudformation:DeleteStack'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudfront/cloudfrontCustomOriginHttpsOnly.js b/plugins/aws/cloudfront/cloudfrontCustomOriginHttpsOnly.js
index c8e6585f87..65cb06b8fe 100644
--- a/plugins/aws/cloudfront/cloudfrontCustomOriginHttpsOnly.js
+++ b/plugins/aws/cloudfront/cloudfrontCustomOriginHttpsOnly.js
@@ -9,7 +9,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html',
 recommended_action: 'Modify CloudFront distribution and update the Origin Protocol Policy setting to HTTPS Only.',
 apis: ['CloudFront:listDistributions'],
- realtime_triggers: ['cloudfront:CreateDistribution','cloudfront:UpdateDistribution'],
+ realtime_triggers: ['cloudfront:CreateDistribution','cloudfront:UpdateDistribution','cloudfront:DeleteDistribution'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/cloudfront/cloudfrontFieldLevelEncryption.js b/plugins/aws/cloudfront/cloudfrontFieldLevelEncryption.js
index 12d37042a7..a8ef8c83b4 100644
--- a/plugins/aws/cloudfront/cloudfrontFieldLevelEncryption.js
+++ b/plugins/aws/cloudfront/cloudfrontFieldLevelEncryption.js
@@ -11,7 +11,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html',
 recommended_action: 'Enable field-level encryption for CloudFront distributions.',
 apis: ['CloudFront:listDistributions'],
- realtime_triggers: ['cloudfront:CreateDistribution','cloudfront:UpdateDistribution'],
+ realtime_triggers: ['cloudfront:CreateDistribution','cloudfront:UpdateDistribution','cloudfront:DeleteDistribution'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/cloudfront/cloudfrontGeoRestriction.js b/plugins/aws/cloudfront/cloudfrontGeoRestriction.js
index b70d872338..7f578c99f7 100644
--- a/plugins/aws/cloudfront/cloudfrontGeoRestriction.js
+++ b/plugins/aws/cloudfront/cloudfrontGeoRestriction.js
@@ -18,7 +18,8 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['cloudfront:CreateDistribution','cloudfront:UpdateDistribution'],
+ realtime_triggers: ['cloudfront:CreateDistribution','cloudfront:UpdateDistribution','cloudfront:DeleteDistribution'],
+
 run: function(cache, settings, callback) {
 var results = [];
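Review bot: The cloudfrontGeoRestriction hunk adds a stray empty line between `realtime_triggers` and `run`, which is the only reason it is +8 rather than +7 and which the cloudfrontCustomOriginHttpsOnly and cloudfrontFieldLevelEncryption hunks in the same commit do not have. The same blank line is introduced in cloudfrontLoggingEnabled, cloudfrontTlsInsecureCipher, cloudfrontWafEnabled, compressObjectsAutomatically, enableOriginFailOver, insecureProtocols, publicS3Origin and secureOrigin; dropping it keeps the metadata block uniform across the directory and the diff limited to the trigger change.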
diff --git a/plugins/aws/cloudfront/cloudfrontHttpsOnly.js b/plugins/aws/cloudfront/cloudfrontHttpsOnly.js
index ed88e439c8..d78fce0636 100644
--- a/plugins/aws/cloudfront/cloudfrontHttpsOnly.js
+++ b/plugins/aws/cloudfront/cloudfrontHttpsOnly.js
@@ -25,7 +25,7 @@ module.exports = {
 remediate: ['cloudfront:UpdateDistribution'],
 rollback: ['cloudfront:UpdateDistribution']
 },
- realtime_triggers: ['cloudfront:CreateDistribution', 'cloudfront:UpdateDistribution'],
+ realtime_triggers: ['cloudfront:CreateDistribution','cloudfront:UpdateDistribution','cloudfront:DeleteDistribution'],
 remediation_inputs: {
 cdnPolicyOption: {
 name: 'Viewer Protocol Policy Option',
diff --git a/plugins/aws/cloudfront/cloudfrontInUse.js b/plugins/aws/cloudfront/cloudfrontInUse.js
index 1754f22a51..837fc5312e 100644
--- a/plugins/aws/cloudfront/cloudfrontInUse.js
+++ b/plugins/aws/cloudfront/cloudfrontInUse.js
@@ -10,7 +10,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html',
 recommended_action: 'Create CloudFront distributions as per requirement.',
 apis: ['CloudFront:listDistributions'],
- realtime_triggers: ['cloudfront:CreateDistribution'],
+ realtime_triggers: ['cloudfront:CreateDistribution','cloudfront:DeleteDistribution'],
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/cloudfront/cloudfrontLoggingEnabled.js b/plugins/aws/cloudfront/cloudfrontLoggingEnabled.js
index d8d5d81900..ef61183cb9 100644
--- a/plugins/aws/cloudfront/cloudfrontLoggingEnabled.js
+++ b/plugins/aws/cloudfront/cloudfrontLoggingEnabled.js
@@ -33,7 +33,8 @@ module.exports = {
 }
 ]
 },
- realtime_triggers: ['cloudfront:CreateDistribution', 'cloudfront:UpdateDistribution'],
+ realtime_triggers: ['cloudfront:CreateDistribution','cloudfront:UpdateDistribution','cloudfront:DeleteDistribution'],
+
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/cloudfront/cloudfrontOriginTlsVersion.js b/plugins/aws/cloudfront/cloudfrontOriginTlsVersion.js
index 85ae31de36..992efa1458 100644
--- a/plugins/aws/cloudfront/cloudfrontOriginTlsVersion.js
+++ b/plugins/aws/cloudfront/cloudfrontOriginTlsVersion.js
@@ -9,7 +9,7 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html',
 recommended_action: 'Modify cloudFront distribution and update the TLS version.',
 apis: ['CloudFront:listDistributions'],
- realtime_triggers: ['cloudfront:CreateDistribution', 'cloudfront:UpdateDistribution'],
+ realtime_triggers: ['cloudfront:CreateDistribution','cloudfront:UpdateDistribution','cloudfront:DeleteDistribution'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudfront/cloudfrontTlsDeprecatedProtocols.js b/plugins/aws/cloudfront/cloudfrontTlsDeprecatedProtocols.js
index 9bd14dbbc1..4ad8ac9c58 100644
--- a/plugins/aws/cloudfront/cloudfrontTlsDeprecatedProtocols.js
+++ b/plugins/aws/cloudfront/cloudfrontTlsDeprecatedProtocols.js
@@ -9,7 +9,7 @@ module.exports = {
 link: 'https://aws.amazon.com/about-aws/whats-new/2020/07/cloudfront-tls-security-policy/',
 recommended_action: 'Modify cloudFront distribution and update the TLS version.',
 apis: ['CloudFront:listDistributions'],
- realtime_triggers: ['cloudfront:CreateDistribution', 'cloudfront:UpdateDistribution'],
+ realtime_triggers: ['cloudfront:CreateDistribution','cloudfront:UpdateDistribution','cloudfront:DeleteDistribution'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudfront/cloudfrontTlsInsecureCipher.js b/plugins/aws/cloudfront/cloudfrontTlsInsecureCipher.js
index 9b334acc73..198f608f52 100644
--- a/plugins/aws/cloudfront/cloudfrontTlsInsecureCipher.js
+++ b/plugins/aws/cloudfront/cloudfrontTlsInsecureCipher.js
@@ -9,7 +9,8 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html',
 recommended_action: 'Modify cloudFront distribution and update the TLS version.',
 apis: ['CloudFront:listDistributions'],
- realtime_triggers: ['cloudfront:CreateDistribution', 'cloudfront:UpdateDistribution'],
+ realtime_triggers: ['cloudfront:CreateDistribution','cloudfront:UpdateDistribution','cloudfront:DeleteDistribution'],
+
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudfront/cloudfrontWafEnabled.js b/plugins/aws/cloudfront/cloudfrontWafEnabled.js
index 43dd330308..9ea9a3864d 100644
--- a/plugins/aws/cloudfront/cloudfrontWafEnabled.js
+++ b/plugins/aws/cloudfront/cloudfrontWafEnabled.js
@@ -9,7 +9,8 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-cloudfront-distribution.html',
 recommended_action: '1. Enter the WAF service. 2. Enter Web ACLs and filter by global. 3. If no Web ACL is found, Create a new global Web ACL and in Resource type to associate with web ACL, select the CloudFront Distribution. ',
 apis: ['CloudFront:listDistributions'],
- realtime_triggers: ['cloudfront:CreateDistribution', 'cloudfront:UpdateDistribution'],
+ realtime_triggers: ['cloudfront:CreateDistribution','cloudfront:UpdateDistribution','cloudfront:DeleteDistribution'],
+
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/cloudfront/compressObjectsAutomatically.js b/plugins/aws/cloudfront/compressObjectsAutomatically.js
index 81e1be3b73..6e6041db24 100644
--- a/plugins/aws/cloudfront/compressObjectsAutomatically.js
+++ b/plugins/aws/cloudfront/compressObjectsAutomatically.js
@@ -10,7 +10,8 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/ServingCompressedFiles.html',
 recommended_action: 'Ensures that CloudFront is configured to automatically compress files',
 apis: ['CloudFront:listDistributions'],
- realtime_triggers: ['cloudfront:CreateDistribution', 'cloudfront:UpdateDistribution'],
+ realtime_triggers: ['cloudfront:CreateDistribution','cloudfront:UpdateDistribution','cloudfront:DeleteDistribution'],
+
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudfront/enableOriginFailOver.js b/plugins/aws/cloudfront/enableOriginFailOver.js
index 9a8c84c67f..edc4f7d145 100644
--- a/plugins/aws/cloudfront/enableOriginFailOver.js
+++ b/plugins/aws/cloudfront/enableOriginFailOver.js
@@ -10,7 +10,8 @@ module.exports = {
 link: 'https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_OriginGroupFailoverCriteria.html',
 recommended_action: 'Modify CloudFront distributions and configure origin group instead of a single origin',
 apis: ['CloudFront:listDistributions'],
- realtime_triggers: ['cloudfront:CreateDistribution', 'cloudfront:UpdateDistribution'],
+ realtime_triggers: ['cloudfront:CreateDistribution','cloudfront:UpdateDistribution','cloudfront:DeleteDistribution'],
+
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/cloudfront/insecureProtocols.js b/plugins/aws/cloudfront/insecureProtocols.js
index 7894889713..c61ace00bc 100644
--- a/plugins/aws/cloudfront/insecureProtocols.js
+++ b/plugins/aws/cloudfront/insecureProtocols.js
@@ -25,7 +25,8 @@ module.exports = {
 default: 'true'
 }
 },
- realtime_triggers: ['cloudfront:CreateDistribution', 'cloudfront:UpdateDistribution'],
+ realtime_triggers: ['cloudfront:CreateDistribution','cloudfront:UpdateDistribution','cloudfront:DeleteDistribution'],
+
 run: function(cache, settings, callback) {
 var config = {
diff --git a/plugins/aws/cloudfront/publicS3Origin.js b/plugins/aws/cloudfront/publicS3Origin.js
index 51b8e54eb7..f47c2a1792 100644
--- a/plugins/aws/cloudfront/publicS3Origin.js
+++ b/plugins/aws/cloudfront/publicS3Origin.js
@@ -15,7 +15,8 @@ module.exports = {
 'If an S3 bucket backing a CloudFront distribution does not require the end ' +
 'user to access the contents through CloudFront, this policy may be violated.'
 },
- realtime_triggers: ['cloudfront:CreateDistribution', 'cloudfront:UpdateDistribution'],
+ realtime_triggers: ['cloudfront:CreateDistribution','cloudfront:UpdateDistribution','cloudfront:DeleteDistribution'],
+
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/cloudfront/secureOrigin.js b/plugins/aws/cloudfront/secureOrigin.js
index bc28534009..786eeffd7e 100644
--- a/plugins/aws/cloudfront/secureOrigin.js
+++ b/plugins/aws/cloudfront/secureOrigin.js
@@ -16,7 +16,8 @@ module.exports = {
 'ensures that traffic between CloudFront and any backend resource is ' +
 'encrypted in transit.'
 },
- realtime_triggers: ['cloudfront:CreateDistribution', 'cloudfront:UpdateDistribution'],
+ realtime_triggers: ['cloudfront:CreateDistribution','cloudfront:UpdateDistribution','cloudfront:DeleteDistribution'],
+
 run: function(cache, settings, callback) {
diff --git a/plugins/aws/cloudtrail/cloudtrailBucketAccessLogging.js b/plugins/aws/cloudtrail/cloudtrailBucketAccessLogging.js
index b6128bb310..0256eba455 100644
--- a/plugins/aws/cloudtrail/cloudtrailBucketAccessLogging.js
+++ b/plugins/aws/cloudtrail/cloudtrailBucketAccessLogging.js
@@ -26,7 +26,7 @@ module.exports = {
 default: '',
 }
 },
- realtime_triggers: ['cloudtrail:CreateTrail', 's3:PutBucketLogging'],
+ realtime_triggers: ['cloudtrail:CreateTrail','cloudtrail:DeleteTrail','cloudtrail:UpdateTrail','s3:PutBucketLogging','s3:DeleteBucket'],
 run: function(cache, settings, callback) {
 var config = {
@@ -53,7 +53,7 @@ module.exports = { var describeTrails = helpers.addSource(cache, source, ['cloudtrail', 'describeTrails', region]); - + if (!describeTrails) return rcb(); if (describeTrails.err || !describeTrails.data) { diff --git a/plugins/aws/cloudtrail/cloudtrailBucketDelete.js b/plugins/aws/cloudtrail/cloudtrailBucketDelete.js index 9b039d7ae5..74c17da693 100644 --- a/plugins/aws/cloudtrail/cloudtrailBucketDelete.js +++ b/plugins/aws/cloudtrail/cloudtrailBucketDelete.js @@ -24,7 +24,7 @@ module.exports = { default: '', } }, - realtime_triggers: ['cloudtrail:CreateTrail', 's3:PutBucketVersioning'], + realtime_triggers: ['cloudtrail:CreateTrail','cloudtrail:DeleteTrail','cloudtrail:UpdateTrail','s3:DeleteBucket'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/cloudtrail/cloudtrailBucketPrivate.js b/plugins/aws/cloudtrail/cloudtrailBucketPrivate.js index 7baa7c2888..7800a74d0b 100644 --- a/plugins/aws/cloudtrail/cloudtrailBucketPrivate.js +++ b/plugins/aws/cloudtrail/cloudtrailBucketPrivate.js @@ -22,7 +22,7 @@ module.exports = { } }, - realtime_triggers: ['cloudtrail:CreateTrail', 's3:PutBucketAcl'], + realtime_triggers: ['cloudtrail:CreateTrail','cloudtrail:DeleteTrail','cloudtrail:UpdateTrail','s3:PutBucketPublicAccessBlock','s3:PutBucketAcl','s3:DeleteBucket'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/cloudtrail/cloudtrailDataEvents.js b/plugins/aws/cloudtrail/cloudtrailDataEvents.js index 6ae624ba8f..a563be9262 100644 --- a/plugins/aws/cloudtrail/cloudtrailDataEvents.js +++ b/plugins/aws/cloudtrail/cloudtrailDataEvents.js 
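Review bot: cloudtrailBucketDelete loses `s3:PutBucketVersioning`, which was the only event tied to the bucket-side setting the plugin is named for, and gains only trail lifecycle and bucket-deletion events. If the run body still reads the trail bucket's versioning or MFA-delete configuration, toggling that configuration will no longer re-evaluate the trail until the next full scan; keeping `'s3:PutBucketVersioning'` in the new list costs nothing. The run body is outside the hunk, so this is inferred from the plugin name and the removed trigger.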
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Update CloudTrail to enable data events.',
 link: 'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html',
 apis: ['CloudTrail:describeTrails', 'CloudTrail:getEventSelectors'],
- realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:PutEventSelectors'],
+ realtime_triggers: ['cloudtrail:CreateTrail','cloudtrail:DeleteTrail','cloudtrail:PutEventSelectors'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudtrail/cloudtrailDeliveryFailing.js b/plugins/aws/cloudtrail/cloudtrailDeliveryFailing.js
index 302e2e36b1..745138d98d 100644
--- a/plugins/aws/cloudtrail/cloudtrailDeliveryFailing.js
+++ b/plugins/aws/cloudtrail/cloudtrailDeliveryFailing.js
@@ -18,7 +18,7 @@ module.exports = {
 default: ''
 }
 },
- realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:UpdateTrail'],
+ realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:UpdateTrail','cloudtrail:DeleteTrail','s3:DeleteBucket'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudtrail/cloudtrailEnabled.js b/plugins/aws/cloudtrail/cloudtrailEnabled.js
index 86dd181c54..9c452ac7ab 100644
--- a/plugins/aws/cloudtrail/cloudtrailEnabled.js
+++ b/plugins/aws/cloudtrail/cloudtrailEnabled.js
@@ -19,7 +19,7 @@ module.exports = {
 'within environments containing cardholder data.',
 cis1: '2.1 Ensure CloudTrail is enabled in all regions'
 },
- realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:UpdateTrail'],
+ realtime_triggers: ['cloudtrail:CreateTrail','cloudtrail:StartLogging','cloudtrail:StopLogging','cloudtrail:DeleteTrail'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudtrail/cloudtrailEncryption.js b/plugins/aws/cloudtrail/cloudtrailEncryption.js
index 3f361190e3..eb6b874484 100644
--- a/plugins/aws/cloudtrail/cloudtrailEncryption.js
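Review bot: cloudtrailEnabled replaces `cloudtrail:UpdateTrail` with start/stop/delete events, but the CIS control quoted two lines above, `2.1 Ensure CloudTrail is enabled in all regions`, also depends on the trail's multi-region flag, which on an existing trail is only changed through `UpdateTrail`. Narrowing a multi-region trail to a single region would then go unnoticed until the next full scan; keep `'cloudtrail:UpdateTrail'` alongside the new entries rather than replacing it. The run body is outside the hunk.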
+++ b/plugins/aws/cloudtrail/cloudtrailEncryption.js
@@ -32,7 +32,7 @@ module.exports = {
 remediate: ['cloudtrail:UpdateTrail'],
 rollback: ['cloudtrail:UpdateTrail']
 },
- realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:UpdateTrail'],
+ realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:UpdateTrail','cloudtrail:DeleteTrail'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudtrail/cloudtrailFileValidation.js b/plugins/aws/cloudtrail/cloudtrailFileValidation.js
index 9c90e4df0c..22aa451ae6 100644
--- a/plugins/aws/cloudtrail/cloudtrailFileValidation.js
+++ b/plugins/aws/cloudtrail/cloudtrailFileValidation.js
@@ -15,7 +15,7 @@ module.exports = {
 apis_remediate: ['CloudTrail:describeTrails'],
 actions: {remediate: ['CloudTrail:updateTrail'], rollback: ['CloudTrail:updateTrail']},
 permissions: {remediate: ['cloudtrail:UpdateTrail'], rollback: ['cloudtrail:UpdateTrail']},
- realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:UpdateTrail'],
+ realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:UpdateTrail','cloudtrail:DeleteTrail'],
 compliance: {
 hipaa: 'The auditing requirements of HIPAA require logs to be kept securely ' +
 'in a manner that prevents tampering. CloudTrail log validation ' +
diff --git a/plugins/aws/cloudtrail/cloudtrailHasTags.js b/plugins/aws/cloudtrail/cloudtrailHasTags.js
index d49fcd9c43..4c6dc016cd 100644
--- a/plugins/aws/cloudtrail/cloudtrailHasTags.js
+++ b/plugins/aws/cloudtrail/cloudtrailHasTags.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Modify CloudTrail trails and add tags.',
 link: 'https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AddTags.html',
 apis: ['CloudTrail:describeTrails', 'CloudTrail:listTags'],
- realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:AddTags','cloudtrail:RemoveTags'],
+ realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:AddTags','cloudtrail:RemoveTags','cloudtrail:DeleteTrail'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudtrail/cloudtrailManagementEvents.js b/plugins/aws/cloudtrail/cloudtrailManagementEvents.js
index fd4d819cd2..b49fcbfdf2 100644
--- a/plugins/aws/cloudtrail/cloudtrailManagementEvents.js
+++ b/plugins/aws/cloudtrail/cloudtrailManagementEvents.js
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Update CloudTrail to enable management events logging',
 link: 'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html',
 apis: ['CloudTrail:describeTrails', 'CloudTrail:getEventSelectors'],
- realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:PutEventSelectors'],
+ realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:PutEventSelectors','cloudtrail:DeleteTrail'],
 run: function(cache, settings, callback) {
 var results = [];
diff --git a/plugins/aws/cloudtrail/cloudtrailNotificationsEnabled.js b/plugins/aws/cloudtrail/cloudtrailNotificationsEnabled.js
index 4abef4c341..b9761dd36b 100644
--- a/plugins/aws/cloudtrail/cloudtrailNotificationsEnabled.js
+++ b/plugins/aws/cloudtrail/cloudtrailNotificationsEnabled.js
@@ -11,7 +11,7 @@ module.exports = { recommended_action: 'Make sure that CloudTrail trails are using active SNS topics and that SNS topics have not been deleted after trail creation.', link: 'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/configure-sns-notifications-for-cloudtrail.html', apis: ['CloudTrail:describeTrails', 'SNS:listTopics', 'SNS:getTopicAttributes'], - realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:UpdateTrail'], + realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:UpdateTrail','cloudtrail:DeleteTrail'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudtrail/cloudtrailObjectLock.js b/plugins/aws/cloudtrail/cloudtrailObjectLock.js index 0358dd2f9a..ede0e809e8 100644 --- a/plugins/aws/cloudtrail/cloudtrailObjectLock.js +++ b/plugins/aws/cloudtrail/cloudtrailObjectLock.js @@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Edit trail to use a bucket with object locking enabled.', link: 'https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock-managing.html', apis: ['CloudTrail:describeTrails', 'S3:getObjectLockConfiguration', 'S3:listBuckets'], - realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:UpdateTrail'], + realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:UpdateTrail','cloudtrail:DeleteTrail','s3:DeleteBucket'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudtrail/cloudtrailS3Bucket.js b/plugins/aws/cloudtrail/cloudtrailS3Bucket.js index 242fcf1310..98b74d705d 100644 --- a/plugins/aws/cloudtrail/cloudtrailS3Bucket.js +++ b/plugins/aws/cloudtrail/cloudtrailS3Bucket.js @@ -24,7 +24,7 @@ module.exports = { default: '' } }, - realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:UpdateTrail'], + realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:UpdateTrail','cloudtrail:DeleteTrail','s3:DeleteBucket'], run: function(cache, settings, callback) { var results = []; 
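Review bot: The cloudtrailNotificationsEnabled trigger list still has no SNS event, even though the plugin's own recommended_action says it detects "SNS topics [that] have been deleted after trail creation" and its apis list includes `SNS:listTopics` and `SNS:getTopicAttributes`. With only CloudTrail events as triggers, deleting the topic a trail publishes to will not re-run the check until the next scheduled scan, which is the exact condition the plugin exists to catch. Consider `realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:UpdateTrail','cloudtrail:DeleteTrail','sns:DeleteTopic'],`. The same gap appears in cloudtrailObjectLock on this line: it gains `s3:DeleteBucket` but nothing fires when the object-lock configuration it reads via `S3:getObjectLockConfiguration` is changed, so `'s3:PutObjectLockConfiguration'` is probably wanted there if the trigger lists are meant to cover every event that changes the evaluated state.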
diff --git a/plugins/aws/cloudtrail/cloudtrailToCloudwatch.js b/plugins/aws/cloudtrail/cloudtrailToCloudwatch.js index 7b18cd2625..c6ac399902 100644 --- a/plugins/aws/cloudtrail/cloudtrailToCloudwatch.js +++ b/plugins/aws/cloudtrail/cloudtrailToCloudwatch.js @@ -13,7 +13,7 @@ module.exports = { compliance: { cis1: '2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs' }, - realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:UpdateTrail'], + realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:UpdateTrail','cloudtrail:DeleteTrail'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudtrail/globalLoggingDuplicated.js b/plugins/aws/cloudtrail/globalLoggingDuplicated.js index 240006d350..7c111942ae 100644 --- a/plugins/aws/cloudtrail/globalLoggingDuplicated.js +++ b/plugins/aws/cloudtrail/globalLoggingDuplicated.js @@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Update CloudTrail trails to log global services events enabled for only one trail', link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html', apis: ['CloudTrail:describeTrails'], - realtime_triggers: ['cloudtrail:CreateTrail', 'cloudtrail:UpdateTrail'], + realtime_triggers: ['cloudtrail:CreateTrail','cloudtrail:DeleteTrail'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudwatch/vpcFlowLogsMetricAlarm.js b/plugins/aws/cloudwatch/vpcFlowLogsMetricAlarm.js index 6b0bb90b30..9dd494d96b 100644 --- a/plugins/aws/cloudwatch/vpcFlowLogsMetricAlarm.js +++ b/plugins/aws/cloudwatch/vpcFlowLogsMetricAlarm.js @@ -21,7 +21,7 @@ module.exports = { default: 'vpc_flow_logs' } }, - realtime_triggers: ['cloudwatchlogs:PutMetricFilter', 'cloudwatch:PutMetricAlarm'], + realtime_triggers: ['cloudwatchlogs:PutMetricFilter','cloudwatchlogs:DeleteMetricFilter', 'cloudwatch:PutMetricAlarm','cloudwatch:DeleteAlarms'], run: function(cache, settings, callback) { var results = []; 
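Review bot: globalLoggingDuplicated drops `cloudtrail:UpdateTrail` from its triggers, but the property it evaluates (per its recommended_action, whether a trail logs global service events) is exactly what UpdateTrail changes on an existing trail. After this change, enabling global service events on a second trail will not re-trigger the duplicate-logging check, so a regression can go unnoticed until the next full scan. Every other cloudtrail plugin in this series keeps UpdateTrail; this one should too: `realtime_triggers: ['cloudtrail:CreateTrail','cloudtrail:UpdateTrail','cloudtrail:DeleteTrail'],`.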
diff --git a/plugins/aws/cloudwatchlogs/logGroupsEncrypted.js b/plugins/aws/cloudwatchlogs/logGroupsEncrypted.js index 8616cd2dd8..f552f18694 100644 --- a/plugins/aws/cloudwatchlogs/logGroupsEncrypted.js +++ b/plugins/aws/cloudwatchlogs/logGroupsEncrypted.js @@ -26,7 +26,7 @@ module.exports = { default: 'Aqua-CSPM-Token-Rotator-Function,-CreateCSPMKeyFunction-,-TriggerDiscoveryFunction-,-GenerateVolumeScanningEx-,-GenerateCSPMExternalIdFu-' } }, - realtime_triggers: ['cloudwatchlogs:CreateLogGroup', 'cloudwatchlogs:AssociateKmsKey'], + realtime_triggers: ['cloudwatchlogs:CreateLogGroup','cloudwatchlogs:DeleteLogGroup'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cloudwatchlogs/logRetentionPeriod.js b/plugins/aws/cloudwatchlogs/logRetentionPeriod.js index bf70f12e09..0e498baa01 100644 --- a/plugins/aws/cloudwatchlogs/logRetentionPeriod.js +++ b/plugins/aws/cloudwatchlogs/logRetentionPeriod.js @@ -18,7 +18,7 @@ module.exports = { default: '90' } }, - realtime_triggers: ['cloudwatchlogs:CreateLogGroup', 'cloudwatchlogs:PutRetentionPolicy'], + realtime_triggers: ['cloudwatchlogs:CreateLogGroup', 'cloudwatchlogs:PutRetentionPolicy','cloudwatchlogs:DeleteLogGroup'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/cloudwatchlogs/monitoringMetrics.js b/plugins/aws/cloudwatchlogs/monitoringMetrics.js index 6a0459ca91..495fd27862 100644 --- a/plugins/aws/cloudwatchlogs/monitoringMetrics.js +++ b/plugins/aws/cloudwatchlogs/monitoringMetrics.js @@ -76,7 +76,8 @@ module.exports = { compliance: { cis1: '3.0 Monitoring metrics are enabled' }, - realtime_triggers: ['cloudwatchlogs:CreateLogGroup', 'cloudwatchlogs:PutMetricFilter'], + realtime_triggers: ['cloudtrail:CreateTrail','cloudtrail:UpdateTrail','cloudtrail:DeleteTrail', 'cloudwatchlogs:PutMetricFilter','cloudwatchlogs:DeleteMetricFilter'], + run: function(cache, settings, callback) { var results = []; 
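Review bot: logGroupsEncrypted removes `cloudwatchlogs:AssociateKmsKey`, which is the API that puts a log group into (or, via its counterpart, out of) the encrypted state this plugin reports on; the new list only reacts to the group being created or deleted. Someone disassociating the CMK from an existing log group therefore no longer triggers a re-evaluation, which is the change a defender most wants flagged in real time. Suggest `realtime_triggers: ['cloudwatchlogs:CreateLogGroup','cloudwatchlogs:DeleteLogGroup','cloudwatchlogs:AssociateKmsKey','cloudwatchlogs:DisassociateKmsKey'],`. Separately, the monitoringMetrics hunk on this line adds an empty `+` line after realtime_triggers that the surrounding files do not have; the same stray blank line is added in comprehend/volumeEncryption on L594.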
diff --git a/plugins/aws/codebuild/codebuildValidSourceProviders.js b/plugins/aws/codebuild/codebuildValidSourceProviders.js index bf2adb0207..e9f4c97ec5 100644 --- a/plugins/aws/codebuild/codebuildValidSourceProviders.js +++ b/plugins/aws/codebuild/codebuildValidSourceProviders.js @@ -18,7 +18,7 @@ module.exports = { default: '' } }, - realtime_triggers: ['codebuild:CreateProject', 'codebuild:UpdateProject'], + realtime_triggers: ['codebuild:CreateProject', 'codebuild:UpdateProject','codebuild:DeleteProject'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/codebuild/projectArtifactsEncrypted.js b/plugins/aws/codebuild/projectArtifactsEncrypted.js index 9bd77f6d3e..e74eb77a74 100644 --- a/plugins/aws/codebuild/projectArtifactsEncrypted.js +++ b/plugins/aws/codebuild/projectArtifactsEncrypted.js @@ -19,7 +19,7 @@ module.exports = { default: 'awscmk', } }, - realtime_triggers: ['codebuild:CreateProject', 'codebuild:UpdateProject'], + realtime_triggers: ['codebuild:CreateProject', 'codebuild:UpdateProject','codebuild:DeleteProject'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/codepipeline/pipelineArtifactsEncrypted.js b/plugins/aws/codepipeline/pipelineArtifactsEncrypted.js index 3f54de255a..652afe2c33 100644 --- a/plugins/aws/codepipeline/pipelineArtifactsEncrypted.js +++ b/plugins/aws/codepipeline/pipelineArtifactsEncrypted.js @@ -20,7 +20,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['codepipeline:CreatePipeline', 'codepipeline:UpdatePipeline'], + realtime_triggers: ['codepipeline:CreatePipeline','codepipeline:DeletePipeline'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/codestar/codestarValidRepoProviders.js b/plugins/aws/codestar/codestarValidRepoProviders.js index 2d83c67837..dd9139cf51 100644 --- a/plugins/aws/codestar/codestarValidRepoProviders.js +++ b/plugins/aws/codestar/codestarValidRepoProviders.js 
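Review bot: pipelineArtifactsEncrypted replaces `codepipeline:UpdatePipeline` with `codepipeline:DeletePipeline` instead of adding to the list, yet the artifact-store encryption key this plugin evaluates (its settings default is `'awscmk'`) is part of the pipeline definition that UpdatePipeline rewrites. Switching an existing pipeline's artifact store from a CMK to the default key will no longer re-run the check. Keep the update event: `realtime_triggers: ['codepipeline:CreatePipeline','codepipeline:UpdatePipeline','codepipeline:DeletePipeline'],`. The two codebuild hunks on this line correctly add the delete event alongside the existing update event and are the pattern to follow.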
@@ -18,7 +18,7 @@ module.exports = { default: '' } }, - realtime_triggers: ['codestar:CreateProject','codestar:UpdateProject'], + realtime_triggers: ['codestar:CreateProject','codestar:DeleteProject'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cognito/cognitoHasWafEnabled.js b/plugins/aws/cognito/cognitoHasWafEnabled.js index 787b92399f..17fd4349a1 100644 --- a/plugins/aws/cognito/cognitoHasWafEnabled.js +++ b/plugins/aws/cognito/cognitoHasWafEnabled.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html', recommended_action: '1. Enter the Cognito service. 2. Enter user pools and enable WAF from properties.', apis: ['CognitoIdentityServiceProvider:listUserPools', 'WAFV2:getWebACLForCognitoUserPool', 'STS:getCallerIdentity'], - realtime_triggers: ['cognitoidentityserviceprovider:CreateUserPool','cognitoidentityserviceprovider:UpdateUserPool'], + realtime_triggers: ['cognitoidentityserviceprovider:CreateUserPool','cognitoidentityserviceprovider:DeleteUserPool','wafv2:AssociateWebACL','wafv2:DisassociateWebACL'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/cognito/cognitoMFAEnabled.js b/plugins/aws/cognito/cognitoMFAEnabled.js index 01e542ef64..ae45f36ee1 100644 --- a/plugins/aws/cognito/cognitoMFAEnabled.js +++ b/plugins/aws/cognito/cognitoMFAEnabled.js 
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html', recommended_action: '1. Enter the Cognito service. 2. Enter user pools and enable MFA from sign in experience.', apis: ['CognitoIdentityServiceProvider:listUserPools', 'CognitoIdentityServiceProvider:describeUserPool', 'STS:getCallerIdentity'], - realtime_triggers: ['CognitoIdentityServiceProvider:CreateUserPool','CognitoIdentityServiceProvider:UpdateUserPool'], + realtime_triggers: ['CognitoIdentityServiceProvider:CreateUserPool','CognitoIdentityServiceProvider:SetUserPoolMfaConfig','cognitoidentityserviceprovider:DeleteUserPool'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/comprehend/outputResultEncryption.js b/plugins/aws/comprehend/outputResultEncryption.js index 5d4cfc5cf7..9b99f93b55 100644 --- a/plugins/aws/comprehend/outputResultEncryption.js +++ b/plugins/aws/comprehend/outputResultEncryption.js @@ -11,7 +11,7 @@ module.exports = { recommended_action: 'Enable output result encryption for the Comprehend job', apis: ['Comprehend:listEntitiesDetectionJobs', 'Comprehend:listDominantLanguageDetectionJobs', 'Comprehend:listTopicsDetectionJobs', 'Comprehend:listDocumentClassificationJobs', 'Comprehend:listKeyPhrasesDetectionJobs', 'Comprehend:listSentimentDetectionJobs'], - realtime_triggers: ['comprehend:StartEntitiesDetectionJob'], + realtime_triggers: ['comprehend:StartEntitiesDetectionJob','comprehend:StartTopicsDetectionJob','comprehend:StartSentimentDetectionJob','comprehend:StartKeyPhrasesDetectionJob','comprehend:StartDominantLanguageDetectionJob'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/comprehend/volumeEncryption.js b/plugins/aws/comprehend/volumeEncryption.js index af65b6661c..d2bc661b63 100644 --- a/plugins/aws/comprehend/volumeEncryption.js +++ b/plugins/aws/comprehend/volumeEncryption.js 
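Review bot: cognitoMFAEnabled now mixes two spellings of the same service prefix in one array, `CognitoIdentityServiceProvider:` for the first two entries and `cognitoidentityserviceprovider:` for the added `DeleteUserPool`, while the neighbouring cognitoHasWafEnabled hunk uses the lowercase form throughout. If trigger matching is case-sensitive (I cannot see the matcher from this diff), one of the two spellings silently never fires; pick one, e.g. `realtime_triggers: ['cognitoidentityserviceprovider:CreateUserPool','cognitoidentityserviceprovider:SetUserPoolMfaConfig','cognitoidentityserviceprovider:DeleteUserPool'],`. In the comprehend/outputResultEncryption hunk on the same line, the apis list reads `Comprehend:listDocumentClassificationJobs` but the expanded trigger list has no `comprehend:StartDocumentClassificationJob`, so classification jobs are evaluated on schedule but never in real time; comprehend/volumeEncryption on L594 has the identical omission.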
@@ -11,7 +11,8 @@ module.exports = { recommended_action: 'Enable volume encryption for the Comprehend job', apis: ['Comprehend:listEntitiesDetectionJobs', 'Comprehend:listDominantLanguageDetectionJobs', 'Comprehend:listTopicsDetectionJobs', 'Comprehend:listDocumentClassificationJobs', 'Comprehend:listKeyPhrasesDetectionJobs', 'Comprehend:listSentimentDetectionJobs'], - realtime_triggers: ['comprehend:StartEntitiesDetectionJob'], + realtime_triggers: ['comprehend:StartEntitiesDetectionJob','comprehend:StartTopicsDetectionJob','comprehend:StartSentimentDetectionJob','comprehend:StartKeyPhrasesDetectionJob','comprehend:StartDominantLanguageDetectionJob'], + run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/computeoptimizer/asgOptimized.js b/plugins/aws/computeoptimizer/asgOptimized.js index 578c0bc68e..27ecc589fb 100644 --- a/plugins/aws/computeoptimizer/asgOptimized.js +++ b/plugins/aws/computeoptimizer/asgOptimized.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/compute-optimizer/latest/ug/view-asg-recommendations.html', recommended_action: 'Resolve Compute Optimizer recommendations for Auto Scaling groups.', apis: ['ComputeOptimizer:getRecommendationSummaries'], - realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup','autoscaling:StartInstanceRefresh'], + realtime_triggers: ['ComputeOptimizer:UpdateEnrollmentStatus','autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup','autoscaling:StartInstanceRefresh','autoscaling:DeleteAutoScalingGroup'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/computeoptimizer/ebsVolumesOptimized.js b/plugins/aws/computeoptimizer/ebsVolumesOptimized.js index ada1bd5fea..c979a54842 100644 --- a/plugins/aws/computeoptimizer/ebsVolumesOptimized.js +++ b/plugins/aws/computeoptimizer/ebsVolumesOptimized.js 
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/compute-optimizer/latest/ug/view-ebs-recommendations.html', recommended_action: 'Resolve Compute Optimizer recommendations for EBS volumes.', apis: ['ComputeOptimizer:getRecommendationSummaries'], - realtime_triggers: ['ec2:CreateVolume','ec2:ModifyVolume'], + realtime_triggers: ['ComputeOptimizer:UpdateEnrollmentStatus','ec2:CreateVolume','ec2:ModifyVolume','ec2:deleteVolume'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/computeoptimizer/ec2InstancesOptimized.js b/plugins/aws/computeoptimizer/ec2InstancesOptimized.js index 9149117d64..35846d6dcb 100644 --- a/plugins/aws/computeoptimizer/ec2InstancesOptimized.js +++ b/plugins/aws/computeoptimizer/ec2InstancesOptimized.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/compute-optimizer/latest/ug/view-ec2-recommendations.html', recommended_action: 'Resolve Compute Optimizer recommendations for EC2 instances.', apis: ['ComputeOptimizer:getRecommendationSummaries'], - realtime_triggers: ['ec2:RunInstances','ec2:ModifyInstanceAttribute','ec2:StartInstances'], + realtime_triggers: ['ComputeOptimizer:UpdateEnrollmentStatus','ec2:RunInstances','ec2:TerminateInstances','ec2:ModifyInstanceAttribute','ec2:StartInstances','ec2:stopInstances'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/computeoptimizer/lambdaFunctionsOptimized.js b/plugins/aws/computeoptimizer/lambdaFunctionsOptimized.js index c4cfcdff02..f04facc489 100644 --- a/plugins/aws/computeoptimizer/lambdaFunctionsOptimized.js +++ b/plugins/aws/computeoptimizer/lambdaFunctionsOptimized.js 
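Review bot: The added entries `'ec2:deleteVolume'` (ebsVolumesOptimized) and `'ec2:stopInstances'` (ec2InstancesOptimized) use a lowercase first letter, unlike every other action in the same arrays (`ec2:CreateVolume`, `ec2:TerminateInstances`) and unlike the `DeleteVolume`/`StopInstances` form CloudTrail records; lambdaFunctionsOptimized on L596 has the same problem with `'lambda:deleteFunction'`. Unless the trigger matcher lower-cases both sides, these three entries will never match an event and the delete/stop cases this commit set out to cover stay uncovered. Normalise them to `'ec2:DeleteVolume'`, `'ec2:StopInstances'` and `'lambda:DeleteFunction'`.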
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/compute-optimizer/latest/ug/view-lambda-recommendations.html', recommended_action: 'Resolve Compute Optimizer recommendations for Lambda functions.', apis: ['ComputeOptimizer:getRecommendationSummaries'], - realtime_triggers: ['lambda:CreateFunction','lambda:UpdateFunctionConfiguration'], + realtime_triggers: ['ComputeOptimizer:UpdateEnrollmentStatus','lambda:CreateFunction','lambda:UpdateFunctionConfiguration','lambda:deleteFunction'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/configservice/configComplaintRules.js b/plugins/aws/configservice/configComplaintRules.js index d4e79bf912..54693c881d 100644 --- a/plugins/aws/configservice/configComplaintRules.js +++ b/plugins/aws/configservice/configComplaintRules.js @@ -11,7 +11,7 @@ module.exports = { recommended_action: 'Enable the AWS Config Service rules for compliance checks and close security gaps.', link: 'https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html', apis: ['ConfigService:describeConfigRules', 'ConfigService:getComplianceDetailsByConfigRule'], - realtime_triggers: ['configservice:StartConfigurationRecorder','configservice:PutConfigRule'], + realtime_triggers: ['configservice:PutConfigurationRecorder','configservice:PutConfigRule','configservice:DeleteConfigRule'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/configservice/configDeliveryFailing.js b/plugins/aws/configservice/configDeliveryFailing.js index a2b3dfdd58..dffd8e2acd 100644 --- a/plugins/aws/configservice/configDeliveryFailing.js +++ b/plugins/aws/configservice/configDeliveryFailing.js 
@@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Configure AWS Config log files to be delivered without any failures to designated S3 bucket.', link: 'https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html', apis: ['ConfigService:describeConfigurationRecorderStatus'], - realtime_triggers: ['configservice:StartConfigurationRecorder','configservice:PutDeliveryChannel'], + realtime_triggers: ['configservice:PutConfigurationRecorder'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/configservice/configServiceEnabled.js b/plugins/aws/configservice/configServiceEnabled.js index 5d99d92383..2219f92d3f 100644 --- a/plugins/aws/configservice/configServiceEnabled.js +++ b/plugins/aws/configservice/configServiceEnabled.js @@ -17,7 +17,7 @@ module.exports = { 'could introduce security risks.', cis1: '2.5 Ensure AWS Config is enabled in all regions' }, - realtime_triggers: ['configservice:StartConfigurationRecorder','configservice:StopConfigurationRecorder'], + realtime_triggers: ['configservice:PutConfigurationRecorder','configservice:StartConfigurationRecorder','configservice:StopConfigurationRecorder'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/configservice/configServiceMissingBucket.js b/plugins/aws/configservice/configServiceMissingBucket.js index 9bcfbf963c..a1e108142c 100644 --- a/plugins/aws/configservice/configServiceMissingBucket.js +++ b/plugins/aws/configservice/configServiceMissingBucket.js 
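Review bot: configDeliveryFailing is reduced to the single trigger `configservice:PutConfigurationRecorder`, dropping both `StartConfigurationRecorder` and `PutDeliveryChannel`, but the status it reads through `ConfigService:describeConfigurationRecorderStatus` changes when the recorder is started or stopped and when the delivery channel (the S3 destination that can fail) is replaced. configServiceEnabled in the next hunk keeps Start/Stop alongside the new Put event, which is the more defensible shape; consider `realtime_triggers: ['configservice:PutConfigurationRecorder','configservice:StartConfigurationRecorder','configservice:StopConfigurationRecorder','configservice:PutDeliveryChannel'],`. configServiceMissingBucket on L598 has the same issue in sharper form: its apis include `ConfigService:describeDeliveryChannels`, yet the commit removes `configservice:PutDeliveryChannel`, the only call that points Config at a different bucket.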
@@ -11,7 +11,7 @@ module.exports = { recommended_action: 'Ensure that Amazon Config service is referencing an active S3 bucket in order to save configuration information.', link: 'https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html', apis: ['S3:listBuckets', 'ConfigService:describeDeliveryChannels', 'S3:headBucket'], - realtime_triggers: ['configservice:StartConfigurationRecorder','configservice:PutDeliveryChannel'], + realtime_triggers: ['configservice:PutConfigurationRecorder','s3:DeleteBucket'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/configservice/servicesInUse.js b/plugins/aws/configservice/servicesInUse.js index 1875b122c5..edc0f7c66f 100644 --- a/plugins/aws/configservice/servicesInUse.js +++ b/plugins/aws/configservice/servicesInUse.js @@ -25,7 +25,7 @@ module.exports = { default:'' }, }, - realtime_triggers: ['configservice:StartConfigurationRecorder','configservice:StartConfigRulesEvaluation'], + realtime_triggers: ['configservice:PutConfigurationRecorder','configservice:StartConfigurationRecorder','configservice:StopConfigurationRecorder'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/devopsguru/devOpsGuruNotificationEnabled.js b/plugins/aws/devopsguru/devOpsGuruNotificationEnabled.js index 5662a15fa4..f11900d87d 100644 --- a/plugins/aws/devopsguru/devOpsGuruNotificationEnabled.js +++ b/plugins/aws/devopsguru/devOpsGuruNotificationEnabled.js @@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Add a notification channel to DevOps Guru', link: 'https://docs.aws.amazon.com/devops-guru/latest/userguide/setting-up.html', apis: ['DevOpsGuru:listNotificationChannels'], - realtime_triggers: ['devopsguru:AddNotificationChannel'], + realtime_triggers: ['devopsguru:AddNotificationChannel','devopsguru:RemoveNotificationChannel'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/dms/autoMinorVersionUpgrade.js b/plugins/aws/dms/autoMinorVersionUpgrade.js index b92a54b943..6c2e903491 100644 --- a/plugins/aws/dms/autoMinorVersionUpgrade.js +++ b/plugins/aws/dms/autoMinorVersionUpgrade.js @@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Enable Auto Minor Version Upgrade feature in order to automatically receive minor engine upgrades for improved performance and security', link: 'https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.Modifying.html', apis: ['DMS:describeReplicationInstances'], - realtime_triggers: ['dms:CreateReplicationInstance','dms:ModifyReplicationInstance'], + realtime_triggers: ['dms:CreateReplicationInstance','dms:ModifyReplicationInstance','dms:DeleteReplicationInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/dms/dmsEncryptionEnabled.js b/plugins/aws/dms/dmsEncryptionEnabled.js index a73ce7d5b8..ea316ed081 100644 --- a/plugins/aws/dms/dmsEncryptionEnabled.js +++ b/plugins/aws/dms/dmsEncryptionEnabled.js @@ -29,7 +29,7 @@ module.exports = { default: false } }, - realtime_triggers: ['dms:CreateReplicationInstance'], + realtime_triggers: ['dms:CreateReplicationInstance','dms:DeleteReplicationInstance'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/dms/dmsMultiAZFeatureEnabled.js b/plugins/aws/dms/dmsMultiAZFeatureEnabled.js index 96c3b1e77a..c295efc55c 100644 --- a/plugins/aws/dms/dmsMultiAZFeatureEnabled.js +++ b/plugins/aws/dms/dmsMultiAZFeatureEnabled.js 
@@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Enable Multi-AZ deployment feature in order to get high availability and failover support', link: 'https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.html', apis: ['DMS:describeReplicationInstances'], - realtime_triggers: ['dms:CreateReplicationInstance','dms:ModifyReplicationInstance'], + realtime_triggers: ['dms:CreateReplicationInstance','dms:ModifyReplicationInstance','dms:DeleteReplicationInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/dms/dmsPubliclyAccessibleInstances.js b/plugins/aws/dms/dmsPubliclyAccessibleInstances.js index ea2889484d..e187e42d1d 100644 --- a/plugins/aws/dms/dmsPubliclyAccessibleInstances.js +++ b/plugins/aws/dms/dmsPubliclyAccessibleInstances.js @@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Ensure that DMS replication instances have only private IP address and not public IP address', link: 'https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.PublicPrivate.html', apis: ['DMS:describeReplicationInstances'], - realtime_triggers: ['dms:CreateReplicationInstance'], + realtime_triggers: ['dms:CreateReplicationInstance','dms:DeleteReplicationInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/documentDB/docdbClusterBackupRetention.js b/plugins/aws/documentDB/docdbClusterBackupRetention.js index 27b8b323cc..a0b34f9193 100644 --- a/plugins/aws/documentDB/docdbClusterBackupRetention.js +++ b/plugins/aws/documentDB/docdbClusterBackupRetention.js @@ -18,7 +18,7 @@ module.exports = { default: 7 } }, - realtime_triggers: ['docdb:CreateDBCluster','docdb:ModifyDBCluster'], + realtime_triggers: ['docdb:CreateDBCluster','docdb:ModifyDBCluster','docdb:DeleteDBCluster'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/documentDB/docdbClusterEncrypted.js b/plugins/aws/documentDB/docdbClusterEncrypted.js index 9c7ddada5a..ece2b66cf5 100644 --- a/plugins/aws/documentDB/docdbClusterEncrypted.js +++ b/plugins/aws/documentDB/docdbClusterEncrypted.js @@ -19,7 +19,7 @@ module.exports = { default: 'awscmk', } }, - realtime_triggers: ['docdb:CreateDBCluster','docdb:CreateDBInstance'], + realtime_triggers: ['docdb:CreateDBCluster','docdb:CreateDBInstance','docdb:DeleteDBCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/dynamodb/daxClusterEncryption.js b/plugins/aws/dynamodb/daxClusterEncryption.js index 18e525ce92..e1edcde26e 100644 --- a/plugins/aws/dynamodb/daxClusterEncryption.js +++ b/plugins/aws/dynamodb/daxClusterEncryption.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAXEncryptionAtRest.html', recommended_action: 'Enable encryption for DAX cluster.', apis: ['DAX:describeClusters'], - realtime_triggers: ['dax:CreateCluster'], + realtime_triggers: ['dax:CreateCluster','dax:DeleteCluster'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/dynamodb/dynamoContinuousBackups.js b/plugins/aws/dynamodb/dynamoContinuousBackups.js index 419af7d2ae..e6040c58fd 100644 --- a/plugins/aws/dynamodb/dynamoContinuousBackups.js +++ b/plugins/aws/dynamodb/dynamoContinuousBackups.js 
@@ -10,7 +10,7 @@ module.exports = { link: 'https://aws.amazon.com/blogs/aws/new-amazon-dynamodb-continuous-backups-and-point-in-time-recovery-pitr/', recommended_action: 'Enable Continuous Backups and Point-In-Time Recovery (PITR) features.', apis: ['DynamoDB:listTables', 'DynamoDB:describeContinuousBackups', 'STS:getCallerIdentity'], - realtime_triggers: ['dynamodb:CreateTable','dynamodb:UpdateContinuousBackups'], + realtime_triggers: ['dynamodb:CreateTable','dynamodb:UpdateContinuousBackups','dynamodb:DeleteTable'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/dynamodb/dynamoKmsEncryption.js b/plugins/aws/dynamodb/dynamoKmsEncryption.js index 69f4169c9d..15ef5e2692 100644 --- a/plugins/aws/dynamodb/dynamoKmsEncryption.js +++ b/plugins/aws/dynamodb/dynamoKmsEncryption.js @@ -29,7 +29,7 @@ module.exports = { required: false } }, - realtime_triggers: ['dynamodb:UpdateTable', 'dynamodb:CreateTable'], + realtime_triggers: ['dynamodb:CreateTable','dynamodb:UpdateTable','dynamodb:DeleteTable'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/dynamodb/dynamoTableBackupExists.js b/plugins/aws/dynamodb/dynamoTableBackupExists.js index 008178c2fc..8c15b1c876 100644 --- a/plugins/aws/dynamodb/dynamoTableBackupExists.js +++ b/plugins/aws/dynamodb/dynamoTableBackupExists.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/BackupRestore.html', recommended_action: 'Create on-demand backups for DynamoDB tables.', apis: ['DynamoDB:listTables', 'DynamoDB:listBackups', 'STS:getCallerIdentity'], - realtime_triggers: ['dynamodb:CreateTable','dynamodb:CreateBackup'], + realtime_triggers: ['dynamodb:CreateTable','backup:StartBackupJob','backup:DeleteRecoveryPoint','dynamodb:DeleteTable'], run: function(cache, settings, callback) { var results = []; 
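Review bot: dynamoTableBackupExists swaps `dynamodb:CreateBackup` for AWS Backup events, but the plugin's apis list is `DynamoDB:listBackups`, which enumerates DynamoDB's own on-demand backups; those are created by `dynamodb:CreateBackup` and removed by `dynamodb:DeleteBackup`, neither of which now triggers the check. Whether `backup:StartBackupJob` results also surface through `DynamoDB:listBackups` is not visible here, so the safer list keeps both families: `realtime_triggers: ['dynamodb:CreateTable','dynamodb:CreateBackup','dynamodb:DeleteBackup','dynamodb:DeleteTable','backup:StartBackupJob','backup:DeleteRecoveryPoint'],`.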
diff --git a/plugins/aws/dynamodb/dynamoTableHasTags.js b/plugins/aws/dynamodb/dynamoTableHasTags.js index 8c80f6721f..c1dc10edcf 100644 --- a/plugins/aws/dynamodb/dynamoTableHasTags.js +++ b/plugins/aws/dynamodb/dynamoTableHasTags.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Tagging.html', recommended_action: 'Modify DynamoDB table and add tags.', apis: ['DynamoDB:listTables', 'ResourceGroupsTaggingAPI:getResources', 'STS:getCallerIdentity'], - realtime_triggers: ['dynamodb:CreateTable','dynamodb:TagResource','dynamodb:UntagResource'], + realtime_triggers: ['dynamodb:CreateTable','dynamodb:TagResource','dynamodb:UntagResource','dynamodb:DeleteTable'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/accessKeysExtra.js b/plugins/aws/iam/accessKeysExtra.js index 1a608f92ca..bdb27a4bef 100644 --- a/plugins/aws/iam/accessKeysExtra.js +++ b/plugins/aws/iam/accessKeysExtra.js @@ -27,7 +27,7 @@ module.exports = { } ] }, - realtime_triggers: ['iam:CreateAccessKey','iam:DeleteAccessKey'], + realtime_triggers: ['iam:CreateAccessKey','iam:UpdateAccessKey','iam:DeleteAccessKey'], run: function(cache, settings, callback) { diff --git a/plugins/aws/iam/accessKeysLastUsed.js b/plugins/aws/iam/accessKeysLastUsed.js index f6eaae5d59..29f06bc999 100644 --- a/plugins/aws/iam/accessKeysLastUsed.js +++ b/plugins/aws/iam/accessKeysLastUsed.js @@ -41,7 +41,7 @@ module.exports = { } ] }, - realtime_triggers: ['iam:DeleteAccessKey'], + realtime_triggers: ['iam:CreateAccessKey','iam:DeleteAccessKey'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/canaryKeysUsed.js b/plugins/aws/iam/canaryKeysUsed.js index 2fd695d320..58e23ee8e0 100644 --- a/plugins/aws/iam/canaryKeysUsed.js +++ b/plugins/aws/iam/canaryKeysUsed.js 
@@ -32,7 +32,7 @@ module.exports = { } ] }, - realtime_triggers: ['iam:CreateUser'], + realtime_triggers: ['iam:CreateUser','iam:DeleteUser'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/certificateExpiry.js b/plugins/aws/iam/certificateExpiry.js index b7600eadc7..c76f383359 100644 --- a/plugins/aws/iam/certificateExpiry.js +++ b/plugins/aws/iam/certificateExpiry.js @@ -35,7 +35,7 @@ module.exports = { } ] }, - realtime_triggers: ['iam:UploadServerCertificate','elb:SetLoadBalancerListenerSSLCertificate'], + realtime_triggers: ['iam:UploadServerCertificate','iam:DeleteServerCertificate','elb:SetLoadBalancerListenerSSLCertificate'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/crossAccountMfaExtIdAccess.js b/plugins/aws/iam/crossAccountMfaExtIdAccess.js index 8ec7584af9..2bdfc438e2 100644 --- a/plugins/aws/iam/crossAccountMfaExtIdAccess.js +++ b/plugins/aws/iam/crossAccountMfaExtIdAccess.js @@ -9,7 +9,7 @@ module.exports = { link: 'https://aws.amazon.com/blogs/aws/mfa-protection-for-cross-account-access/', recommended_action: 'Update the IAM role to either require MFA or use an external ID.', apis: ['IAM:listRoles', 'STS:getCallerIdentity'], - realtime_triggers: ['iam:CreateRole','iam:UpdateAssumeRolePolicy'], + realtime_triggers: ['iam:CreateRole','iam:UpdateAssumeRolePolicy','iam:DeleteRole'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/emptyGroups.js b/plugins/aws/iam/emptyGroups.js index 81efd27449..0ca9213ce3 100644 --- a/plugins/aws/iam/emptyGroups.js +++ b/plugins/aws/iam/emptyGroups.js @@ -22,7 +22,7 @@ module.exports = { } ] }, - realtime_triggers: ['iam:CreateGroup','iam:DeleteGroup'], + realtime_triggers: ['iam:CreateGroup','iam:AddUserToGroup','iam:RemoveUserFromGroup','iam:DeleteGroup'], run: function(cache, settings, callback) { var results = []; 
diff --git a/plugins/aws/iam/groupInlinePolicies.js b/plugins/aws/iam/groupInlinePolicies.js index c10c4f1e79..b7de7a41ed 100644 --- a/plugins/aws/iam/groupInlinePolicies.js +++ b/plugins/aws/iam/groupInlinePolicies.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html', recommended_action: 'Remove inline policies attached to groups', apis: ['IAM:listGroups', 'IAM:listGroupPolicies'], - realtime_triggers: ['iam:CreatePolicy','iam:DeleteGroupPolicy'], + realtime_triggers: ['iam:CreateGroup','iam:PutGroupPolicy','iam:DeleteGroupPolicy','iam:DeleteGroup'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/iamMasterManagerRoles.js b/plugins/aws/iam/iamMasterManagerRoles.js index ca8a47b786..81ad30fbe1 100644 --- a/plugins/aws/iam/iamMasterManagerRoles.js +++ b/plugins/aws/iam/iamMasterManagerRoles.js @@ -129,7 +129,7 @@ module.exports = { default: '' } }, - realtime_triggers: ['iam:CreateRole'], + realtime_triggers: ['iam:CreateRole','iam:DeleteRole'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/iamPoliciesPresent.js b/plugins/aws/iam/iamPoliciesPresent.js index 72c24fe62d..7337725937 100644 --- a/plugins/aws/iam/iamPoliciesPresent.js +++ b/plugins/aws/iam/iamPoliciesPresent.js @@ -18,7 +18,7 @@ module.exports = { default: '' } }, - realtime_triggers: ['iam:CreatePolicy','iam:CreatePolicyVersion','iam:PutRolePolicy','iam:UpdateAssumeRolePolicy'], + realtime_triggers: ['iam:CreateRole','iam:DeleteRole','iam:AttachRolePolicy','iam:DetachRolePolicy','iam:PutRolePolicy','iam:DeleteRolePolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/iamRoleHasTags.js b/plugins/aws/iam/iamRoleHasTags.js index 6e94f3b66e..d51dc4bcc3 100644 --- a/plugins/aws/iam/iamRoleHasTags.js +++ b/plugins/aws/iam/iamRoleHasTags.js 
@@ -9,7 +9,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html', recommended_action: 'Modify Roles to add tags.', apis: ['IAM:listRoles', 'IAM:getRole'], - realtime_triggers: ['iam:CreateRole','iam:TagRole','iam:UntagRole'], + realtime_triggers: ['iam:CreateRole','iam:TagRole','iam:UntagRole','iam:DeleteRole'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/iamRolePolicies.js b/plugins/aws/iam/iamRolePolicies.js index 88a05fe370..b1492a0f8a 100644 --- a/plugins/aws/iam/iamRolePolicies.js +++ b/plugins/aws/iam/iamRolePolicies.js @@ -82,7 +82,7 @@ module.exports = { default: 'false' } }, - realtime_triggers: ['iam:CreatePolicy','iam:CreatePolicyVersion','iam:PutRolePolicy','iam:UpdateAssumeRolePolicy'], + realtime_triggers: ['iam:CreateRole','iam:DeleteRole','iam:AttachRolePolicy','iam:DetachRolePolicy','iam:PutRolePolicy','iam:DeleteRolePolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/iamSupportPolicy.js b/plugins/aws/iam/iamSupportPolicy.js index 19c80d72fc..704e525c3c 100644 --- a/plugins/aws/iam/iamSupportPolicy.js +++ b/plugins/aws/iam/iamSupportPolicy.js @@ -9,7 +9,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html', recommended_action: 'Ensure that an IAM role has permission to access support center.', apis: ['IAM:listPolicies'], - realtime_triggers: ['iam:CreatePolicy','iam:CreatePolicyVersion'], + realtime_triggers: ['iam:CreateRole','iam:DeleteRole','iam:AttachRolePolicy', 'iam:DetachRolePolicy','iam:CreateUser','iam:DeleteUser','iam:AttachUserPolicy','iam:DetachUserPolicy','iam:CreateGroup','iam:DeleteGroup','iam:AttachGroupPolicy','iam:DetachGroupPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/iamUserAdmins.js b/plugins/aws/iam/iamUserAdmins.js index 83f4745a5b..ad347e489d 100644 --- a/plugins/aws/iam/iamUserAdmins.js 
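Review bot: The new iamRolePolicies trigger list drops `iam:CreatePolicyVersion` and never had `iam:SetDefaultPolicyVersion`, so a managed policy that is already attached to a role can be made more permissive by publishing a new default version without any realtime re-evaluation; the attach/detach/put/delete events added here fire only when the binding changes, not when the policy document does. If this check inspects the documents of attached managed policies, as the removed trigger suggests its original author assumed, keep the policy-version events alongside the new ones: `realtime_triggers: ['iam:CreateRole','iam:DeleteRole','iam:AttachRolePolicy','iam:DetachRolePolicy','iam:PutRolePolicy','iam:DeleteRolePolicy','iam:CreatePolicyVersion','iam:SetDefaultPolicyVersion'],`. The plugin's `apis` list is outside this hunk, so whether policy contents are read cannot be confirmed from the diff alone.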
+++ b/plugins/aws/iam/iamUserAdmins.js @@ -33,7 +33,7 @@ module.exports = { default: 2 } }, - realtime_triggers: ['iam:AddUserToGroup','iam:RemoveUserFromGroup','iam:AttachGroupPolicy','iam:DetachGroupPolicy','iam:AttachUserPolicy','iam:DetachUserPolicy','iam:PutUserPolicy'], + realtime_triggers: ['iam:CreateUser','iam:DeleteUser','iam:AttachUserPolicy','iam:DetachUserPolicy','iam:PutUserPolicy','iam:DeleteUserPolicy','iam:PutGroupPolicy','iam:DeleteGroupPolicy','iam:CreateGroup','iam:DeleteGroup','iam:AddUserToGroup','iam:RemoveUserFromGroup','iam:AttachGroupPolicy','iam:DetachGroupPolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/iamUserHasTags.js b/plugins/aws/iam/iamUserHasTags.js index 5cb5c84171..fa69769f39 100644 --- a/plugins/aws/iam/iamUserHasTags.js +++ b/plugins/aws/iam/iamUserHasTags.js @@ -9,7 +9,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags_users.html', recommended_action: 'Modify IAM User and add tags', apis: ['IAM:listUsers', 'IAM:getUser'], - realtime_triggers: ['iam:CreateUser','iam:TagUser','iam:UntagUser'], + realtime_triggers: ['iam:CreateUser','iam:DeleteUser','iam:TagUser','iam:UntagUser'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/iamUserNameRegex.js b/plugins/aws/iam/iamUserNameRegex.js index 6e4e1296c1..8e9733a5b8 100644 --- a/plugins/aws/iam/iamUserNameRegex.js +++ b/plugins/aws/iam/iamUserNameRegex.js @@ -30,7 +30,7 @@ module.exports = { } ] }, - realtime_triggers: ['iam:CreateUser','iam:DeleteUser','iam:UpdateUser'], + realtime_triggers: ['iam:CreateUser','iam:DeleteUser'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/iamUserPresent.js b/plugins/aws/iam/iamUserPresent.js index 8b25967d3f..97b22502e5 100644 --- a/plugins/aws/iam/iamUserPresent.js +++ b/plugins/aws/iam/iamUserPresent.js 
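Review bot: Dropping `iam:UpdateUser` from iamUserNameRegex removes the one event that changes an existing user's name (`UpdateUser` carries `NewUserName`), so a user renamed into a non-conforming name after creation will not be re-evaluated until the next full scan; create and delete only cover new and removed users. Every other removal in this commit replaces a trigger with a more precise one, but here nothing replaces it. Restore it: `realtime_triggers: ['iam:CreateUser','iam:UpdateUser','iam:DeleteUser'],`.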
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html', recommended_action: 'Create IAM user(s) and use them to access AWS services and resources.', apis: ['IAM:listUsers'], - realtime_triggers: ['iam:CreateUser'], + realtime_triggers: ['iam:CreateUser','iam:DeleteUser'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/iamUserUnauthorizedToEdit.js b/plugins/aws/iam/iamUserUnauthorizedToEdit.js index 27093a62e5..f539630786 100644 --- a/plugins/aws/iam/iamUserUnauthorizedToEdit.js +++ b/plugins/aws/iam/iamUserUnauthorizedToEdit.js @@ -45,7 +45,7 @@ module.exports = { default: '' } }, - realtime_triggers: ['iam:AddUserToGroup','iam:RemoveUserFromGroup','iam:AttachGroupPolicy','iam:DetachGroupPolicy','iam:AttachUserPolicy','iam:DetachUserPolicy','iam:PutUserPolicy'], + realtime_triggers: ['iam:CreateUser','iam:DeleteUser','iam:AttachUserPolicy','iam:DetachUserPolicy','iam:PutUserPolicy','iam:DeleteUserPolicy','iam:PutGroupPolicy','iam:DeleteGroupPolicy','iam:CreateGroup','iam:DeleteGroup','iam:AddUserToGroup','iam:RemoveUserFromGroup','iam:AttachGroupPolicy','iam:DetachGroupPolicy'], run: function(cache, settings, callback) { var whitelisted_users = settings.iam_authorized_user_arns || this.settings.iam_authorized_user_arns.default; diff --git a/plugins/aws/iam/iamUserWithoutPermissions.js b/plugins/aws/iam/iamUserWithoutPermissions.js index 8b1c7e87f5..48d5965731 100644 --- a/plugins/aws/iam/iamUserWithoutPermissions.js +++ b/plugins/aws/iam/iamUserWithoutPermissions.js 
@@ -11,7 +11,7 @@ module.exports = { recommended_action: 'Modify IAM user and attach new permissions or delete the user.', apis: ['IAM:listUsers', 'IAM:listUserPolicies', 'IAM:listAttachedUserPolicies', 'IAM:getPolicyVersion' ,'IAM:listGroupsForUser', 'IAM:listGroups', 'IAM:listGroupPolicies', 'IAM:listAttachedGroupPolicies'], - realtime_triggers: ['iam:AddUserToGroup','iam:RemoveUserFromGroup','iam:AttachGroupPolicy','iam:DetachGroupPolicy','iam:AttachUserPolicy','iam:DetachUserPolicy','iam:PutUserPolicy'], + realtime_triggers: ['iam:CreateUser','iam:DeleteUser','iam:AttachUserPolicy','iam:DetachUserPolicy','iam:PutUserPolicy','iam:DeleteUserPolicy','iam:PutGroupPolicy','iam:DeleteGroupPolicy','iam:CreateGroup','iam:DeleteGroup','iam:AddUserToGroup','iam:RemoveUserFromGroup','iam:AttachGroupPolicy','iam:DetachGroupPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/maxPasswordAge.js b/plugins/aws/iam/maxPasswordAge.js index 74e36a6c70..b5d17e7f03 100644 --- a/plugins/aws/iam/maxPasswordAge.js +++ b/plugins/aws/iam/maxPasswordAge.js @@ -58,7 +58,7 @@ module.exports = { } ] }, - realtime_triggers: ['iam:UpdateAccountPasswordPolicy'], + realtime_triggers: ['iam:UpdateAccountPasswordPolicy','iam:DeleteAccountPasswordPolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/minPasswordLength.js b/plugins/aws/iam/minPasswordLength.js index c04143dc79..06477b061f 100644 --- a/plugins/aws/iam/minPasswordLength.js +++ b/plugins/aws/iam/minPasswordLength.js @@ -59,7 +59,7 @@ module.exports = { } ] }, - realtime_triggers: ['iam:UpdateAccountPasswordPolicy'], + realtime_triggers: ['iam:UpdateAccountPasswordPolicy','iam:DeleteAccountPasswordPolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/noUserIamPolicies.js b/plugins/aws/iam/noUserIamPolicies.js index c1b90e0d13..fe6259bbd1 100644 --- a/plugins/aws/iam/noUserIamPolicies.js 
+++ b/plugins/aws/iam/noUserIamPolicies.js @@ -13,7 +13,7 @@ module.exports = { compliance: { cis1: '1.16 Ensure IAM policies are attached only to groups or roles' }, - realtime_triggers: ['iam:AttachUserPolicy','iam:DetachUserPolicy'], + realtime_triggers: ['iam:CreateUser','iam:DeleteUser','iam:AttachUserPolicy','iam:DetachUserPolicy','iam:PutUserPolicy','iam:DeleteUserPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/passwordExpiration.js b/plugins/aws/iam/passwordExpiration.js index c0fe596656..cfc2795295 100644 --- a/plugins/aws/iam/passwordExpiration.js +++ b/plugins/aws/iam/passwordExpiration.js @@ -39,7 +39,7 @@ module.exports = { } ] }, - realtime_triggers: ['iam:UpdateAccountPasswordPolicy'], + realtime_triggers: ['iam:UpdateAccountPasswordPolicy','iam:DeleteAccountPasswordPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/passwordPolicyExists.js b/plugins/aws/iam/passwordPolicyExists.js index 4b883abc27..e869f802ee 100644 --- a/plugins/aws/iam/passwordPolicyExists.js +++ b/plugins/aws/iam/passwordPolicyExists.js @@ -9,7 +9,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html', recommended_action: 'Create a password policy under account settings in IAM', apis: ['IAM:getAccountPasswordPolicy'], - realtime_triggers: ['iam:UpdateAccountPasswordPolicy'], + realtime_triggers: ['iam:UpdateAccountPasswordPolicy','iam:DeleteAccountPasswordPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/passwordRequiresLowercase.js b/plugins/aws/iam/passwordRequiresLowercase.js index ee4a74440a..5943cca37f 100644 --- a/plugins/aws/iam/passwordRequiresLowercase.js +++ b/plugins/aws/iam/passwordRequiresLowercase.js 
@@ -27,7 +27,7 @@ module.exports = { 'requirements enforces this policy.', cis1: '1.6 Ensure IAM password policy require at least one lowercase letter' }, - realtime_triggers: ['iam:UpdateAccountPasswordPolicy'], + realtime_triggers: ['iam:UpdateAccountPasswordPolicy','iam:DeleteAccountPasswordPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/passwordRequiresNumbers.js b/plugins/aws/iam/passwordRequiresNumbers.js index a846f25dbc..8a0cf5cdb8 100644 --- a/plugins/aws/iam/passwordRequiresNumbers.js +++ b/plugins/aws/iam/passwordRequiresNumbers.js @@ -27,7 +27,7 @@ module.exports = { 'requirements enforces this policy.', cis1: '1.8 Ensure IAM password policy require at least one number' }, - realtime_triggers: ['iam:UpdateAccountPasswordPolicy'], + realtime_triggers: ['iam:UpdateAccountPasswordPolicy','iam:DeleteAccountPasswordPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/passwordRequiresSymbols.js b/plugins/aws/iam/passwordRequiresSymbols.js index 0a9953f9a0..a162603ff0 100644 --- a/plugins/aws/iam/passwordRequiresSymbols.js +++ b/plugins/aws/iam/passwordRequiresSymbols.js @@ -27,7 +27,8 @@ module.exports = { 'requirements enforces this policy.', cis1: '1.7 Ensure IAM password policy require at least one symbol' }, - realtime_triggers: ['iam:UpdateAccountPasswordPolicy'], + realtime_triggers: ['iam:UpdateAccountPasswordPolicy','iam:DeleteAccountPasswordPolicy'], + run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/passwordRequiresUppercase.js b/plugins/aws/iam/passwordRequiresUppercase.js index c1667854d2..07aea43b15 100644 --- a/plugins/aws/iam/passwordRequiresUppercase.js +++ b/plugins/aws/iam/passwordRequiresUppercase.js 
@@ -27,7 +27,7 @@ module.exports = { 'requirements enforces this policy.', cis1: '1.5 Ensure IAM password policy requires at least one uppercase letter' }, - realtime_triggers: ['iam:UpdateAccountPasswordPolicy'], + realtime_triggers: ['iam:UpdateAccountPasswordPolicy','iam:DeleteAccountPasswordPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/passwordReusePrevention.js b/plugins/aws/iam/passwordReusePrevention.js index d6301d43cc..7e546e994c 100644 --- a/plugins/aws/iam/passwordReusePrevention.js +++ b/plugins/aws/iam/passwordReusePrevention.js @@ -47,7 +47,7 @@ module.exports = { default: 24 } }, - realtime_triggers: ['iam:UpdateAccountPasswordPolicy'], + realtime_triggers: ['iam:UpdateAccountPasswordPolicy','iam:DeleteAccountPasswordPolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/policyAllowsToChangePassword.js b/plugins/aws/iam/policyAllowsToChangePassword.js index b307b9f68b..89376de13b 100644 --- a/plugins/aws/iam/policyAllowsToChangePassword.js +++ b/plugins/aws/iam/policyAllowsToChangePassword.js @@ -27,7 +27,7 @@ module.exports = { 'requirements enforces this policy.', cis1: '1.6 Ensure IAM password policy allows users to change their passwords' }, - realtime_triggers: ['iam:UpdateAccountPasswordPolicy'], + realtime_triggers: ['iam:UpdateAccountPasswordPolicy','iam:DeleteAccountPasswordPolicy'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/rolePolicyUnusedServices.js b/plugins/aws/iam/rolePolicyUnusedServices.js index 89fc8c8511..d5645400c8 100644 --- a/plugins/aws/iam/rolePolicyUnusedServices.js +++ b/plugins/aws/iam/rolePolicyUnusedServices.js 
@@ -94,7 +94,7 @@ module.exports = { default: 'false' } }, - realtime_triggers: ['iam:CreatePolicy','iam:UpdatePolicy','iam:PutRolePolicy'], + realtime_triggers: ['iam:CreateRole','iam:DeleteRole','iam:AttachRolePolicy','iam:DetachRolePolicy','iam:PutRolePolicy','iam:DetachRolePolicy'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/rootAccountInUse.js b/plugins/aws/iam/rootAccountInUse.js index 15ba607330..d980f62496 100644 --- a/plugins/aws/iam/rootAccountInUse.js +++ b/plugins/aws/iam/rootAccountInUse.js @@ -27,7 +27,6 @@ module.exports = { default: 15 } }, - realtime_triggers: ['iam:CreateUser'], run: function(cache, settings, callback) { this._run(cache, settings, callback, new Date()); diff --git a/plugins/aws/iam/rootHardwareMfa.js b/plugins/aws/iam/rootHardwareMfa.js index 22a9da6ed9..f09d381318 100644 --- a/plugins/aws/iam/rootHardwareMfa.js +++ b/plugins/aws/iam/rootHardwareMfa.js @@ -9,7 +9,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html', recommended_action: 'Enable a hardware MFA device for the root account and disable any virtual devices', apis: ['IAM:listVirtualMFADevices', 'IAM:getAccountSummary'], - realtime_triggers: ['iam:EnableMFADevice','iam:DeactivateMFADevice'], + realtime_triggers: ['iam:CreateVirtualMFADevice','iam:DeleteVirtualMFADevice'], run: function(cache, settings, callback) { var results = []; @@ -29,7 +29,6 @@ module.exports = { var listVirtualMFADevices = helpers.addSource(cache, source, ['iam', 'listVirtualMFADevices', region]); - if (!listVirtualMFADevices || listVirtualMFADevices.err || !listVirtualMFADevices.data) { diff --git a/plugins/aws/iam/rootMfaEnabled.js b/plugins/aws/iam/rootMfaEnabled.js index ce10730b53..0f4234cf55 100644 --- a/plugins/aws/iam/rootMfaEnabled.js +++ b/plugins/aws/iam/rootMfaEnabled.js 
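Review bot: The new rolePolicyUnusedServices list contains `iam:DetachRolePolicy` twice and has no `iam:DeleteRolePolicy`, unlike the otherwise identical lists in the iamPoliciesPresent and iamRolePolicies hunks earlier in this commit; the duplicate reads as a typo for the delete event, so removing an inline role policy will not trigger this check. Replace the last entry: `realtime_triggers: ['iam:CreateRole','iam:DeleteRole','iam:AttachRolePolicy','iam:DetachRolePolicy','iam:PutRolePolicy','iam:DeleteRolePolicy'],`. As in iamRolePolicies, `iam:CreatePolicyVersion` was dropped here as well; if this check reads the documents of attached managed policies, a new default policy version changes the result without any attach or detach event, and the trigger should stay.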
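Review bot: rootHardwareMfa now triggers only on `iam:CreateVirtualMFADevice`/`iam:DeleteVirtualMFADevice` and no longer on `iam:EnableMFADevice`/`iam:DeactivateMFADevice`, but the enable/deactivate calls are the ones that actually bind a device to a principal: creating a virtual device object does not enable it, a hardware token is enabled with no CreateVirtualMFADevice call at all, and a virtual device must be deactivated before it can be deleted. For a check whose point is "hardware rather than virtual MFA on root", the enable/deactivate events are exactly the state changes to watch, so keep both pairs: `realtime_triggers: ['iam:CreateVirtualMFADevice','iam:DeleteVirtualMFADevice','iam:EnableMFADevice','iam:DeactivateMFADevice'],`. The same replacement is made in the rootMfaEnabled and usersMfaEnabled hunks below and leaves the same gap there.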
@@ -15,7 +15,7 @@ module.exports = { 'a safe location for use as backup for named IAM users.', cis1: '1.13 Ensure MFA is enabled for the "root" account' }, - realtime_triggers: ['iam:EnableMFADevice','iam:DeactivateMFADevice'], + realtime_triggers: ['iam:CreateVirtualMFADevice','iam:DeleteVirtualMFADevice'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/rootSigningCertificate.js b/plugins/aws/iam/rootSigningCertificate.js index 7d748d88e9..fbda0782a7 100644 --- a/plugins/aws/iam/rootSigningCertificate.js +++ b/plugins/aws/iam/rootSigningCertificate.js @@ -15,7 +15,7 @@ module.exports = { 'since it is not tied to a specific user. The root signing keys ' + 'should not be used.' }, - realtime_triggers: ['iam:DeleteSigningCertificate'], + realtime_triggers: ['iam:DeleteSigningCertificate','iam:UploadSigningCertificate'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/sshKeysRotated.js b/plugins/aws/iam/sshKeysRotated.js index 4c3a2930e8..c90dca4dcb 100644 --- a/plugins/aws/iam/sshKeysRotated.js +++ b/plugins/aws/iam/sshKeysRotated.js @@ -23,7 +23,7 @@ module.exports = { default: 180 } }, - realtime_triggers: ['iam:UploadSSHPublicKey'], + realtime_triggers: ['iam:UploadSSHPublicKey','iam:DeleteSSHPublicKey'], run: function(cache, settings, callback) { var config = { diff --git a/plugins/aws/iam/trustedCrossAccountRoles.js b/plugins/aws/iam/trustedCrossAccountRoles.js index 22f6455c1b..c6ff032a69 100644 --- a/plugins/aws/iam/trustedCrossAccountRoles.js +++ b/plugins/aws/iam/trustedCrossAccountRoles.js @@ -30,7 +30,7 @@ module.exports = { default: 'false' } }, - realtime_triggers: ['iam:CreateRole','iam:UpdateAssumeRolePolicy','iam:DeleteRole'], + realtime_triggers: ['iam:CreateRole','iam:DeleteRole'], run: function(cache, settings, callback) { var config= { diff --git a/plugins/aws/iam/usersMfaEnabled.js b/plugins/aws/iam/usersMfaEnabled.js index dd7a9edeba..ef963a9817 100644 
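Review bot: trustedCrossAccountRoles drops `iam:UpdateAssumeRolePolicy`, which is the API that rewrites a role's trust policy and therefore the only way an existing role starts trusting a new account; with only create and delete left, an edit to the trust relationship of an existing role, the classic cross-account persistence move, is not re-evaluated in realtime. The crossAccountMfaExtIdAccess hunk earlier in this commit keeps that trigger for the same reason. Restore it: `realtime_triggers: ['iam:CreateRole','iam:UpdateAssumeRolePolicy','iam:DeleteRole'],`.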
--- a/plugins/aws/iam/usersMfaEnabled.js +++ b/plugins/aws/iam/usersMfaEnabled.js @@ -31,7 +31,7 @@ module.exports = { } ] }, - realtime_triggers: ['iam:EnableMFADevice','iam:DeactivateMFADevice'], + realtime_triggers: ['iam:CreateVirtualMFADevice','iam:DeleteVirtualMFADevice'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/usersPasswordAndKeys.js b/plugins/aws/iam/usersPasswordAndKeys.js index a736d1ee4b..8e2d558cfe 100644 --- a/plugins/aws/iam/usersPasswordAndKeys.js +++ b/plugins/aws/iam/usersPasswordAndKeys.js @@ -18,7 +18,7 @@ module.exports = { default: '^.*$' } }, - realtime_triggers: ['iam:CreateAccessKey','iam:DeleteAccessKey'], + realtime_triggers: ['iam:CreateLoginProfile','iam:DeleteLoginProfile','iam:CreateAccessKey','iam:DeleteAccessKey'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/imagebuilder/dockerfileTemplateEncrypted.js b/plugins/aws/imagebuilder/dockerfileTemplateEncrypted.js index 53ea04c39a..cd1d3ef694 100644 --- a/plugins/aws/imagebuilder/dockerfileTemplateEncrypted.js +++ b/plugins/aws/imagebuilder/dockerfileTemplateEncrypted.js @@ -20,7 +20,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['imagebuilder:CreateContainerRecipe'], + realtime_triggers: ['imagebuilder:CreateContainerRecipe','imagebuilder:DeleteContainerRecipe'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/imagebuilder/enhancedMetadataEnabled.js b/plugins/aws/imagebuilder/enhancedMetadataEnabled.js index f29c088a91..e8eb93f0bc 100644 --- a/plugins/aws/imagebuilder/enhancedMetadataEnabled.js +++ b/plugins/aws/imagebuilder/enhancedMetadataEnabled.js 
@@ -11,7 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/imagebuilder/latest/userguide/start-build-image-pipeline.html', recommended_action: 'Enable enhanced metadata collection for image pipeline.', apis: ['Imagebuilder:listImagePipelines'], - realtime_triggers: ['imagebuilder:CreateImagePipeline','imagebuilder:UpdateImagePipeline'], + realtime_triggers: ['imagebuilder:CreateImagePipeline','imagebuilder:UpdateImagePipeline','imagebuilder:DeleteImagePipeline'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/imagebuilder/imageRecipeVolumeEncrypted.js b/plugins/aws/imagebuilder/imageRecipeVolumeEncrypted.js index 1adf301224..f0676ca7b5 100644 --- a/plugins/aws/imagebuilder/imageRecipeVolumeEncrypted.js +++ b/plugins/aws/imagebuilder/imageRecipeVolumeEncrypted.js @@ -20,7 +20,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['Imagebuilder:CreateImageRecipe'], + realtime_triggers: ['Imagebuilder:CreateImageRecipe','Imagebuilder:DeleteImageRecipe'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/imagebuilder/imgBuilderComponentsEncrypted.js b/plugins/aws/imagebuilder/imgBuilderComponentsEncrypted.js index 5a7321912c..20f5e23b4d 100644 --- a/plugins/aws/imagebuilder/imgBuilderComponentsEncrypted.js +++ b/plugins/aws/imagebuilder/imgBuilderComponentsEncrypted.js @@ -20,7 +20,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['Imagebuilder:CreateComponent'], + realtime_triggers: ['Imagebuilder:CreateComponent','Imagebuilder:DeleteComponent'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/imagebuilder/infraConfigNotificationEnabled.js b/plugins/aws/imagebuilder/infraConfigNotificationEnabled.js index 17d5cd2af8..ceb7310083 100644 --- a/plugins/aws/imagebuilder/infraConfigNotificationEnabled.js +++ b/plugins/aws/imagebuilder/infraConfigNotificationEnabled.js 
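Review bot: The imageRecipeVolumeEncrypted and imgBuilderComponentsEncrypted hunks keep and extend trigger names with a capitalised `Imagebuilder:` prefix, while dockerfileTemplateEncrypted and enhancedMetadataEnabled in this same commit use `imagebuilder:`, and every other service in the diff uses a lowercase prefix. If trigger names are compared case-sensitively against a lowercased event source (the matching code is not in this diff), these entries never fire and the newly added delete events inherit the problem. Normalise while the lines are being touched: `realtime_triggers: ['imagebuilder:CreateImageRecipe','imagebuilder:DeleteImageRecipe'],` and `realtime_triggers: ['imagebuilder:CreateComponent','imagebuilder:DeleteComponent'],`; the infraConfigNotificationEnabled hunk on the next line carries the same prefix.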
@@ -11,7 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/imagebuilder/latest/userguide/manage-infra-config.html', recommended_action: 'Enable SNS notification in EC2 Image Builder infrastructure configurations to get notified of any changes in the service.', apis: ['Imagebuilder:listInfrastructureConfigurations', 'Imagebuilder:getInfrastructureConfiguration'], - realtime_triggers: ['Imagebuilder:CreateInfrastructureConfiguration','Imagebuilder:UpdateInfrastructureConfiguration'], + realtime_triggers: ['Imagebuilder:CreateInfrastructureConfiguration','Imagebuilder:UpdateInfrastructureConfiguration','Imagebuilder:DeleteInfrastructureConfiguration'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/kendra/kendraIndexEncrypted.js b/plugins/aws/kendra/kendraIndexEncrypted.js index 32b93d2f27..7af4e61fc7 100644 --- a/plugins/aws/kendra/kendraIndexEncrypted.js +++ b/plugins/aws/kendra/kendraIndexEncrypted.js @@ -18,7 +18,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['kendra:CreateIndex','kendra:UpdateIndex'], + realtime_triggers: ['kendra:CreateIndex','kendra:UpdateIndex','kendra:DeleteIndex'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/kinesis/kinesisDataStreamsEncrypted.js b/plugins/aws/kinesis/kinesisDataStreamsEncrypted.js index 9e7b13bfed..7eddba6e5a 100644 --- a/plugins/aws/kinesis/kinesisDataStreamsEncrypted.js +++ b/plugins/aws/kinesis/kinesisDataStreamsEncrypted.js @@ -20,7 +20,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['kinesis:CreateStream','kinesis:StartStreamEncryption'], + realtime_triggers: ['kinesis:CreateStream','kinesis:StartStreamEncryption','kinesis:StopStreamEncryption','kinesis:DeleteStream'], run: function(cache, settings, callback) { diff --git a/plugins/aws/kinesis/kinesisEncrypted.js b/plugins/aws/kinesis/kinesisEncrypted.js index fd86f6d90c..230b5582c5 100644 --- a/plugins/aws/kinesis/kinesisEncrypted.js 
+++ b/plugins/aws/kinesis/kinesisEncrypted.js @@ -36,7 +36,7 @@ module.exports = { remediate: ['kinesis:StartStreamEncryption'], rollback: ['kinesis:StopStreamEncryption'] }, - realtime_triggers: ['kinesis:CreateStream', 'kinesis:StopStreamEncryption'], + realtime_triggers: ['kinesis:CreateStream','kinesis:StartStreamEncryption','kinesis:StopStreamEncryption','kinesis:DeleteStream'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/kinesisvideo/videostreamDataEncrypted.js b/plugins/aws/kinesisvideo/videostreamDataEncrypted.js index c5b1ca5d90..68decf82f8 100644 --- a/plugins/aws/kinesisvideo/videostreamDataEncrypted.js +++ b/plugins/aws/kinesisvideo/videostreamDataEncrypted.js @@ -19,7 +19,7 @@ module.exports = { default: 'awscmk' } }, - realtime_triggers: ['kinesisvideo:CreateStream', 'kinesisvideo:UpdateStream'], + realtime_triggers: ['kinesisvideo:CreateStream', 'kinesisvideo:DeleteStream'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/kms/kmsAppTierCmk.js b/plugins/aws/kms/kmsAppTierCmk.js index 8836fba5a0..7ece15b306 100644 --- a/plugins/aws/kms/kmsAppTierCmk.js +++ b/plugins/aws/kms/kmsAppTierCmk.js @@ -18,7 +18,7 @@ module.exports = { default: '' }, }, - realtime_triggers: ['kms:CreateKey','kms:TagResource'], + realtime_triggers: ['kms:CreateKey'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/kms/kmsDefaultKeyUsage.js b/plugins/aws/kms/kmsDefaultKeyUsage.js index 043345f775..47ef1a2d27 100644 --- a/plugins/aws/kms/kmsDefaultKeyUsage.js +++ b/plugins/aws/kms/kmsDefaultKeyUsage.js 
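Review bot: kmsAppTierCmk drops `kms:TagResource` and keeps only `kms:CreateKey`, yet the setting block directly above it (an empty-string default) and the plugin name suggest the check identifies the app-tier key by a tag, in which case tagging or untagging an existing key is the state change that flips the result and `CreateKey` alone misses it. If that reading is right, keep the tag events and add the inverse: `realtime_triggers: ['kms:CreateKey','kms:TagResource','kms:UntagResource'],`. If the check no longer looks at tags, a short comment on the line saying so would stop the next reader re-adding them.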
@@ -20,7 +20,7 @@ module.exports = {
 'passwords, it is still strongly encouraged to use a ' + 'customer-provided CMK rather than the default KMS key.' },
- realtime_triggers: ['cloudtrail:CreateTrail','cloudtrail:UpdateTrail','ec2:CreateVolume','elastictranscoder:UpdatePipeline','elastictranscoder:CreatePipeline','rds:CreateDBInstance','rds:ModifyDBInstance','redshift:CreateCluster','redshift:ModifyCluster','s3:CreateBucket','s3:PutBucketEncryption','ses:CreateReceiptRule','ses:UpdateReceiptRule','workspaces:CreateWorkspaces','lamda:UpdateFunctionConfiguration','lamda:CreateFunction','cloudwatchlogs:CreateLogGroup','cloudwatchlogs:AssociateKmsKey','efs:CreateFileSystem'],
+ realtime_triggers: ['cloudtrail:CreateTrail','cloudtrail:UpdateTrail','cloudtrail:DeleteTrail','ec2:CreateVolume','ec2:DeleteVolume','elastictranscoder:UpdatePipeline','elastictranscoder:CreatePipeline','elastictranscoder:DeletePipeline','rds:CreateDBInstance','rds:ModifyDBInstance','rds:DeleteDBInstance','redshift:CreateCluster','redshift:ModifyCluster','redshift:DeleteCluster','s3:CreateBucket','s3:DeleteBucket','s3:PutBucketEncryption','ses:CreateReceiptRule','ses:DeleteReceiptRule','ses:UpdateReceiptRule','workspaces:CreateWorkspaces','workspaces:TerminateWorkspaces','lambda:UpdateFunctionConfiguration','lambda:CreateFunction','lambda:DeleteFunction','cloudwatchlogs:CreateLogGroup','cloudwatchlogs:DeleteLogGroup','cloudwatchlogs:AssociateKmsKey','efs:CreateFileSystem',':efs:DeleteFileSystem'],
 run: function(cache, settings, callback) { var results = [];
diff --git a/plugins/aws/kms/kmsDuplicateGrants.js b/plugins/aws/kms/kmsDuplicateGrants.js
index 034e9ce456..4926b7b093 100644
--- a/plugins/aws/kms/kmsDuplicateGrants.js
+++ b/plugins/aws/kms/kmsDuplicateGrants.js
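Review bot: The last entry of the new kmsDefaultKeyUsage list is `':efs:DeleteFileSystem'`, with a stray leading colon, so it can never match an `efs:` event and EFS deletions are silently not covered; the same line fixes the old `lamda:` → `lambda:` typo, which makes the new one easy to miss in review. Change it to `'efs:DeleteFileSystem'`. A unit test asserting that every `realtime_triggers` entry across plugins matches `^[a-z0-9]+:[A-Za-z0-9]+$` would have caught both the old `lamda:` entries and this one.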
@@ -10,7 +10,7 @@ module.exports = {
 recommended_action: 'Delete duplicate grants for AWS KMS keys', link: 'https://docs.aws.amazon.com/kms/latest/developerguide/grants.html', apis: ['KMS:listKeys', 'KMS:listGrants', 'KMS:describeKey'],
- realtime_triggers: ['kms:CreateKey','kms:RevokeGrant'],
+ realtime_triggers: ['kms:CreateKey','kms:RevokeGrant','kms:CreateGrant'],
 run: function(cache, settings, callback) { var results = [];
diff --git a/plugins/aws/kms/kmsGrantLeastPrivilege.js b/plugins/aws/kms/kmsGrantLeastPrivilege.js
index b73190e98d..079c5ad5b3 100644
--- a/plugins/aws/kms/kmsGrantLeastPrivilege.js
+++ b/plugins/aws/kms/kmsGrantLeastPrivilege.js
@@ -9,7 +9,7 @@ module.exports = {
 recommended_action: 'Create KMS grants with minimum permission required', link: 'https://docs.aws.amazon.com/kms/latest/developerguide/grants.html', apis: ['KMS:listKeys', 'KMS:listGrants', 'KMS:describeKey'],
- realtime_triggers: ['kms:CreateKey','kms:CreateGrant'],
+ realtime_triggers: ['kms:CreateKey','kms:RevokeGrant','kms:CreateGrant'],
 run: function(cache, settings, callback) { var results = [];
diff --git a/plugins/aws/kms/kmsKeyRotation.js b/plugins/aws/kms/kmsKeyRotation.js
index 00305796df..2760e9e4ae 100644
--- a/plugins/aws/kms/kmsKeyRotation.js
+++ b/plugins/aws/kms/kmsKeyRotation.js
@@ -25,7 +25,7 @@ module.exports = {
 default: 'aqua-cspm' } },
- realtime_triggers: ['kms:CreateKey','kms:EnableKeyRotation'],
+ realtime_triggers: ['kms:CreateKey','kms:EnableKeyRotation','kms:DisableKeyRotation','kms:ScheduleKeyDeletion','kms:CancelKeyDeletion'],
 run: function(cache, settings, callback) { var results = [];
diff --git a/plugins/aws/kms/kmsScheduledDeletion.js b/plugins/aws/kms/kmsScheduledDeletion.js
index 5f6589822d..23d7ed2373 100644
--- a/plugins/aws/kms/kmsScheduledDeletion.js
+++ b/plugins/aws/kms/kmsScheduledDeletion.js
@@ -22,7 +22,7 @@ module.exports = { } ] },
- realtime_triggers: ['kms:ScheduleKeyDeletion','kms:CancelKeyDeletion'],
+ realtime_triggers: ['kms:CreateKey','kms:ScheduleKeyDeletion','kms:CancelKeyDeletion'],
 run: function(cache, settings, callback) { var results = [];
From ab36543af487119b8605f95b0e833cd1f06f68f1 Mon Sep 17 00:00:00 2001
From: alphadev4 Date: Wed, 15 Nov 2023 14:25:27 +0500 Subject: [PATCH 036/498] syncing with saas --- .../aws/ses/getIdentityDkimAttributes.js | 46 +- collectors/azure/collector.js | 8 +- .../azure/fileService/listSharesSegmented.js | 60 +- exports.js | 1 - helpers/aws/functions.js | 80 +- helpers/aws/regions.js | 2 +- helpers/azure/api.js | 52 +- helpers/azure/functions.js | 24 +- helpers/azure/locations.js | 5 +- helpers/azure/resources.js | 10 + helpers/google/api.js | 3 +- helpers/google/index.js | 18 +- helpers/shared.js | 4 + .../aws/appmesh/appmeshTLSRequired.spec.js | 2 +- plugins/aws/ec2/defaultVpcInUse.spec.js | 850 ++++++++++++++++++ plugins/aws/ec2/ec2MetadataOptions.js | 6 +- plugins/aws/ec2/openAllPortsProtocols.js | 5 +- .../aws/ec2/openAllPortsProtocolsEgress.js | 9 +- plugins/aws/ec2/openCIFS.js | 8 + plugins/aws/ec2/openCIFS.spec.js | 9 + plugins/aws/ec2/openCassandraClient.js | 8 + plugins/aws/ec2/openCassandraClient.spec.js | 9 + plugins/aws/ec2/openCassandraInternode.js | 8 + .../aws/ec2/openCassandraInternode.spec.js | 9 + plugins/aws/ec2/openCassandraMonitoring.js | 8 + .../aws/ec2/openCassandraMonitoring.spec.js | 9 + plugins/aws/ec2/openCassandraThrift.js | 10 +- plugins/aws/ec2/openCassandraThrift.spec.js | 9 + plugins/aws/ec2/openCustomPorts.js | 8 + plugins/aws/ec2/openCustomPorts.spec.js | 9 + plugins/aws/ec2/openDNS.js | 8 + plugins/aws/ec2/openDNS.spec.js | 9 + plugins/aws/ec2/openDocker.js | 8 + plugins/aws/ec2/openDocker.spec.js | 9 + plugins/aws/ec2/openElasticsearch.js | 8 + plugins/aws/ec2/openElasticsearch.spec.js | 9 + plugins/aws/ec2/openFTP.js | 8 + plugins/aws/ec2/openFTP.spec.js | 8 + plugins/aws/ec2/openHTTP.js | 26 +- plugins/aws/ec2/openHTTP.spec.js | 53 +- plugins/aws/ec2/openHTTPS.js | 26 +- plugins/aws/ec2/openHTTPS.spec.js | 53 +- plugins/aws/ec2/openHadoopNameNode.js | 8 + plugins/aws/ec2/openHadoopNameNode.spec.js | 9 + plugins/aws/ec2/openHadoopNameNodeWebUI.js | 8 + .../aws/ec2/openHadoopNameNodeWebUI.spec.js | 9 
+ plugins/aws/ec2/openInternalWeb.js | 8 + plugins/aws/ec2/openInternalWeb.spec.js | 9 + plugins/aws/ec2/openKibana.js | 8 + plugins/aws/ec2/openKibana.spec.js | 9 + plugins/aws/ec2/openLDAP.js | 8 + plugins/aws/ec2/openLDAP.spec.js | 9 + plugins/aws/ec2/openLDAPS.js | 8 + plugins/aws/ec2/openLDAPS.spec.js | 9 + plugins/aws/ec2/openMemcached.js | 8 + plugins/aws/ec2/openMemcached.spec.js | 9 + plugins/aws/ec2/openMongoDB.js | 9 + plugins/aws/ec2/openMongoDB.spec.js | 9 + plugins/aws/ec2/openMySQL.js | 8 + plugins/aws/ec2/openMySQL.spec.js | 9 + plugins/aws/ec2/openNetBIOS.js | 8 + plugins/aws/ec2/openNetBIOS.spec.js | 9 + plugins/aws/ec2/openOracle.js | 9 +- plugins/aws/ec2/openOracle.spec.js | 9 + .../aws/ec2/openOracleAutoDataWarehouse.js | 8 + .../ec2/openOracleAutoDataWarehouse.spec.js | 9 + plugins/aws/ec2/openPostgreSQL.js | 8 + plugins/aws/ec2/openPostgreSQL.spec.js | 9 + plugins/aws/ec2/openRDP.js | 8 + plugins/aws/ec2/openRDP.spec.js | 9 + plugins/aws/ec2/openRPC.js | 8 + plugins/aws/ec2/openRPC.spec.js | 9 + plugins/aws/ec2/openRedis.js | 8 + plugins/aws/ec2/openRedis.spec.js | 9 + plugins/aws/ec2/openSMBoTCP.js | 10 +- plugins/aws/ec2/openSMBoTCP.spec.js | 9 + plugins/aws/ec2/openSMTP.js | 8 + plugins/aws/ec2/openSMTP.spec.js | 9 + plugins/aws/ec2/openSNMP.js | 8 + plugins/aws/ec2/openSNMP.spec.js | 9 + plugins/aws/ec2/openSQLServer.js | 8 + plugins/aws/ec2/openSQLServer.spec.js | 8 + plugins/aws/ec2/openSSH.js | 8 + plugins/aws/ec2/openSSH.spec.js | 9 + plugins/aws/ec2/openSalt.js | 8 + plugins/aws/ec2/openSalt.spec.js | 9 + plugins/aws/ec2/openTelnet.js | 8 + plugins/aws/ec2/openTelnet.spec.js | 9 + plugins/aws/ec2/openVNCClient.js | 8 + plugins/aws/ec2/openVNCClient.spec.js | 9 + plugins/aws/ec2/openVNCServer.js | 8 + plugins/aws/ec2/openVNCServer.spec.js | 9 + plugins/aws/ec2/publicIpAddress.js | 4 +- .../elasticacheInstanceGeneration.js | 2 +- plugins/aws/iam/iamUserWithoutPermissions.js | 3 +- plugins/aws/lambda/lambdaOldRuntimes.js | 7 + 
plugins/aws/s3/bucketEnforceEncryption.js | 4 +- plugins/aws/s3/objectLevelReadEventLogging.js | 16 +- .../aws/s3/objectLevelWriteEventLogging.js | 15 +- plugins/aws/s3/s3BucketHasTags.js | 42 +- plugins/aws/s3/s3BucketHasTags.spec.js | 14 +- plugins/aws/s3/s3Encryption.js | 2 +- plugins/aws/sns/snsTopicNoHttpPolicy.js | 40 +- plugins/aws/sns/snsValidSubscribers.js | 2 +- plugins/aws/sqs/sqsEncryptionEnabled.js | 4 +- plugins/aws/ssm/ssmSessionDuration.js | 4 +- plugins/azure/appservice/clientCertEnabled.js | 9 +- .../appservice/clientCertEnabled.spec.js | 26 +- .../fileservice/fileServiceAllAccessAcl.js | 5 +- .../fileServiceAllAccessAcl.spec.js | 3 +- .../mysqlserver/mysqlFlexibleServersMinTls.js | 1 + .../mysqlFlexibleServersMinTls.spec.js | 24 +- .../networkWatcherEnabled.js | 5 +- .../networkWatcherEnabled.spec.js | 70 +- .../azureServicesAccessDisabled.js | 8 +- .../securityContactAdditionalEmail.js | 6 +- .../virtualnetworks/virtualNetworkPeering.js | 2 +- .../virtualNetworkPeering.spec.js | 2 +- .../deleteExpiredDeployments.js | 2 +- .../google/iam/serviceAccountKeyRotation.js | 2 +- plugins/oracle/networking/lbNoInstances.js | 2 + 121 files changed, 2049 insertions(+), 219 deletions(-) create mode 100644 plugins/aws/ec2/defaultVpcInUse.spec.js diff --git a/collectors/aws/ses/getIdentityDkimAttributes.js b/collectors/aws/ses/getIdentityDkimAttributes.js index 587f5c6a11..ee188d4273 100644 --- a/collectors/aws/ses/getIdentityDkimAttributes.js +++ b/collectors/aws/ses/getIdentityDkimAttributes.js 
@@ -3,14 +3,46 @@ var helpers = require(__dirname + '/../../../helpers/aws'); module.exports = function(AWSConfig, collection, retries, callback) { var ses = new AWS.SES(AWSConfig); + collection.ses.getIdentityDkimAttributes[AWSConfig.region] = {}; - helpers.makeCustomCollectorCall(ses, 'getIdentityDkimAttributes', {Identities: collection.ses.listIdentities[AWSConfig.region].data}, retries, null, null, null, function(err, data) { - if (err) { - collection.ses.getIdentityDkimAttributes[AWSConfig.region].err = err; + var identities = collection.ses.listIdentities[AWSConfig.region].data; + var identityChunks = chunkArray(identities, 100); + var allDkimAttributes = []; + var processIdentityChunk = function(chunkIndex) { + if (chunkIndex >= identityChunks.length) { + collection.ses.getIdentityDkimAttributes[AWSConfig.region].data = { + DkimAttributes: allDkimAttributes + }; + callback(); + return; } - collection.ses.getIdentityDkimAttributes[AWSConfig.region].data = data; + var chunk = identityChunks[chunkIndex]; + var params = { + Identities: chunk, + }; - callback(); - }); -}; \ No newline at end of file + setTimeout(function() { + helpers.makeCustomCollectorCall(ses, 'getIdentityDkimAttributes', params, retries, null, null, null, function(err, data) { + if (err) { + collection.ses.getIdentityDkimAttributes[AWSConfig.region].err = err; + } else if (data && data.DkimAttributes) { + allDkimAttributes = { + ...allDkimAttributes, + ...data.DkimAttributes + }; + } + processIdentityChunk(chunkIndex + 1); + }); + }, 1000); + }; + + processIdentityChunk(0); +}; +function chunkArray(arr, chunkSize) { + var result = []; + for (var i = 0; i < arr.length; i += chunkSize) { + result.push(arr.slice(i, i + chunkSize)); + } + return result; +} diff --git a/collectors/azure/collector.js b/collectors/azure/collector.js index 4d1df48cae..ef1c30d0b2 100644 --- a/collectors/azure/collector.js +++ b/collectors/azure/collector.js 
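Review bot: `var allDkimAttributes = [];` initialises the accumulator as an array, but every merge is an object spread and the final result is stored as `{ DkimAttributes: allDkimAttributes }`, so it only works because spreading an empty array contributes no keys; start it as `var allDkimAttributes = {};`. A chunk that fails sets `.err` but the loop carries on, and a later successful chunk still stores partial `.data` next to that `.err` — either `return callback();` right after recording the error or document that `.data` may be incomplete when `.err` is set. `collection.ses.listIdentities[AWSConfig.region].data` is read unguarded, so when listIdentities itself failed `chunkArray(undefined, 100)` throws on `arr.length` before any error is recorded. Note also that the 1 s `setTimeout` is applied before the first chunk, not just between chunks.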
@@ -44,7 +44,7 @@ function parseCollection(path, obj) { } } -var collect = function(AzureConfig, settings, callback) { +let collect = function(AzureConfig, settings, callback) { // Used to gather info only if (settings.gather) { return callback(null, calls, postcalls, tertiarycalls, specialcalls); @@ -92,10 +92,12 @@ var collect = function(AzureConfig, settings, callback) { }); }; - var processCall = function(obj, cb, localData) { - var localUrl = obj.nextUrl || obj.url.replace(/\{subscriptionId\}/g, AzureConfig.SubscriptionID); + let processCall = function(obj, cb, localData) { + let localUrl = obj.nextUrl || obj.url.replace(/\{subscriptionId\}/g, AzureConfig.SubscriptionID); if (obj.rateLimit) { setTimeout(function() { + console.log('timeout check'); + console.log(`url: ${localUrl} obj: ${JSON.stringify(obj)} localData: ${JSON.stringify(localData)}`); makeCall(localUrl, obj, cb, localData); }, obj.rateLimit); } else { diff --git a/collectors/azure/fileService/listSharesSegmented.js b/collectors/azure/fileService/listSharesSegmented.js index 8f43b68e45..8c951a5856 100644 --- a/collectors/azure/fileService/listSharesSegmented.js +++ b/collectors/azure/fileService/listSharesSegmented.js @@ -1,10 +1,9 @@ var async = require('async'); +var azureStorage = require('@azure/storage-file-share'); module.exports = function(collection, reliesOn, callback) { if (!reliesOn['storageAccounts.listKeys']) return callback(); - var azureStorage = require('azure-storage'); - if (!collection['fileService']['listSharesSegmented']) collection['fileService']['listSharesSegmented'] = {}; if (!collection['fileService']['getShareAcl']) collection['fileService']['getShareAcl'] = {}; 
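Review bot: The two `console.log` calls added inside the `obj.rateLimit` branch of `processCall` print the full `obj` and `localData` to stdout on every rate-limited call; `localData` is the relied-on collection slice, and for any rate-limited call that depends on `storageAccounts.listKeys` that can put storage account keys in clear text into whatever captures the process output. These read as leftover debugging and should be removed before merge; if a trace is wanted, log only `localUrl` and only behind the collector's debug setting. The `var`→`let` changes are cosmetic. `processCall`'s body continues outside the hunk.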
@@ -13,39 +12,42 @@ module.exports = function(collection, reliesOn, callback) { collection['fileService']['listSharesSegmented'][region] = {}; collection['fileService']['getShareAcl'][region] = {}; - async.eachOfLimit(regionObj, 5, function(subObj, resourceId, sCb) { + async.eachOfLimit(regionObj, 5, async function(subObj, resourceId, sCb) { collection['fileService']['listSharesSegmented'][region][resourceId] = {}; if (subObj && subObj.data && subObj.data.keys && subObj.data.keys[0] && subObj.data.keys[0].value) { // Extract storage account name from resourceId - var storageAccountName = resourceId.substring(resourceId.lastIndexOf('/') + 1); - var storageService = new azureStorage['FileService'](storageAccountName, subObj.data.keys[0].value); - - storageService.listSharesSegmented(null, function(serviceErr, serviceResults) { - if (serviceErr || !serviceResults) { - collection['fileService']['listSharesSegmented'][region][resourceId].err = (serviceErr || 'No data returned'); - sCb(); - } else { - collection['fileService']['listSharesSegmented'][region][resourceId].data = serviceResults.entries; - - // Add ACLs - async.eachLimit(serviceResults.entries, 10, function(entryObj, entryCb) { - var entryId = `${resourceId}/fileService/${entryObj.name}`; - collection['fileService']['getShareAcl'][region][entryId] = {}; - - storageService.getShareAcl(entryObj.name, function(getErr, getData) { - if (getErr || !getData) { - collection['fileService']['getShareAcl'][region][entryId].err = (getErr || 'No data returned'); - } else { - collection['fileService']['getShareAcl'][region][entryId].data = getData; - } - entryCb(); + const shareItemList = []; + try { + const storageAccountName = resourceId.substring(resourceId.lastIndexOf('/') + 1); + const connectionString = `DefaultEndpointsProtocol=https;AccountName=${storageAccountName};AccountKey=${subObj.data.keys[0].value};EndpointSuffix=core.windows.net`; + const storageService = 
azureStorage.ShareServiceClient.fromConnectionString(connectionString); + const iterator = storageService.listShares(); + let item = await iterator.next(); + + while (!item.done) { + let fileShare = item.value.name; + var entryId = `${resourceId}/fileService/${fileShare}`; + shareItemList.push({ name: fileShare, id: entryId}); + collection['fileService']['getShareAcl'][region][entryId] = {}; + const shareClient = storageService.getShareClient(fileShare); + shareClient.getAccessPolicy() + .then(result => { + collection['fileService']['getShareAcl'][region][entryId].data = result; + }) + .catch(err => { + collection['fileService']['getShareAcl'][region][entryId].err = err; }); - }, function() { - sCb(); - }); + item = await iterator.next(); } - }); + } catch (exception) { + collection['fileService']['listSharesSegmented'][region][resourceId].err = exception.message; + } + if (shareItemList.length) { + collection['fileService']['listSharesSegmented'][region][resourceId].data = shareItemList; + } else { + collection['fileService']['listSharesSegmented'][region][resourceId].data = []; + } } else { sCb(); } diff --git a/exports.js b/exports.js index 591e428aab..53c1523d03 100644 --- a/exports.js +++ b/exports.js @@ -750,7 +750,6 @@ module.exports = { 'bastionHostExists' : require(__dirname + '/plugins/azure/bastion/bastionHostExists.js'), 'logProfileArchiveData' : require(__dirname + '/plugins/azure/monitor/logProfileArchiveData.js'), - 'logProfileRetentionPolicy' : require(__dirname + '/plugins/azure/monitor/logProfileRetentionPolicy.js'), 'monitorLogsEnabled' : require(__dirname + '/plugins/azure/monitor/monitorLogsEnabled.js'), 'diagnosticsCapturedCategories' : require(__dirname + '/plugins/azure/monitor/diagnosticsCapturedCategories.js'), 'diagnosticsSettingsEnabled' : require(__dirname + '/plugins/azure/monitor/diagnosticsSettingsEnabled.js'), diff --git a/helpers/aws/functions.js b/helpers/aws/functions.js index f0657c7075..ae756832c4 100644 
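Review bot: `shareClient.getAccessPolicy()` is started without `await`, and its `.then`/`.catch` closures read the function-scoped `var entryId`, which the `while` loop has already reassigned by the time the promise settles, so ACL results can be written under the wrong share's key and the iteratee can finish before any of them resolve, leaving `getShareAcl` entries empty when the plugins run. Declare `const entryId` inside the loop and await the call: `try { collection['fileService']['getShareAcl'][region][entryId].data = await shareClient.getAccessPolicy(); } catch (err) { collection['fileService']['getShareAcl'][region][entryId].err = err; }`. The iteratee was also made `async` while the `else` branch still calls `sCb()`; with async.js's handling of an AsyncFunction iteratee the third argument is not a callback, so that branch should simply `return` — hedged, as the async.js version is not visible here. The `const storageService = azureStorage.ShareServiceClient...` line begins on the previous page line.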
--- a/helpers/aws/functions.js +++ b/helpers/aws/functions.js @@ -151,9 +151,11 @@ function findOpenPorts(groups, ports, service, region, results, cache, config, c } } - if (config.ec2_skip_unused_groups && groups[g].GroupId && !usedGroups.includes(groups[g].GroupId)) { + if (config.ec2_skip_unused_groups && groups[g].GroupId && (!usedGroups || !usedGroups.includes(groups[g].GroupId))) { addResult(results, 1, `Security Group: ${groups[g].GroupId} is not in use`, region, resource); + } else if (config.check_network_interface) { + checkNetworkInterface(groups[g].GroupId,groups[g].GroupName, resultsString, region, results, resource, cache); } else { addResult(results, 2, resultsString, region, resource); 
@@ -176,6 +178,43 @@ function findOpenPorts(groups, ports, service, region, results, cache, config, c return; } +function checkNetworkInterface(groupId, groupName, resultsString, region, results, resource, cache) { + const describeNetworkInterfaces = helpers.addSource(cache, {}, + ['ec2', 'describeNetworkInterfaces', region]); + + if (!describeNetworkInterfaces || describeNetworkInterfaces.err || !describeNetworkInterfaces.data) { + helpers.addResult(results, 3, + 'Unable to query for network interfaces: ' + helpers.addError(describeNetworkInterfaces), region); + return; + } + let hasOpenSecurityGroup = false; + let networksWithSecurityGroup = []; + for (var network of describeNetworkInterfaces.data) { + for (const group of network.Groups) { + if (groupId === group.GroupId) { + networksWithSecurityGroup.push(network); + hasOpenSecurityGroup = true; + break; + } + } + } + if (hasOpenSecurityGroup) { + let hasPublicIp = false; + for (var eni of networksWithSecurityGroup) { + if (eni.Association && eni.Association.PublicIp) { + hasPublicIp = true; + break; + } + } + if (hasPublicIp) { + addResult(results, 2, `Security Group ${groupId}(${groupName}) is associated with an ENI that is publicly exposed`, region, resource); + } else { + addResult(results, 0, `Security Group ${groupId} (${groupName}) is only exposed internally`, region, resource); + } + } else { + addResult(results, 2, resultsString, region, resource); + } +} function normalizePolicyDocument(doc) { /* Convert a policy document for IAM into a normalized object that can be used 
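Review bot: An ENI counts as public only when `eni.Association.PublicIp` is set, so an interface carrying an IPv6 address (`Ipv6Addresses`) but no IPv4 association is reported at status 0 as "only exposed internally" even though, in a subnet routed to an internet gateway, the open port is reachable from the internet; extend the test to `if ((eni.Association && eni.Association.PublicIp) || (eni.Ipv6Addresses && eni.Ipv6Addresses.length))`. The inner loop assumes every interface has a `Groups` array; `for (const group of network.Groups || [])` avoids a TypeError on an unexpected shape. A short JSDoc should also state that a group attached to no ENI falls through to the original FAIL (`resultsString`) rather than being reported as unused, since that differs from the `ec2_skip_unused_groups` path. Style: `checkNetworkInterface` mixes `helpers.addResult` and the local `addResult` for the same purpose.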
@@ -1021,6 +1060,17 @@ var logError = function(service, call, region, err, errorsLocal, apiCallErrorsLo } }; +function checkConditions(startsWithBuckets, notStartsWithBuckets, endsWithBuckets, notEndsWithBuckets, bucketName) { + const startsWithCondition = startsWithBuckets.length > 0 ? startsWithBuckets.some(startsWith => bucketName.startsWith(startsWith)): false; + const notStartsWithCondition = notStartsWithBuckets.length > 0 ? !notStartsWithBuckets.some(notStartsWith => bucketName.startsWith(notStartsWith)): false; + const endsWithCondition = endsWithBuckets.length > 0 ? endsWithBuckets.some(endsWith => bucketName.endsWith(endsWith)): false; + const notEndsWithCondition = notEndsWithBuckets.length > 0 ? !notEndsWithBuckets.some(notEndsWith => bucketName.endsWith(notEndsWith)): false; + + return { + startsWithCondition, notStartsWithCondition, endsWithCondition, notEndsWithCondition + }; +} + var collectRateError = function(err, rateError) { let isError = false; 
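Review bot: `notStartsWithCondition` and `notEndsWithCondition` are `false` both when their exclusion list is empty and when the bucket matches an exclusion, so a caller cannot distinguish "no exclusion configured" from "excluded" without re-checking the lists; either document that or make the empty case yield `true` (the bucket is not excluded) — hedged, because the consumer is outside this hunk. The function has no docstring; a JSDoc such as `/** Evaluates CloudTrail advanced-selector prefix/suffix rules against bucketName; every flag is false when its rule list is empty. */` with `@param {string[]}` entries and an `@returns` line would make that contract explicit. `bucketName` is used unguarded, so callers must pass a string.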
@@ -1033,6 +1083,29 @@ var collectRateError = function(err, rateError) { return isError; }; +function processFieldSelectors(fieldSelectors,buckets ,startsWithBuckets,notEndsWithBuckets,endsWithBuckets, notStartsWithBuckets) { + fieldSelectors.forEach(f => { + if (f.Field === 'resources.ARN') { + if (f.Equals && f.Equals.length) { + const bucketName = f.Equals[0].split(':::')[1].split('/')[0]; + buckets.push(bucketName); + } + if (f.StartsWith && f.StartsWith.length) { + startsWithBuckets.push(...f.StartsWith); + } + if (f.EndsWith && f.EndsWith.length) { + endsWithBuckets.push(...f.EndsWith); + } + if (f.NotStartsWith && f.NotStartsWith.length) { + notStartsWithBuckets.push(...f.NotStartsWith); + } + if (f.NotEndsWith && f.NotEndsWith.length) { + notEndsWithBuckets.push(...f.NotEndsWith); + } + } + }); + return { buckets, startsWithBuckets, endsWithBuckets, notStartsWithBuckets, notEndsWithBuckets }; +} var checkTags = function(cache, resourceName, resourceList, region, results, settings={}) { const allResources = helpers.addSource(cache, {}, @@ -1094,5 +1167,8 @@ module.exports = { debugApiCalls: debugApiCalls, logError: logError, collectRateError: collectRateError, - checkTags: checkTags + checkTags: checkTags, + checkConditions: checkConditions, + processFieldSelectors: processFieldSelectors, + checkNetworkInterface: checkNetworkInterface, }; \ No newline at end of file diff --git a/helpers/aws/regions.js b/helpers/aws/regions.js index fbd2447141..eba8049cdb 100644 --- a/helpers/aws/regions.js +++ b/helpers/aws/regions.js 
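Review bot: `f.Equals[0].split(':::')[1].split('/')[0]` throws a TypeError when the selector's `resources.ARN` value has no `:::` segment — CloudTrail advanced event selectors carry ARNs for other resource types as well, and the plugin would then abort instead of reporting — and it only reads the first `Equals` value, dropping any further bucket ARNs in the same selector. Iterate and guard: `for (const arn of f.Equals) { const tail = arn.split(':::')[1]; if (tail) buckets.push(tail.split('/')[0]); }`. `NotEquals` is ignored entirely; if that is intentional a comment on the function should say so. The function both mutates the array arguments in place and returns them, which invites double-counting at the call site; pick one convention and document it.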
@@ -147,7 +147,7 @@ module.exports = { 'eu-west-2', 'eu-west-3', 'eu-north-1', 'eu-south-1', 'ap-northeast-1', 'ap-northeast-2', 'ap-southeast-1', 'ap-southeast-2', 'ap-south-1', 'sa-east-1', 'ap-east-1', 'me-south-1', 'af-south-1', 'ap-south-2','ap-southeast-3', 'ap-northeast-3', 'eu-central-2', 'me-central-1'], - kendra: ['us-east-1', 'us-east-2', 'us-west-2', 'ap-southeast-1', 'ap-southeast-2', 'ca-central-1', 'eu-west-1', 'ap-northeast-1', 'ap-south-1 '], + kendra: ['us-east-1', 'us-east-2', 'us-west-2', 'ap-southeast-1', 'ap-southeast-2', 'ca-central-1', 'eu-west-1', 'ap-northeast-1', 'ap-south-1'], proton: ['us-east-1', 'us-east-2', 'us-west-2', 'ap-northeast-1', 'eu-west-1', 'eu-west-2', 'eu-central-1', 'ca-central-1', 'ap-southeast-2', 'ap-southeast-1', 'ap-northeast-2'], customerprofiles: ['us-east-1', 'us-west-2', 'eu-west-2', 'ca-central-1', 'eu-central-1', diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 0d3a9fbf07..0c44596e9d 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -143,6 +143,15 @@ var serviceMap = { BridgeResourceNameIdentifier: 'name', BridgeExecutionService: 'Table Service', BridgeCollectionService: 'tableservice', DataIdentifier: 'data', }, + 'File Service': + { + enabled: true, isSingleSource: true, InvAsset: 'fileService', InvService: 'fileService', + InvResourceCategory: 'storage', InvResourceType: 'file_service', BridgeServiceName: 'fileservice', + BridgePluginCategoryName: 'File Service', BridgeProvider: 'Azure', BridgeCall: 'listSharesSegmented', + BridgeArnIdentifier: '', BridgeIdTemplate: '', BridgeResourceType: 'fileService', + BridgeResourceNameIdentifier: 'name', BridgeExecutionService: 'File Service', + BridgeCollectionService: 'fileservice', DataIdentifier: 'data', + }, 'SQL Databases': { enabled: true, isSingleSource: true, InvAsset: 'database', InvService: 'sql', 
@@ -446,10 +455,48 @@ var calls = { listEventHub: { url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.EventHub/namespaces?api-version=2022-10-01-preview' } + }, + // For CIEM + aad: { + listRoleAssignments: { + url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01' + }, + listDenyAssignments: { + url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01' + } + }, + // For CIEM + groups: { + list: { + url: 'https://graph.microsoft.com/v1.0/groups', + graph: true + } + }, + // For CIEM + servicePrincipals: { + list: { + url: 'https://graph.microsoft.com/v1.0/servicePrincipals', + graph: true + } } }; var postcalls = { + //For CIEM + aad: { + getGroupMembers: { + reliesOnPath: 'groups.list', + properties: ['id'], + url: 'https://graph.microsoft.com/v1.0/groups/{id}/members', + graph: true + }, + sendIntegration: { + enabled: true, + integrationReliesOn: { + serviceName: ['roleDefinitions','users','groups','servicePrincipals'] + } + } + }, recoveryServiceVaults: { getRecoveryServiceVault: { reliesOnPath: 'recoveryServiceVaults.listBySubscriptionId', @@ -950,10 +997,7 @@ var specialcalls = { reliesOnPath: ['storageAccounts.listKeys'], rateLimit: 3000 }, - listSharesSegmentedNew: { - reliesOnPath: ['storageAccounts.listKeys'], - rateLimit: 3000 - } + sendIntegration: serviceMap['File Service'] }, blobService: { listContainersSegmented: { diff --git a/helpers/azure/functions.js b/helpers/azure/functions.js index ea5c11c22a..0a40c0a0e1 100644 --- a/helpers/azure/functions.js +++ b/helpers/azure/functions.js 
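Review bot: The new Graph calls (`groups.list`, `servicePrincipals.list`, `aad.getGroupMembers`) return one page and continue via `@odata.nextLink`, and `roleAssignments`/`denyAssignments` page via `nextLink` as well, yet nothing in this hunk marks them for pagination; unless the collector's `graph: true` path already follows the link, group membership and role-assignment inventories will be silently truncated and the CIEM output will under-report who holds a role. Please confirm the collector follows `nextLink` for these calls or add whatever pagination flag the Azure collector honours. `getGroupMembers` issues one Graph request per group with no `rateLimit`, which large tenants may throttle; consider a `rateLimit` as the storage special calls use.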
@@ -2,7 +2,7 @@ var shared = require(__dirname + '/../shared.js'); var auth = require(__dirname + '/auth.js'); var async = require('async'); -const defualyPolicyAssignments = { +const defualtPolicyAssignments = { adaptiveApplicationControlsMonitoringEffect: 'AuditIfNotExists', diskEncryptionMonitoringEffect: 'AuditIfNotExists', endpointProtectionMonitoringEffect: 'AuditIfNotExists', @@ -178,8 +178,8 @@ function checkPolicyAssignment(policyAssignments, param, text, results, location const policyAssignment = policyAssignments.data.find((policyAssignment) => { return (policyAssignment && - policyAssignment.displayName && - policyAssignment.displayName.toLowerCase().includes('asc default')); + policyAssignment.displayName && + policyAssignment.displayName.toLowerCase().includes('asc default')); }); if (!policyAssignment) { 
@@ -191,18 +191,16 @@ function checkPolicyAssignment(policyAssignments, param, text, results, location // This check is required to handle a defect in the Azure API that causes // unmodified ASC policies to return an empty object for parameters: {} // https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMSZCA4 - if (policyAssignment.parameters && - !Object.keys(policyAssignment.parameters).length) { - addResult(results, 0, - 'There ASC Default Policy Assignment includes all plugins', location, - policyAssignment.id); - return; - } - const policyAssignmentStatus = (policyAssignment.parameters && policyAssignment.parameters[param] && policyAssignment.parameters[param].value) || - defualyPolicyAssignments[param] || ''; + // The api used returns empty parameters in case of all the default values, + var policyAssignmentStatus = ''; + if (policyAssignment.parameters && Object.keys(policyAssignment.parameters).length) { + policyAssignmentStatus = (policyAssignment.parameters && policyAssignment.parameters[param] && policyAssignment.parameters[param].value) || defualtPolicyAssignments[param] || ''; + } else { + policyAssignmentStatus = defualtPolicyAssignments[param] + } - if (!policyAssignmentStatus.length) { + if (!policyAssignmentStatus || !policyAssignmentStatus.length) { addResult(results, 0, text + ' is no supported', location, policyAssignment.id); } else if (policyAssignmentStatus == 'AuditIfNotExists' || policyAssignmentStatus == 'Audit') { diff --git a/helpers/azure/locations.js b/helpers/azure/locations.js index f0223c061e..46dd902f36 100644 --- a/helpers/azure/locations.js +++ b/helpers/azure/locations.js @@ -51,7 +51,7 @@ var locations = [ 'brazilsoutheast', // (South America) Brazil Southeast 'canadacentral', // (Canada) Canada Central 'canadaeast', // (Canada) Canada East - 'qatarcentral', // (Middle East) Qatar + 'qatarcentral', // (Middle East) Qatar 'polandcentral', // (Europe) Poland Central ]; 
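Review bot: In the fallback branch `policyAssignmentStatus = defualtPolicyAssignments[param]` is missing its semicolon and yields `undefined` for any `param` absent from the defaults table, which the following check then reports at status 0 (`' is no supported'`) — a missing default quietly passes. Use `policyAssignmentStatus = defualtPolicyAssignments[param] || '';` and consider reporting an unknown parameter as UNKNOWN (status 3) rather than PASS. The new comment `// The api used returns empty parameters in case of all the default values,` is an unfinished sentence; `// The API returns an empty parameters object when every effect is at its default, so fall back to the documented defaults.` says what the branch does. The pre-existing `' is no supported'` text looks like a typo for `' is not supported'`. `checkPolicyAssignment` begins outside the hunk.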
@@ -96,6 +96,9 @@ module.exports = { redisCaches: locations, pricings: ['global'], roleDefinitions: ['global'], + aad: ['global'], + groups: ['global'], + servicePrincipals: ['global'], autoscaleSettings: locations, resourceGroups: locations, policyDefinitions: locations, diff --git a/helpers/azure/resources.js b/helpers/azure/resources.js index a70d3ccfeb..bc0486c46c 100644 --- a/helpers/azure/resources.js +++ b/helpers/azure/resources.js @@ -147,6 +147,16 @@ module.exports = { roleDefinitions: { list: 'id' }, + aad: { + listRoleAssignments: 'id', + listDenyAssignments: 'id' + }, + groups: { + list: 'id' + }, + servicePrincipals: { + list: 'id' + }, securityContacts: { list: 'id' }, diff --git a/helpers/google/api.js b/helpers/google/api.js index d5316c0467..c66af69f5a 100644 --- a/helpers/google/api.js +++ b/helpers/google/api.js @@ -552,7 +552,8 @@ var calls = { url: 'https://dns.googleapis.com/dns/v1/projects/{projectId}/managedZones/{id}/rrsets', reliesOnService: ['managedZones'], reliesOnCall: ['list'], - properties: ['id'] + properties: ['id'], + pagination: true } }, accessApproval: { diff --git a/helpers/google/index.js b/helpers/google/index.js index 92cfc12c8f..8862db0722 100644 --- a/helpers/google/index.js +++ b/helpers/google/index.js @@ -15,7 +15,7 @@ var authenticate = async function(GoogleConfig) { email: GoogleConfig.client_email, key: GoogleConfig.private_key, scopes: ['https://www.googleapis.com/auth/cloud-platform'], - }); + }); return client; }; @@ -78,7 +78,7 @@ var processCall = function(GoogleConfig, collection, settings, regions, call, se var run = function(GoogleConfig, collection, settings, service, callObj, callKey, region, regionCb, client, myEngine) { - + if (settings.skip_regions && settings.skip_regions.indexOf(region) > -1) return regionCb(); var LocalGoogleConfig = JSON.parse(JSON.stringify(GoogleConfig)); 
@@ -95,13 +95,13 @@ var run = function(GoogleConfig, collection, settings, service, callObj, callKey params : {} }; - var records; + var records; if (myEngine) { if (!collection[service][myEngine][callKey][region]) { collection[service][myEngine][callKey][region] = {}; collection[service][myEngine][callKey][region].data = []; } - + if (callObj.reliesOnService) { if (!callObj.reliesOnService.length) { return regionCb(); @@ -150,8 +150,8 @@ var run = function(GoogleConfig, collection, settings, service, callObj, callKey for (reliedService in callObj.reliesOnService) { if (callObj.reliesOnService[reliedService] && !collection[callObj.reliesOnService[reliedService]]) { return regionCb(); - } - + } + if (callObj.reliesOnService[reliedService] && (!collection[callObj.reliesOnService[reliedService]] || !collection[callObj.reliesOnService[reliedService]][callObj.reliesOnCall[reliedService]] || @@ -304,7 +304,7 @@ var execute = async function(LocalGoogleConfig, collection, service, callObj, ca if (myEngine) collection[service][myEngine][callKey][region] = resultItems; else collection[service][callKey][region] = resultItems; } - if (data.data && data.data.nextPageToken && (!callObj.maxLimit + if (data.data && callObj.pagination && data.data.nextPageToken && (!callObj.maxLimit || (callObj.maxLimit && collectionItems.data && collectionItems.data.length < callObj.maxLimit))) { makeApiCall(client, url, executorCb, data.data.nextPageToken, { pagination: callObj.pagination, paginationKey: callObj.paginationKey, reqParams: callObj.reqParams }); } else { @@ -317,7 +317,7 @@ var execute = async function(LocalGoogleConfig, collection, service, callObj, ca } } }; - + if (callObj.url || callObj.urlToCall) { let url = callObj.urlToCall ? callObj.urlToCall : callObj.url; url = url.replace('{projectId}', LocalGoogleConfig.project); 
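Review bot: The `@@ -304,7` hunk now follows `nextPageToken` only when `callObj.pagination` is set, which switches pagination off for every Google call that does not declare it; only `resourceRecordSets.list` gains `pagination: true` in this commit, so any other list call that previously returned more than one page will be silently cut to its first page and the plugins will miss resources. Either audit every call in helpers/google/api.js that relied on `nextPageToken` and mark it, or invert the flag so the default remains "paginate", e.g. `!callObj.noPagination`. The other hunks on this line are whitespace-only. `execute`'s body continues outside the hunk.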
@@ -393,7 +393,7 @@ function makeApiCall(client, originalUrl, callCb, nextToken, config) { }); }, function(err, data){ callCb(err, data); - }); + }); } function setData(collection, dataToAdd, postCall, parent, serviceInfo) { diff --git a/helpers/shared.js b/helpers/shared.js index e13f8e1e47..988c40dbda 100644 --- a/helpers/shared.js +++ b/helpers/shared.js @@ -20,6 +20,10 @@ var processIntegration = function(serviceName, settings, collection, calls, post let localSettings = {}; localSettings = settings; + if (settings.govcloud) { + localEvent.awsOrGov = 'aws-us-gov'; + } + localEvent.collection = {}; localEvent.previousCollection = {}; diff --git a/plugins/aws/appmesh/appmeshTLSRequired.spec.js b/plugins/aws/appmesh/appmeshTLSRequired.spec.js index 2ba4678c74..9226c001e8 100644 --- a/plugins/aws/appmesh/appmeshTLSRequired.spec.js +++ b/plugins/aws/appmesh/appmeshTLSRequired.spec.js @@ -204,7 +204,7 @@ const createNullCache = () => { describe('appmeshTLSRequired', function () { describe('run', function () { - it('should PASS if App Mesh vitual gateway listeners restrict TLS enabled connections', function (done) { + it('should PASS if App Mesh virtual gateway listeners restrict TLS enabled connections', function (done) { const cache = createCache([listMeshes[0]], [listVirtualGateways[0]], describeVirtualGateway[0]); appmeshTLSRequired.run(cache, { }, (err, results) => { expect(results.length).to.equal(1); diff --git a/plugins/aws/ec2/defaultVpcInUse.spec.js b/plugins/aws/ec2/defaultVpcInUse.spec.js new file mode 100644 index 0000000000..782c47a87f --- /dev/null +++ b/plugins/aws/ec2/defaultVpcInUse.spec.js 
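Review bot: `localEvent.awsOrGov` is assigned only when `settings.govcloud` is truthy, so commercial-partition runs hand the integration an event with the field absent and the consumer has to treat `undefined` as `aws` — hedged, since that consumer is not visible here. Setting it in both cases, `localEvent.awsOrGov = settings.govcloud ? 'aws-us-gov' : 'aws';`, removes the ambiguity, and a one-line comment naming the partition strings the consumer expects would help. `processIntegration` begins outside the hunk; the remaining hunks on this line are whitespace and a spec typo fix.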
@@ -0,0 +1,850 @@ +var expect = require('chai').expect; +const defaultVpcInUse = require('./defaultVpcInUse'); + +const describeVpcs =[ + { + "CidrBlock": "10.0.0.0/16", + "DhcpOptionsId": "dopt-02f23068a9f47e67e", + "State": "available", + "VpcId": "vpc-0d04138d1a5d1ddba", + "OwnerId": "101363889637", + "InstanceTenancy": "default", + "CidrBlockAssociationSet": [ + { + "AssociationId": "vpc-cidr-assoc-03102f76bafa1b6c9", + "CidrBlock": "10.0.0.0/16", + "CidrBlockState": { + "State": "associated" + } + } + ], + "IsDefault": false, + "Tags": [ + { + "Key": "Name", + "Value": "dev-vpc" + } + ] + }, + { + "CidrBlock": "10.0.0.0/16", + "DhcpOptionsId": "dopt-02f23068a9f47e67e", + "State": "available", + "VpcId": "vpc-123", + "OwnerId": "101363889637", + "InstanceTenancy": "default", + "CidrBlockAssociationSet": [ + { + "AssociationId": "vpc-cidr-assoc-0195ffaae48916244", + "CidrBlock": "10.0.0.0/16", + "CidrBlockState": { + "State": "associated" + } + } + ], + "IsDefault": true, + "Tags": [] + } +]; + +const describeInstances = [ + { + "Groups": [], + "Instances": [ + { + "AmiLaunchIndex": 0, + "ImageId": "ami-02354e95b39ca8dec", + "InstanceId": "i-03afb9daa31f31bb0", + "InstanceType": "t2.micro", + "KeyName": "auto-scaling-test-instance", + "LaunchTime": "2020-08-31T23:52:43.000Z", + "Monitoring": { + "State": "disabled" + }, + "Placement": { + "AvailabilityZone": "us-east-1e", + "GroupName": "", + "Tenancy": "default" + }, + "PrivateDnsName": "ip-172-31-54-187.ec2.internal", + "PrivateIpAddress": "172.31.54.187", + "ProductCodes": [], + "PublicDnsName": "", + "State": { + "Code": 80, + "Name": "stopped" + }, + "StateTransitionReason": "User initiated (2020-09-01 03:39:08 GMT)", + "SubnetId": "subnet-6a8b635b", + "VpcId": "vpc-99de2fe4", + "Architecture": "x86_64", + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/xvda", + "Ebs": { + "AttachTime": "2020-08-25T02:21:49.000Z", + "DeleteOnTermination": true, + "Status": "attached", + "VolumeId": 
"vol-025b523c155020b10" + } + } + ], + "ClientToken": "", + "EbsOptimized": false, + "EnaSupport": true, + "Hypervisor": "xen", + "IamInstanceProfile": { + "Arn": "arn:aws:iam::111122223333:instance-profile/AmazonSSMRoleForInstancesQuickSetup", + "Id": "AIPAYE32SRU53G7VOI2UM" + }, + "NetworkInterfaces": [ + { + "Attachment": { + "AttachTime": "2020-08-25T02:21:48.000Z", + "AttachmentId": "eni-attach-077c0f4c969c20b4c", + "DeleteOnTermination": true, + "DeviceIndex": 0, + "Status": "attached" + }, + "Description": "", + "Groups": [ + { + "GroupName": "launch-wizard-4", + "GroupId": "sg-0174d5e394e23015e" + } + ], + "Ipv6Addresses": [], + "MacAddress": "06:22:7f:a4:48:f3", + "NetworkInterfaceId": "eni-0a53de7b449ed51e0", + "OwnerId": "111122223333", + "PrivateDnsName": "ip-172-31-54-187.ec2.internal", + "PrivateIpAddress": "172.31.54.187", + "PrivateIpAddresses": [ + { + "Primary": true, + "PrivateDnsName": "ip-172-31-54-187.ec2.internal", + "PrivateIpAddress": "172.31.54.187" + } + ], + "SourceDestCheck": true, + "Status": "in-use", + "SubnetId": "subnet-6a8b635b", + "VpcId": "vpc-99de2fe4", + "InterfaceType": "interface" + } + ], + "RootDeviceName": "/dev/xvda", + "RootDeviceType": "ebs", + "SecurityGroups": [ + { + "GroupName": "launch-wizard-4", + "GroupId": "sg-0174d5e394e23015e" + } + ], + "SourceDestCheck": true, + "StateReason": { + "Code": "Client.UserInitiatedShutdown", + "Message": "Client.UserInitiatedShutdown: User initiated shutdown" + }, + "Tags": [ + { + "Key": "Name", + "Value": "sploit-959-test-instance" + } + ], + "VirtualizationType": "hvm", + "CpuOptions": { + "CoreCount": 1, + "ThreadsPerCore": 1 + }, + "CapacityReservationSpecification": { + "CapacityReservationPreference": "open" + }, + "HibernationOptions": { + "Configured": false + }, + "MetadataOptions": { + "State": "applied", + "HttpTokens": "optional", + "HttpPutResponseHopLimit": 1, + "HttpEndpoint": "enabled" + } + } + ], + "OwnerId": "111122223333", + "ReservationId": 
"r-073e1215b28407ada" + }, + { + "Groups": [], + "Instances": [ + { + "AmiLaunchIndex": 0, + "ImageId": "ami-02354e95b39ca8dec", + "InstanceId": "i-03afb9daa31f31bb0", + "InstanceType": "t2.micro", + "KeyName": "auto-scaling-test-instance", + "LaunchTime": "2020-08-31T23:52:43.000Z", + "Monitoring": { + "State": "disabled" + }, + "Placement": { + "AvailabilityZone": "us-east-1e", + "GroupName": "", + "Tenancy": "default" + }, + "PrivateDnsName": "ip-172-31-54-187.ec2.internal", + "PrivateIpAddress": "172.31.54.187", + "ProductCodes": [], + "PublicDnsName": "", + "State": { + "Code": 80, + "Name": "stopped" + }, + "StateTransitionReason": "User initiated (2020-09-01 03:39:08 GMT)", + "SubnetId": "subnet-6a8b635b", + "VpcId": "vpc-123", + "Architecture": "x86_64", + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/xvda", + "Ebs": { + "AttachTime": "2020-08-25T02:21:49.000Z", + "DeleteOnTermination": true, + "Status": "attached", + "VolumeId": "vol-025b523c155020b10" + } + } + ], + "ClientToken": "", + "EbsOptimized": false, + "EnaSupport": true, + "Hypervisor": "xen", + "IamInstanceProfile": { + "Arn": "arn:aws:iam::111122223333:instance-profile/AmazonSSMRoleForInstancesQuickSetup", + "Id": "AIPAYE32SRU53G7VOI2UM" + }, + "NetworkInterfaces": [ + { + "Attachment": { + "AttachTime": "2020-08-25T02:21:48.000Z", + "AttachmentId": "eni-attach-077c0f4c969c20b4c", + "DeleteOnTermination": true, + "DeviceIndex": 0, + "Status": "attached" + }, + "Description": "", + "Groups": [ + { + "GroupName": "launch-wizard-4", + "GroupId": "sg-0174d5e394e23015e" + } + ], + "Ipv6Addresses": [], + "MacAddress": "06:22:7f:a4:48:f3", + "NetworkInterfaceId": "eni-0a53de7b449ed51e0", + "OwnerId": "111122223333", + "PrivateDnsName": "ip-172-31-54-187.ec2.internal", + "PrivateIpAddress": "172.31.54.187", + "PrivateIpAddresses": [ + { + "Primary": true, + "PrivateDnsName": "ip-172-31-54-187.ec2.internal", + "PrivateIpAddress": "172.31.54.187" + } + ], + "SourceDestCheck": true, + "Status": 
"in-use", + "SubnetId": "subnet-6a8b635b", + "VpcId": "vpc-123", + "InterfaceType": "interface" + } + ], + "RootDeviceName": "/dev/xvda", + "RootDeviceType": "ebs", + "SecurityGroups": [ + { + "GroupName": "launch-wizard-4", + "GroupId": "sg-0174d5e394e23015e" + } + ], + "SourceDestCheck": true, + "StateReason": { + "Code": "Client.UserInitiatedShutdown", + "Message": "Client.UserInitiatedShutdown: User initiated shutdown" + }, + "Tags": [], + "VirtualizationType": "hvm", + "CpuOptions": { + "CoreCount": 1, + "ThreadsPerCore": 1 + }, + "CapacityReservationSpecification": { + "CapacityReservationPreference": "open" + }, + "HibernationOptions": { + "Configured": false + }, + "MetadataOptions": { + "State": "applied", + "HttpTokens": "optional", + "HttpPutResponseHopLimit": 1, + "HttpEndpoint": "enabled" + } + } + ], + "OwnerId": "111122223333", + "ReservationId": "r-073e1215b28407ada" + } +]; + +const describeLoadBalancers = [ + { + "LoadBalancerName": "test-84", + "DNSName": "test-84-1988801627.us-east-1.elb.amazonaws.com", + "CanonicalHostedZoneName": "test-84-1988801627.us-east-1.elb.amazonaws.com", + "CanonicalHostedZoneNameID": "Z35SXDOTRQ7X7K", + "ListenerDescriptions": [ + { + "Listener": { + "Protocol": "HTTPS", + "LoadBalancerPort": 443, + "InstanceProtocol": "HTTPS", + "InstancePort": 443, + "SSLCertificateId": "arn:aws:iam::111122223333:server-certificate/ExampleCertificate" + }, + "PolicyNames": [ + "AWSConsole-SSLNegotiationPolicy-test-84-2-1601842068416" + ] + } + ], + "Policies": { + "AppCookieStickinessPolicies": [], + "LBCookieStickinessPolicies": [], + "OtherPolicies": [] + }, + "BackendServerDescriptions": [], + "AvailabilityZones": [ + "us-east-1f", + "us-east-1e", + "us-east-1d", + "us-east-1c", + "us-east-1b", + "us-east-1a" + ], + "Subnets": [ + "subnet-06aa0f60", + "subnet-673a9a46", + "subnet-6a8b635b", + "subnet-aac6b3e7", + "subnet-c21b84cc", + "subnet-e83690b7" + ], + "VPCId": "vpc-99de2fe4", + "Instances": [ + { + "InstanceId": 
"i-093267d7a579c4bee", + "InstanceType": "t2.micro", + "AvailabilityZone": "us-east-1a", + "LifecycleState": "InService", + "HealthStatus": "Healthy", + "LaunchTemplate": { + "LaunchTemplateId": "lt-0f1f6b356027abc86", + "LaunchTemplateName": "auto-scaling-template", + "Version": "1" + }, + "ProtectedFromScaleIn": false + } + ], + "HealthCheck": { + "Target": "HTTP:80/index.html", + "Interval": 30, + "Timeout": 5, + "UnhealthyThreshold": 2, + "HealthyThreshold": 10 + }, + "SourceSecurityGroup": { + "OwnerAlias": "111122223333", + "GroupName": "default" + }, + "SecurityGroups": [ + "sg-aa941691" + ], + "CreatedTime": "2020-10-01T17:50:43.330Z", + "Scheme": "internet-facing" + }, + { + "LoadBalancerName": "test-82", + "DNSName": "test-82-1988801627.us-east-1.elb.amazonaws.com", + "CanonicalHostedZoneName": "test-84-1988801627.us-east-1.elb.amazonaws.com", + "CanonicalHostedZoneNameID": "Z35SXDOTRQ7X7K", + "ListenerDescriptions": [ + { + "Listener": { + "Protocol": "HTTPS", + "LoadBalancerPort": 443, + "InstanceProtocol": "HTTPS", + "InstancePort": 443, + "SSLCertificateId": "arn:aws:iam::111122223333:server-certificate/ExampleCertificate" + }, + "PolicyNames": [ + "AWSConsole-SSLNegotiationPolicy-test-84-2-1601842068416" + ] + } + ], + "Policies": { + "AppCookieStickinessPolicies": [], + "LBCookieStickinessPolicies": [], + "OtherPolicies": [] + }, + "BackendServerDescriptions": [], + "AvailabilityZones": [ + "us-east-1f", + "us-east-1e", + "us-east-1d", + "us-east-1c", + "us-east-1b", + "us-east-1a" + ], + "Subnets": [ + "subnet-06aa0f60", + "subnet-673a9a46", + "subnet-6a8b635b", + "subnet-aac6b3e7", + "subnet-c21b84cc", + "subnet-e83690b7" + ], + "VPCId": "vpc-123", + "Instances": [ + { + "InstanceId": "i-093267d7a579c4bee", + "InstanceType": "t2.micro", + "AvailabilityZone": "us-east-1a", + "LifecycleState": "InService", + "HealthStatus": "Healthy", + "LaunchTemplate": { + "LaunchTemplateId": "lt-0f1f6b356027abc86", + "LaunchTemplateName": "auto-scaling-template", 
+ "Version": "1" + }, + "ProtectedFromScaleIn": false + } + ], + "HealthCheck": { + "Target": "HTTP:80/index.html", + "Interval": 30, + "Timeout": 5, + "UnhealthyThreshold": 2, + "HealthyThreshold": 10 + }, + "SourceSecurityGroup": { + "OwnerAlias": "111122223333", + "GroupName": "default" + }, + "SecurityGroups": [ + "sg-aa941691" + ], + "CreatedTime": "2020-10-01T17:50:43.330Z", + "Scheme": "internet-facing" + } +]; + +const listFunctions = [ + { + "FunctionName": "test-lambda", + "FunctionArn": "arn:aws:lambda:us-east-1:000011112222:function:test-lambda", + "Runtime": "nodejs12.x", + "Role": "arn:aws:iam::000011112222:role/lambda-role", + "Handler": "index.handler", + "VpcConfig": { + "SubnetIds": [ + "subnet-6a8b635b", + "subnet-c21b84cc" + ], + "SecurityGroupIds": [ + "sg-001639e564442dfec" + ], + "VpcId": "vpc-99de2fe4" + }, + }, + { + "FunctionName": "testing-123", + "FunctionArn": "arn:aws:lambda:us-east-1:000011112222:function:testing-123", + "Runtime": "nodejs4.3", + "Role": "arn:aws:iam::000011112222:role/service-role/testing-123-role-7t7oo29b", + "Handler": "index.handler", + "VpcConfig":{ + "VpcId": "vpc-123" + } + } +]; + +const describeDBInstances = [ + { + DBInstanceIdentifier: 'test-1', + DBInstanceClass: 'db.t3.micro', + Engine: 'postgres', + DBInstanceStatus: 'available', + MasterUsername: 'postgres', + Endpoint: { + Address: 'test-1.cscif9l5pu36.us-east-1.rds.amazonaws.com', + Port: 5432, + HostedZoneId: 'Z2R2ITUGPM61AM' + }, + AvailabilityZone: 'us-east-1a', + DBSubnetGroup: { + DBSubnetGroupName: 'default-vpc-112223344', + DBSubnetGroupDescription: 'Created from the Neptune Management Console', + VpcId: 'vpc-112223344', + SubnetGroupStatus: 'Complete', + Subnets: [Array], + SupportedNetworkTypes: [] + }, + PreferredMaintenanceWindow: 'mon:07:45-mon:08:15', + PendingModifiedValues: {}, + StorageEncrypted: true, + DBInstanceArn: 'arn:aws:rds:us-east-1:5566441122:db:test-1', + TagList: [], + DBInstanceAutomatedBackupsReplications: [], + 
CustomerOwnedIpEnabled: false, + ActivityStreamStatus: 'stopped', + BackupTarget: 'region', + NetworkType: 'IPV4' + }, + { + DBInstanceIdentifier: 'test2-1', + DBInstanceClass: 'db.t3.micro', + Engine: 'postgres', + DBInstanceStatus: 'available', + MasterUsername: 'postgres', + Endpoint: { + Address: 'test2-1.cscif9l5pu36.us-east-1.rds.amazonaws.com', + Port: 5432, + HostedZoneId: 'Z2R2ITUGPM61AM' + }, + AvailabilityZone: 'us-east-1a', + DBSubnetGroup: { + DBSubnetGroupName: 'default-vpc-123', + DBSubnetGroupDescription: 'Created from the Neptune Management Console', + VpcId: 'vpc-123', + SubnetGroupStatus: 'Complete', + Subnets: [Array], + SupportedNetworkTypes: [] + }, + PreferredMaintenanceWindow: 'mon:07:45-mon:08:15', + PendingModifiedValues: {}, + StorageEncrypted: true, + DBInstanceArn: 'arn:aws:rds:us-east-1:5566441122:db:test2-1', + TagList: [{key: "Key", value: "value"}], + DBInstanceAutomatedBackupsReplications: [], + CustomerOwnedIpEnabled: false, + ActivityStreamStatus: 'stopped', + BackupTarget: 'region', + NetworkType: 'IPV4' + }, +]; +const describeClusters = [ + { + "ClusterIdentifier": "redshift-cluster-1", + "NodeType": "dc2.large", + "ClusterStatus": "available", + "ClusterAvailabilityStatus": "Available", + "MasterUsername": "customuser", + "DBName": "dev", + "Endpoint": { + "Address": "redshift-cluster-1.cks44thktt7l.us-east-1.redshift.amazonaws.com", + "Port": 5555 + }, + "ClusterCreateTime": "2020-11-25T00:37:51.472000+00:00", + "AutomatedSnapshotRetentionPeriod": 1, + "ManualSnapshotRetentionPeriod": -1, + "ClusterSecurityGroups": [], + "VpcSecurityGroups": [ + { + "VpcSecurityGroupId": "sg-aa941691", + "Status": "active" + } + ], + "ClusterParameterGroups": [ + { + "ParameterGroupName": "default.redshift-1.0", + "ParameterApplyStatus": "in-sync" + } + ], + "ClusterSubnetGroupName": "default", + "VpcId": "vpc-99de2fe4", + "AvailabilityZone": "us-east-1c", + "PreferredMaintenanceWindow": "sun:00:00-sun:00:30", + "PendingModifiedValues": {}, 
+ "ClusterVersion": "1.0", + "AllowVersionUpgrade": true, + "NumberOfNodes": 1, + "PubliclyAccessible": false, + "Encrypted": false, + "ClusterPublicKey": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfPK8qflrCru2M5kL3A7i0tIj+FAPOVLdrDm7vPwhAWBNKQlfqmt4+a8ob+Ql7Hrlu+pu8eYdFFjzcmRtsI9m3onlbQ6jIKiW6WwsqYvPSucPq/78rFYGcxrGc213OL2XF1xZnZTpGleeH/BH1q/7hTiwYVmZ17k3ZL320jRUTFm2WEvcQoDWu8DderPPjllJ7Zz/JtJx1x3XM5kP9e4zSSWaUfAG3kKKxDeHbNUAq5JRk/yYA8iel1I7qIbl6NZpDgOOgLI9fUmICwH0u740PEDVoSrh2qFepQgMnRg1sPgdvoPFaSIpiQzNwUNqQiZhNstZDWu73Fjyqzv9m7ZxH Amazon-Redshift\n", + "ClusterNodes": [ + { + "NodeRole": "SHARED", + "PrivateIPAddress": "172.31.22.110", + "PublicIPAddress": "52.73.49.144" + } + ], + "ClusterRevisionNumber": "21262", + "Tags": [], + "EnhancedVpcRouting": false, + "IamRoles": [], + "MaintenanceTrackName": "current", + "DeferredMaintenanceWindows": [], + "NextMaintenanceWindowStartTime": "2020-11-29T00:00:00+00:00", + "ClusterNamespaceArn": "arn:aws:redshift:us-east-1:111122223333:namespace:f862b236-268d-4e86-afd3-ef91e96a97c4" + }, + { + "ClusterIdentifier": "redshift-cluster-2", + "NodeType": "dc2.large", + "ClusterStatus": "available", + "ClusterAvailabilityStatus": "Available", + "MasterUsername": "awsuser", + "DBName": "dev", + "Endpoint": { + "Address": "redshift-cluster-1.cks44thktt7l.us-east-1.redshift.amazonaws.com", + "Port": 5439 + }, + + "ClusterCreateTime": "2020-11-25T00:37:51.472000+00:00", + "AutomatedSnapshotRetentionPeriod": 0, + "ManualSnapshotRetentionPeriod": -1, + "ClusterSecurityGroups": [], + "VpcSecurityGroups": [ + { + "VpcSecurityGroupId": "sg-aa941691", + "Status": "active" + } + ], + "ClusterParameterGroups": [ + { + "ParameterGroupName": "default.redshift-1.0", + "ParameterApplyStatus": "in-sync" + } + ], + "ClusterSubnetGroupName": "default", + "VpcId":"vpc-123", + "AvailabilityZone": "us-east-1c", + "PreferredMaintenanceWindow": "sun:00:00-sun:00:30", + "PendingModifiedValues": {}, + "ClusterVersion": "1.0", + "AllowVersionUpgrade": 
true, + "NumberOfNodes": 1, + "PubliclyAccessible": false, + "Encrypted": false, + "ClusterPublicKey": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfPK8qflrCru2M5kL3A7i0tIj+FAPOVLdrDm7vPwhAWBNKQlfqmt4+a8ob+Ql7Hrlu+pu8eYdFFjzcmRtsI9m3onlbQ6jIKiW6WwsqYvPSucPq/78rFYGcxrGc213OL2XF1xZnZTpGleeH/BH1q/7hTiwYVmZ17k3ZL320jRUTFm2WEvcQoDWu8DderPPjllJ7Zz/JtJx1x3XM5kP9e4zSSWaUfAG3kKKxDeHbNUAq5JRk/yYA8iel1I7qIbl6NZpDgOOgLI9fUmICwH0u740PEDVoSrh2qFepQgMnRg1sPgdvoPFaSIpiQzNwUNqQiZhNstZDWu73Fjyqzv9m7ZxH Amazon-Redshift\n", + "ClusterNodes": [ + { + "NodeRole": "SHARED", + "PrivateIPAddress": "172.31.22.110", + "PublicIPAddress": "52.73.49.144" + } + ], + "ClusterRevisionNumber": "21262", + "Tags": [], + "EnhancedVpcRouting": false, + "IamRoles": [], + "MaintenanceTrackName": "current", + "DeferredMaintenanceWindows": [], + "NextMaintenanceWindowStartTime": "2020-11-29T00:00:00+00:00", + "ClusterNamespaceArn": "arn:aws:redshift:us-east-1:111122223333:namespace:f862b236-268d-4e86-afd3-ef91e96a97c4" + } +]; + +const createCache =(vpcs,instances,loadbalancers,listfunctions,dbinstance,cluster) => +{ + return { + ec2:{ + describeVpcs:{ + 'us-east-1':{ + data:vpcs + } + }, + describeInstances: { + 'us-east-1':{ + data:instances + } + } + }, + elb:{ + describeLoadBalancers: { + 'us-east-1':{ + data:loadbalancers + } + } + }, + lambda:{ + listFunctions: { + 'us-east-1':{ + data:listfunctions + } + } + }, + rds:{ + describeDBInstances: { + 'us-east-1':{ + data:dbinstance + } + } + }, + redshift:{ + describeClusters: { + 'us-east-1': { + data: cluster + } + } + } + } +} + + +const createNullCache =(vpcs,instances,loadbalancers,listfunctions,dbinstance,cluster) => +{ + return { + ec2:{ + describeVpcs:{ + 'us-east-1': null + }, + describeInstances: { + 'us-east-1': null + } + }, + elb:{ + describeLoadBalancers: { + 'us-east-1': null + } + }, + lambda:{ + listFunctions: { + 'us-east-1': null + } + }, + rds:{ + describeDBInstances: { + 'us-east-1':null + } + }, + redshift:{ + describeClusters: { + 
'us-east-1': null + } + } + } +} + +const createErrorCache =(vpcs,instances,loadbalancers,listfunctions,dbinstance,cluster) => +{ + return { + ec2:{ + describeVpcs:{ + 'us-east-1':{ + err:{ + message: 'error describing VPC' + } + } + }, + describeInstances: { + 'us-east-1':{ + err:{ + message: 'error describing instance' + } + } + } + }, + elb:{ + describeLoadBalancers: { + 'us-east-1':{ + err:{ + message: 'error describing loadbalancer' + } + } + } + }, + lambda:{ + listFunctions: { + 'us-east-1':{ + err:{ + message: 'error listing functions' + } + } + } + }, + rds:{ + describeDBInstances: { + 'us-east-1':{ + err:{ + message: 'error describing dbinstance' + } + } + } + }, + redshift:{ + describeClusters: { + 'us-east-1': { + err:{ + message: 'error describing cluster' + } + } + } + } + } +} + + +describe('defaultVpcInUse', function () { + describe('run', function () { + it('should PASS if no vpc found', function (done) { + const cache = createCache([],[],[],[],[]); + defaultVpcInUse.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No VPCs present'); + expect(results[0].region).to.equal('us-east-1'); + done(); + }); + }); + + it('should PASS if default vpc is not in use ', function (done) { + const cache = createCache(describeVpcs,[describeInstances[0]],[describeDBInstances[0]],[listFunctions[0]],[describeClusters[0]],[describeLoadBalancers[0]]); + defaultVpcInUse.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Default VPC is not in use'); + expect(results[0].region).to.equal('us-east-1'); + done(); + }); + }); + + it('should FAIL if default vpc is in use ', function (done) { + const cache = createCache(describeVpcs,[describeInstances[1]],[describeDBInstances[1]],[listFunctions[1]],[describeClusters[1]],[describeLoadBalancers[1]]); + 
defaultVpcInUse.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Default VPC is in use'); + expect(results[0].region).to.equal('us-east-1'); + done(); + }); + }); + + it('should UNKNOWN if error occur while describe VPC or EC2 Instance or db Instance or list function or cluster or elb ', function (done) { + const cache= createErrorCache(); + defaultVpcInUse.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].region).to.equal('us-east-1'); + done(); + }); + }); + + it('should not return any results if unable to fetch VPC or EC2 Instance or db Instance or list function or cluster or elb', function (done) { + const cache = createNullCache(); + defaultVpcInUse.run(cache, {}, (err, results) => { + expect(results.length).to.equal(0); + done(); + }); + }); + }); +}); diff --git a/plugins/aws/ec2/ec2MetadataOptions.js b/plugins/aws/ec2/ec2MetadataOptions.js index b65a607ec2..e59e6bcefe 100644 --- a/plugins/aws/ec2/ec2MetadataOptions.js +++ b/plugins/aws/ec2/ec2MetadataOptions.js @@ -36,7 +36,7 @@ module.exports = { for (var reservation of describeInstances.data) { var accountId = reservation.OwnerId; for (var instance of reservation.Instances) { - var arn = `arn::${awsOrGov}:ec2:` + region + ':' + accountId + ':instance/' + instance.InstanceId; + var arn = `arn:${awsOrGov}:ec2:` + region + ':' + accountId + ':instance/' + instance.InstanceId; if (!instance.MetadataOptions) { helpers.addResult(results, 3, 'Unable to get instance metadata options', region, arn); @@ -72,8 +72,8 @@ module.exports = { for (var kArn of instancesInsecure) { helpers.addResult(results, 2, 'Instance has instance metadata endpoint enabled and does not require HttpTokens', region, kArn); } - } - + } + return rcb(); }, function(){ callback(null, results, source); 
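Review bot: The corrected `arn` line in the ec2MetadataOptions.js hunk still mixes a template literal with `+` concatenation, which is how the stray second colon slipped in unnoticed; one template literal reads as a single ARN and leaves no room for that class of typo: `var arn = \`arn:${awsOrGov}:ec2:${region}:${accountId}:instance/${instance.InstanceId}\`;`. Nothing in this commit pins the resource ARN format, so a spec assertion on the `resource` field of a returned result (the spec file is not in this chunk, so I cannot tell whether one exists) would guard against a regression. The enclosing `run` function starts and ends outside the hunk.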
diff --git a/plugins/aws/ec2/openAllPortsProtocols.js b/plugins/aws/ec2/openAllPortsProtocols.js index 3a8b14661b..5d03950029 100644 --- a/plugins/aws/ec2/openAllPortsProtocols.js +++ b/plugins/aws/ec2/openAllPortsProtocols.js @@ -34,7 +34,7 @@ module.exports = { }; config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true'); - + var results = []; var source = {}; var regions = helpers.regions(settings); @@ -105,7 +105,8 @@ module.exports = { } if (strings.length) { - if (config.ec2_skip_unused_groups && groups[g].GroupId && !usedGroups.includes(groups[g].GroupId)) { + if (config.ec2_skip_unused_groups && groups[g].GroupId && usedGroups && + usedGroups.length && !usedGroups.includes(groups[g].GroupId)) { helpers.addResult(results, 1, `Security Group: ${groups[g].GroupId} is not in use`, region, resource); } else { diff --git a/plugins/aws/ec2/openAllPortsProtocolsEgress.js b/plugins/aws/ec2/openAllPortsProtocolsEgress.js index 9ebbc0efdc..6b9d4e9e8b 100644 --- a/plugins/aws/ec2/openAllPortsProtocolsEgress.js +++ b/plugins/aws/ec2/openAllPortsProtocolsEgress.js @@ -24,7 +24,7 @@ module.exports = { }; config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true'); - + var results = []; var source = {}; var regions = helpers.regions(settings); @@ -85,7 +85,8 @@ module.exports = { } } if (strings.length) { - if (config.ec2_skip_unused_groups && group.GroupId && !usedGroups.includes(group.GroupId)) { + if (config.ec2_skip_unused_groups && group.GroupId && usedGroups && + usedGroups.length && !usedGroups.includes(group.GroupId)) { helpers.addResult(results, 1, `Security Group: ${group.GroupId} is not in use`, region, resource); } else { 
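Review bot: The added `usedGroups && usedGroups.length &&` guard in the openAllPortsProtocols.js `@@ -105` hunk changes the verdict for an empty `usedGroups` array: a group with open ports that no resource references is exactly the case where the array is empty, and it now falls through to the `else` branch and is reported as publicly open instead of the WARN "is not in use" that `ec2_skip_unused_groups` asks for. If the intent is only to survive `usedGroups` being undefined because the upstream lookup failed (that code is outside the hunk, so I am inferring), the guard should distinguish "not fetched" from "fetched and empty", e.g. `if (config.ec2_skip_unused_groups && groups[g].GroupId && usedGroups &&` / `!usedGroups.includes(groups[g].GroupId)) {`, with the lookup leaving `usedGroups` unset when it errors. The same `usedGroups.length` test appears in the openAllPortsProtocolsEgress.js `@@ -85` hunk and has the same effect there.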
@@ -94,14 +95,14 @@ module.exports = { ' (' + group.GroupName + ') has ' + strings.join(' and '), region, resource); - } + } } else { helpers.addResult(results, 0, `Security group: ${group.GroupId} (${group.GroupName}) does not have all ports or protocols open to the public`, region, resource); } } - + rcb(); }, function(){ callback(null, results, source); diff --git a/plugins/aws/ec2/openCIFS.js b/plugins/aws/ec2/openCIFS.js index 1035af5155..9fd732fa4a 100644 --- a/plugins/aws/ec2/openCIFS.js +++ b/plugins/aws/ec2/openCIFS.js @@ -16,6 +16,12 @@ module.exports = { description: 'When set to true, skip checking ports for unused security groups and produce a WARN result', regex: '^(true|false)$', default: 'false', + }, + check_network_interface: { + name: 'Check Associated ENI', + description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed', + regex: '^(true|false)$', + default: 'false', } }, remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.', @@ -48,9 +54,11 @@ module.exports = { run: function(cache, settings, callback) { var config = { ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default, + check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default, }; config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true'); + config.check_network_interface = (config.check_network_interface == 'true'); var results = []; var source = {}; diff --git a/plugins/aws/ec2/openCIFS.spec.js b/plugins/aws/ec2/openCIFS.spec.js index e6e92b8fa5..5acf3ee44c 100644 --- a/plugins/aws/ec2/openCIFS.spec.js +++ b/plugins/aws/ec2/openCIFS.spec.js 
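Review bot: The `check_network_interface` setting object and the two config lines added to openCIFS.js are repeated byte-for-byte in openCassandraClient.js, openCassandraInternode.js, openCassandraMonitoring.js, openCassandraThrift.js, openCustomPorts.js, openDNS.js, openDocker.js, openElasticsearch.js and openFTP.js; ten copies of the same name, description, regex and default will drift the first time one is edited. A single exported definition in the shared helpers module the plugins already import, spread into each `settings` object, would keep the user-facing description and the `'^(true|false)$'` contract in one place. The code that actually consumes `config.check_network_interface` lies outside these hunks, so whether the description's "returns FAIL if both the security group and ENI are publicly exposed" matches the implementation cannot be confirmed from this diff; a one-line comment above the config line stating which branch the flag gates would help the next reader.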
@@ -254,5 +254,14 @@ describe('openCIFS', function () { }); }); + it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) { + const cache = createCache([describeSecurityGroups[0]], [describeNetworkInterfaces[0]], [listFunctions[0]]); + openCIFS.run(cache, {check_network_interface:'true'}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + done(); + }); + }); + }); }); diff --git a/plugins/aws/ec2/openCassandraClient.js b/plugins/aws/ec2/openCassandraClient.js index 4b530796aa..a0cff6f671 100644 --- a/plugins/aws/ec2/openCassandraClient.js +++ b/plugins/aws/ec2/openCassandraClient.js @@ -16,6 +16,12 @@ module.exports = { description: 'When set to true, skip checking ports for unused security groups and produce a WARN result', regex: '^(true|false)$', default: 'false', + }, + check_network_interface: { + name: 'Check Associated ENI', + description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed', + regex: '^(true|false)$', + default: 'false', } }, remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.', @@ -48,9 +54,11 @@ module.exports = { run: function(cache, settings, callback) { var config = { ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default, + check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default, }; config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true'); + config.check_network_interface = (config.check_network_interface == 'true'); var results = []; var source = {}; diff --git a/plugins/aws/ec2/openCassandraClient.spec.js b/plugins/aws/ec2/openCassandraClient.spec.js index f887813889..aa2b75777a 100644 
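Review bot: The new openCIFS.spec.js case only exercises the PASS branch of `check_network_interface` (an attached interface with no public IP); there is no case asserting the FAIL result the setting description promises when both the group and an attached ENI are publicly exposed, and no case showing that the default of `'false'` leaves the previous verdict unchanged. A companion `it('should FAIL if open port security group is attached to a network interface with a public IP', ...)` using a network-interface fixture that carries a public address, asserting `results[0].status` equals 2, would pin the behaviour this commit adds; I cannot see the `describeNetworkInterfaces` fixture here, so whether such an entry already exists is unknown. The same single-branch coverage is added in the openCassandraClient, openCassandraInternode, openCassandraMonitoring, openCassandraThrift, openCustomPorts, openDNS, openDocker and openElasticsearch spec hunks.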
--- a/plugins/aws/ec2/openCassandraClient.spec.js +++ b/plugins/aws/ec2/openCassandraClient.spec.js @@ -307,5 +307,14 @@ describe('openCassandraClient', function () { }); }); + it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) { + const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]); + openCassandraClient.run(cache, {check_network_interface:'true'}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + done(); + }); + }); + }); }); diff --git a/plugins/aws/ec2/openCassandraInternode.js b/plugins/aws/ec2/openCassandraInternode.js index 59f0d70f07..341277d60c 100644 --- a/plugins/aws/ec2/openCassandraInternode.js +++ b/plugins/aws/ec2/openCassandraInternode.js @@ -16,6 +16,12 @@ module.exports = { description: 'When set to true, skip checking ports for unused security groups and produce a WARN result', regex: '^(true|false)$', default: 'false', + }, + check_network_interface: { + name: 'Check Associated ENI', + description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed', + regex: '^(true|false)$', + default: 'false', } }, remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.', @@ -48,9 +54,11 @@ module.exports = { run: function(cache, settings, callback) { var config = { ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default, + check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default, }; config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true'); + config.check_network_interface = (config.check_network_interface == 'true'); var results = []; var source = {}; 
diff --git a/plugins/aws/ec2/openCassandraInternode.spec.js b/plugins/aws/ec2/openCassandraInternode.spec.js index ca35b360e7..3f0116b4ca 100644 --- a/plugins/aws/ec2/openCassandraInternode.spec.js +++ b/plugins/aws/ec2/openCassandraInternode.spec.js @@ -307,5 +307,14 @@ describe('openCassandraInternode', function () { }); }); + it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) { + const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]); + openCassandraInternode.run(cache, {check_network_interface:'true'}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + done(); + }); + }); + }); }); diff --git a/plugins/aws/ec2/openCassandraMonitoring.js b/plugins/aws/ec2/openCassandraMonitoring.js index caad3c13ff..1398fbe365 100644 --- a/plugins/aws/ec2/openCassandraMonitoring.js +++ b/plugins/aws/ec2/openCassandraMonitoring.js @@ -16,6 +16,12 @@ module.exports = { description: 'When set to true, skip checking ports for unused security groups and produce a WARN result', regex: '^(true|false)$', default: 'false', + }, + check_network_interface: { + name: 'Check Associated ENI', + description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed', + regex: '^(true|false)$', + default: 'false', } }, remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.', 
@@ -48,9 +54,11 @@ module.exports = { run: function(cache, settings, callback) { var config = { ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default, + check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default, }; config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true'); + config.check_network_interface = (config.check_network_interface == 'true'); var results = []; var source = {}; diff --git a/plugins/aws/ec2/openCassandraMonitoring.spec.js b/plugins/aws/ec2/openCassandraMonitoring.spec.js index d1e04be975..d6cc86d86f 100644 --- a/plugins/aws/ec2/openCassandraMonitoring.spec.js +++ b/plugins/aws/ec2/openCassandraMonitoring.spec.js @@ -307,5 +307,14 @@ describe('openCassandraMonitoring', function () { }); }); + it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) { + const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]); + openCassandraMonitoring.run(cache, {check_network_interface:'true'}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + done(); + }); + }); + }); }); diff --git a/plugins/aws/ec2/openCassandraThrift.js b/plugins/aws/ec2/openCassandraThrift.js index 7568978ea7..7998b22b16 100644 --- a/plugins/aws/ec2/openCassandraThrift.js +++ b/plugins/aws/ec2/openCassandraThrift.js 
@@ -16,6 +16,12 @@ module.exports = { description: 'When set to true, skip checking ports for unused security groups and produce a WARN result', regex: '^(true|false)$', default: 'false', + }, + check_network_interface: { + name: 'Check Associated ENI', + description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed', + regex: '^(true|false)$', + default: 'false', } }, remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.', @@ -48,10 +54,12 @@ module.exports = { run: function(cache, settings, callback) { var config = { ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default, + check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default, }; config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true'); - + config.check_network_interface = (config.check_network_interface == 'true'); + var results = []; var source = {}; var regions = helpers.regions(settings); diff --git a/plugins/aws/ec2/openCassandraThrift.spec.js b/plugins/aws/ec2/openCassandraThrift.spec.js index edab809cdb..465fabd1f2 100644 --- a/plugins/aws/ec2/openCassandraThrift.spec.js +++ b/plugins/aws/ec2/openCassandraThrift.spec.js @@ -307,5 +307,14 @@ describe('openCassandraThrift', function () { }); }); + it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) { + const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]); + openCassandraThrift.run(cache, {check_network_interface:'true'}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + done(); + }); + }); + }); }); 
diff --git a/plugins/aws/ec2/openCustomPorts.js b/plugins/aws/ec2/openCustomPorts.js index 516476b8a0..c8bc83fafe 100644 --- a/plugins/aws/ec2/openCustomPorts.js +++ b/plugins/aws/ec2/openCustomPorts.js @@ -22,15 +22,23 @@ module.exports = { description: 'When set to true, skip checking ports for unused security groups and produce a WARN result', regex: '^(true|false)$', default: 'false', + }, + check_network_interface: { + name: 'Check Associated ENI', + description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed', + regex: '^(true|false)$', + default: 'false', } }, run: function(cache, settings, callback) { var config = { ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default, + check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default, }; config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true'); + config.check_network_interface = (config.check_network_interface == 'true'); var results = []; var source = {}; diff --git a/plugins/aws/ec2/openCustomPorts.spec.js b/plugins/aws/ec2/openCustomPorts.spec.js index 4ae26b43ab..d47c293276 100644 --- a/plugins/aws/ec2/openCustomPorts.spec.js +++ b/plugins/aws/ec2/openCustomPorts.spec.js @@ -337,5 +337,14 @@ describe('openCustomPorts', function () { done(); }); }); + + it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) { + const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]); + openCustomPorts.run(cache, {check_network_interface:'true', restricted_open_ports: 'tcp:22'}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + done(); + }); + }); }); }); \ No newline at end of file 
diff --git a/plugins/aws/ec2/openDNS.js b/plugins/aws/ec2/openDNS.js index 287d069c90..e0a623e1a1 100644 --- a/plugins/aws/ec2/openDNS.js +++ b/plugins/aws/ec2/openDNS.js @@ -16,6 +16,12 @@ module.exports = { description: 'When set to true, skip checking ports for unused security groups and produce a WARN result', regex: '^(true|false)$', default: 'false', + }, + check_network_interface: { + name: 'Check Associated ENI', + description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed', + regex: '^(true|false)$', + default: 'false', } }, remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.', @@ -48,9 +54,11 @@ module.exports = { run: function(cache, settings, callback) { var config = { ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default, + check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default, }; config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true'); + config.check_network_interface = (config.check_network_interface == 'true'); var results = []; var source = {}; diff --git a/plugins/aws/ec2/openDNS.spec.js b/plugins/aws/ec2/openDNS.spec.js index 18a3a38f69..9f8a39b85a 100644 --- a/plugins/aws/ec2/openDNS.spec.js +++ b/plugins/aws/ec2/openDNS.spec.js @@ -307,5 +307,14 @@ describe('openDNS', function () { }); }); + it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) { + const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]); + openDNS.run(cache, {check_network_interface:'true'}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + done(); + }); + }); + }); }); 
diff --git a/plugins/aws/ec2/openDocker.js b/plugins/aws/ec2/openDocker.js index 6c04aaac87..8b032315b4 100644 --- a/plugins/aws/ec2/openDocker.js +++ b/plugins/aws/ec2/openDocker.js @@ -16,6 +16,12 @@ module.exports = { description: 'When set to true, skip checking ports for unused security groups and produce a WARN result', regex: '^(true|false)$', default: 'false', + }, + check_network_interface: { + name: 'Check Associated ENI', + description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed', + regex: '^(true|false)$', + default: 'false', } }, remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.', @@ -48,9 +54,11 @@ module.exports = { run: function(cache, settings, callback) { var config = { ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default, + check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default, }; config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true'); + config.check_network_interface = (config.check_network_interface == 'true'); var results = []; var source = {}; diff --git a/plugins/aws/ec2/openDocker.spec.js b/plugins/aws/ec2/openDocker.spec.js index 962f639dc3..7bece8b97b 100644 --- a/plugins/aws/ec2/openDocker.spec.js +++ b/plugins/aws/ec2/openDocker.spec.js 
@@ -307,5 +307,14 @@ describe('openDocker', function () {
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[0]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openDocker.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
+
 });
 });
diff --git a/plugins/aws/ec2/openElasticsearch.js b/plugins/aws/ec2/openElasticsearch.js
index 6881060aaa..1f73b733a7 100644
--- a/plugins/aws/ec2/openElasticsearch.js
+++ b/plugins/aws/ec2/openElasticsearch.js
@@ -16,6 +16,12 @@ module.exports = {
 description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'false',
 }
 },
 remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.',
@@ -48,9 +54,11 @@ module.exports = {
 run: function(cache, settings, callback) {
 var config = {
 ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 var results = [];
 var source = {};
diff --git a/plugins/aws/ec2/openElasticsearch.spec.js b/plugins/aws/ec2/openElasticsearch.spec.js
index e114e79401..d3144ad9a8 100644
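Review bot: The openDocker spec seeds `createCache([describeSecurityGroups[0]], ...)` while every sibling spec in this commit seeds `describeSecurityGroups[1]`; if openDocker's fixtures follow the same order as openHTTP's, where index 0 is the group with no open ports, this test returns status 0 regardless of the `check_network_interface` setting and does not exercise the ENI check at all. It should read `const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);` so that the PASS is attributable to the ENI having no public IP rather than to the group being closed.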
--- a/plugins/aws/ec2/openElasticsearch.spec.js
+++ b/plugins/aws/ec2/openElasticsearch.spec.js
@@ -306,5 +306,14 @@ describe('openElasticsearch', function () {
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openElasticsearch.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
+
 });
 });
diff --git a/plugins/aws/ec2/openFTP.js b/plugins/aws/ec2/openFTP.js
index 745eac2fda..fc4accb282 100644
--- a/plugins/aws/ec2/openFTP.js
+++ b/plugins/aws/ec2/openFTP.js
@@ -16,6 +16,12 @@ module.exports = {
 description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'false',
 }
 },
 remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.',
@@ -48,9 +54,11 @@ module.exports = {
 run: function(cache, settings, callback) {
 var config = {
 ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 var results = [];
 var source = {};
diff --git a/plugins/aws/ec2/openFTP.spec.js b/plugins/aws/ec2/openFTP.spec.js
index 9449caca6e..e79fab7e2e 100644
--- a/plugins/aws/ec2/openFTP.spec.js
+++ b/plugins/aws/ec2/openFTP.spec.js
@@ -307,5 +307,13 @@ describe('openFTP', function () {
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openFTP.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
 });
 });
diff --git a/plugins/aws/ec2/openHTTP.js b/plugins/aws/ec2/openHTTP.js
index 0daaa139d7..1602137304 100644
--- a/plugins/aws/ec2/openHTTP.js
+++ b/plugins/aws/ec2/openHTTP.js
@@ -9,7 +9,21 @@ module.exports = {
 more_info: 'While some ports are required to be open to the public to function properly, more sensitive services such as HTTP should be restricted to known IP addresses.',
 link: 'http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html',
 recommended_action: 'Restrict TCP port 80 to known IP addresses',
- apis: ['EC2:describeSecurityGroups'],
+ apis: ['EC2:describeSecurityGroups','EC2:describeNetworkInterfaces'],
+ settings: {
+ ec2_skip_unused_groups: {
+ name: 'EC2 Skip Unused Groups',
+ description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
+ regex: '^(true|false)$',
+ default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'false',
+ }
+ },
 run: function(cache, settings, callback) {
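Review bot: openHTTP.js gains an `ec2_skip_unused_groups` setting but its `apis` array now declares only `EC2:describeSecurityGroups` and `EC2:describeNetworkInterfaces`; the sibling specs in this commit seed `listFunctions` next to the network interfaces, which suggests the unused-group evaluation reads Lambda function data from the cache. If that is the case, `apis` should also declare whichever call populates that data, otherwise the setting is accepted by the plugin but can never take effect; the openHTTPS.js hunk has the same gap. The `settings` block also repeats the two description strings verbatim across every plugin touched here, so a shared constant in helpers would keep them from drifting when the wording is adjusted.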
@@ -17,6 +31,14 @@ module.exports = {
 var source = {};
 var regions = helpers.regions(settings);
+ var config = {
+ ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
+ };
+
+ config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
+
 var ports = {
 'tcp': [80]
 };
@@ -39,8 +61,8 @@ module.exports = {
 helpers.addResult(results, 0, 'No security groups present', region);
 return rcb();
 }
+ helpers.findOpenPorts(describeSecurityGroups.data, ports, service, region, results, cache, config, rcb, settings);
- helpers.findOpenPorts(describeSecurityGroups.data, ports, service, region, results, cache, rcb, settings);
 rcb();
 }, function(){
diff --git a/plugins/aws/ec2/openHTTP.spec.js b/plugins/aws/ec2/openHTTP.spec.js
index f2e790dc55..3d1d423ac7 100644
--- a/plugins/aws/ec2/openHTTP.spec.js
+++ b/plugins/aws/ec2/openHTTP.spec.js
@@ -119,6 +119,46 @@ const describeSecurityGroups = [
 }
 ];
+const describeNetworkInterfaces = [
+ {
+ "AvailabilityZone": "us-east-1b",
+ "Description": "RDSNetworkInterface",
+ "Groups": [
+ {
+ "GroupName": "default",
+ "GroupId": "sg-aa941691"
+ },
+ {
+ "GroupName": "HTTP-Access",
+ "GroupId": "sg-02e2c70cd463dca29"
+ },
+ ],
+ "InterfaceType": "interface",
+ "Ipv6Addresses": [],
+ "MacAddress": "12:95:7b:ae:63:91",
+ "NetworkInterfaceId": "eni-0681cbf0930452492",
+ "OwnerId": "111122223333",
+ "PrivateDnsName": "ip-172-31-93-52.ec2.internal",
+ "PrivateIpAddress": "172.31.93.52",
+ "PrivateIpAddresses": [
+ {
+ "Primary": true,
+ "PrivateDnsName": "ip-172-31-93-52.ec2.internal",
+ "PrivateIpAddress": "172.31.93.52"
+ }
+ ],
+ "Ipv4Prefixes": [],
+ "Ipv6Prefixes": [],
+ "RequesterId": "amazon-rds",
+ "RequesterManaged": true,
+ "SourceDestCheck": true,
+ "Status": "available",
+ "SubnetId": "subnet-673a9a46",
+ "TagSet": [],
+ "VpcId": "vpc-99de2fe4"
+ },
+]
+
 const createCache = (securityGroups, networkInterfaces, functions, securityGroupsErr, networkInterfacesErr, functionsErr) => {
 return {
 ec2:{
@@ -167,7 +207,7 @@ const createNullCache = () => {
 describe('openHTTP', function () {
 describe('run', function () {
 it('should PASS if no public open ports found', function (done) {
- const cache = createCache([describeSecurityGroups[0]]);
+ const cache = createCache([describeSecurityGroups[0]], [describeNetworkInterfaces[0]]);
 openHTTP.run(cache, {}, (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(0);
@@ -176,7 +216,7 @@ describe('openHTTP', function () {
 });
 it('should FAIL if security group has HTTP TCP port open to public', function (done) {
- const cache = createCache([describeSecurityGroups[1]]);
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]]);
 openHTTP.run(cache, {}, (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(2);
@@ -210,6 +250,15 @@ describe('openHTTP', function () {
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]] );
+ openHTTP.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
+
 });
 });
diff --git a/plugins/aws/ec2/openHTTPS.js b/plugins/aws/ec2/openHTTPS.js
index cdca0788d2..a99041692c 100644
--- a/plugins/aws/ec2/openHTTPS.js
+++ b/plugins/aws/ec2/openHTTPS.js
@@ -9,13 +9,35 @@ module.exports = {
 more_info: 'While some ports are required to be open to the public to function properly, more sensitive services such as HTTPS should be restricted to known IP addresses.',
 link: 'http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html',
 recommended_action: 'Restrict TCP port 443 to known IP addresses.',
- apis: ['EC2:describeSecurityGroups'],
+ apis: ['EC2:describeSecurityGroups','EC2:describeNetworkInterfaces'],
+ settings: {
+ ec2_skip_unused_groups: {
+ name: 'EC2 Skip Unused Groups',
+ description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
+ regex: '^(true|false)$',
+ default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'false',
+ }
+ },
 run: function(cache, settings, callback) {
 var results = [];
 var source = {};
 var regions = helpers.regions(settings);
+ var config = {
+ ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
+ };
+
+ config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
+
 var ports = {
 'tcp': [443]
 };
@@ -39,7 +61,7 @@ module.exports = {
 return rcb();
 }
- helpers.findOpenPorts(describeSecurityGroups.data, ports, service, region, results, cache, rcb, settings);
+ helpers.findOpenPorts(describeSecurityGroups.data, ports, service, region, results, cache, config, rcb, settings);
 rcb();
 }, function(){
diff --git a/plugins/aws/ec2/openHTTPS.spec.js b/plugins/aws/ec2/openHTTPS.spec.js
index ee6a417c4d..0292ef9f9f 100644
--- a/plugins/aws/ec2/openHTTPS.spec.js
+++ b/plugins/aws/ec2/openHTTPS.spec.js
@@ -119,6 +119,46 @@ const describeSecurityGroups = [
 }
 ];
+const describeNetworkInterfaces = [
+ {
+ "AvailabilityZone": "us-east-1b",
+ "Description": "RDSNetworkInterface",
+ "Groups": [
+ {
+ "GroupName": "default",
+ "GroupId": "sg-aa941691"
+ },
+ {
+ "GroupName": "HTTP-Access",
+ "GroupId": "sg-02e2c70cd463dca29"
+ },
+ ],
+ "InterfaceType": "interface",
+ "Ipv6Addresses": [],
+ "MacAddress": "12:95:7b:ae:63:91",
+ "NetworkInterfaceId": "eni-0681cbf0930452492",
+ "OwnerId": "111122223333",
+ "PrivateDnsName": "ip-172-31-93-52.ec2.internal",
+ "PrivateIpAddress": "172.31.93.52",
+ "PrivateIpAddresses": [
+ {
+ "Primary": true,
+ "PrivateDnsName": "ip-172-31-93-52.ec2.internal",
+ "PrivateIpAddress": "172.31.93.52"
+ }
+ ],
+ "Ipv4Prefixes": [],
+ "Ipv6Prefixes": [],
+ "RequesterId": "amazon-rds",
+ "RequesterManaged": true,
+ "SourceDestCheck": true,
+ "Status": "available",
+ "SubnetId": "subnet-673a9a46",
+ "TagSet": [],
+ "VpcId": "vpc-99de2fe4"
+ },
+]
+
 const createCache = (securityGroups, networkInterfaces, functions, securityGroupsErr, networkInterfacesErr, functionsErr) => {
 return {
 ec2:{
@@ -167,7 +207,7 @@ const createNullCache = () => {
 describe('openHTTPS', function () {
 describe('run', function () {
 it('should PASS if no public open ports found', function (done) {
- const cache = createCache([describeSecurityGroups[0]]);
+ const cache = createCache([describeSecurityGroups[0]], [describeNetworkInterfaces[0]]);
 openHTTPS.run(cache, {}, (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(0);
@@ -177,7 +217,7 @@ describe('openHTTPS', function () {
 });
 it('should FAIL if security group has HTTPS TCP port open to public', function (done) {
- const cache = createCache([describeSecurityGroups[1]]);
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]]);
 openHTTPS.run(cache, {}, (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(2);
@@ -216,6 +256,15 @@ describe('openHTTPS', function () {
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]]);
+ openHTTPS.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
+
 });
 });
diff --git a/plugins/aws/ec2/openHadoopNameNode.js b/plugins/aws/ec2/openHadoopNameNode.js
index 25ee4e6357..cad6649952 100644
--- a/plugins/aws/ec2/openHadoopNameNode.js
+++ b/plugins/aws/ec2/openHadoopNameNode.js
@@ -16,6 +16,12 @@ module.exports = {
 description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'false',
 }
 },
 remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.',
@@ -48,9 +54,11 @@ module.exports = {
 run: function(cache, settings, callback) {
 var config = {
 ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 var results = [];
 var source = {};
diff --git a/plugins/aws/ec2/openHadoopNameNode.spec.js b/plugins/aws/ec2/openHadoopNameNode.spec.js
index 49d3407bc8..dd4a04759a 100644
--- a/plugins/aws/ec2/openHadoopNameNode.spec.js
+++ b/plugins/aws/ec2/openHadoopNameNode.spec.js
@@ -306,5 +306,14 @@ describe('openHadoopNameNode', function () {
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openHadoopNameNode.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
+
 });
 });
diff --git a/plugins/aws/ec2/openHadoopNameNodeWebUI.js b/plugins/aws/ec2/openHadoopNameNodeWebUI.js
index 75609a94e2..d954a9bcd2 100644
--- a/plugins/aws/ec2/openHadoopNameNodeWebUI.js
+++ b/plugins/aws/ec2/openHadoopNameNodeWebUI.js
@@ -16,6 +16,12 @@ module.exports = {
 description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'false',
 }
 },
 remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.',
@@ -48,9 +54,11 @@ module.exports = {
 run: function(cache, settings, callback) {
 var config = {
 ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 var results = [];
 var source = {};
diff --git a/plugins/aws/ec2/openHadoopNameNodeWebUI.spec.js b/plugins/aws/ec2/openHadoopNameNodeWebUI.spec.js
index a3997b2505..4fccf892a7 100644
--- a/plugins/aws/ec2/openHadoopNameNodeWebUI.spec.js
+++ b/plugins/aws/ec2/openHadoopNameNodeWebUI.spec.js
@@ -307,5 +307,14 @@ describe('openHadoopNameNodeWebUI', function () {
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openHadoopNameNodeWebUI.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
+
 });
 });
diff --git a/plugins/aws/ec2/openInternalWeb.js b/plugins/aws/ec2/openInternalWeb.js
index 9d5cd2a1a6..1676d53308 100644
--- a/plugins/aws/ec2/openInternalWeb.js
+++ b/plugins/aws/ec2/openInternalWeb.js
@@ -16,6 +16,12 @@ module.exports = {
 description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'false',
 }
 },
 remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.',
@@ -48,9 +54,11 @@ module.exports = {
 run: function(cache, settings, callback) {
 var config = {
 ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 var results = [];
 var source = {};
diff --git a/plugins/aws/ec2/openInternalWeb.spec.js b/plugins/aws/ec2/openInternalWeb.spec.js
index 1d57bbe9a0..03dc229d33 100644
--- a/plugins/aws/ec2/openInternalWeb.spec.js
+++ b/plugins/aws/ec2/openInternalWeb.spec.js
@@ -306,5 +306,14 @@ describe('openInternalWeb', function () {
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openInternalWeb.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
+
 });
 });
diff --git a/plugins/aws/ec2/openKibana.js b/plugins/aws/ec2/openKibana.js
index 2120a941dc..5fffca40cf 100644
--- a/plugins/aws/ec2/openKibana.js
+++ b/plugins/aws/ec2/openKibana.js
@@ -16,6 +16,12 @@ module.exports = {
 description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'false',
 }
 },
 remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.',
@@ -48,9 +54,11 @@ module.exports = {
 run: function(cache, settings, callback) {
 var config = {
 ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 var results = [];
 var source = {};
diff --git a/plugins/aws/ec2/openKibana.spec.js b/plugins/aws/ec2/openKibana.spec.js
index 429dad533e..22aaf76f5d 100644
--- a/plugins/aws/ec2/openKibana.spec.js
+++ b/plugins/aws/ec2/openKibana.spec.js
@@ -306,5 +306,14 @@ describe('openKibana', function () {
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openKibana.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
+
 });
 });
diff --git a/plugins/aws/ec2/openLDAP.js b/plugins/aws/ec2/openLDAP.js
index 82e57d6626..d965e0d440 100644
--- a/plugins/aws/ec2/openLDAP.js
+++ b/plugins/aws/ec2/openLDAP.js
@@ -16,6 +16,12 @@ module.exports = {
 description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'false',
 }
 },
 remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.',
@@ -48,9 +54,11 @@ module.exports = {
 run: function(cache, settings, callback) {
 var config = {
 ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 var results = [];
 var source = {};
diff --git a/plugins/aws/ec2/openLDAP.spec.js b/plugins/aws/ec2/openLDAP.spec.js
index 861a92a58e..b46e66ceea 100644
--- a/plugins/aws/ec2/openLDAP.spec.js
+++ b/plugins/aws/ec2/openLDAP.spec.js
@@ -306,6 +306,15 @@ describe('openLDAP', function () {
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openLDAP.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
+
 });
 });
diff --git a/plugins/aws/ec2/openLDAPS.js b/plugins/aws/ec2/openLDAPS.js
index 62e76da3f0..0e68093ae3 100644
--- a/plugins/aws/ec2/openLDAPS.js
+++ b/plugins/aws/ec2/openLDAPS.js
@@ -16,6 +16,12 @@ module.exports = {
 description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'false',
 }
 },
 remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.',
@@ -48,9 +54,11 @@ module.exports = {
 run: function(cache, settings, callback) {
 var config = {
 ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 var results = [];
 var source = {};
diff --git a/plugins/aws/ec2/openLDAPS.spec.js b/plugins/aws/ec2/openLDAPS.spec.js
index e0e0b71f6d..6d90ec6daf 100644
--- a/plugins/aws/ec2/openLDAPS.spec.js
+++ b/plugins/aws/ec2/openLDAPS.spec.js
@@ -306,6 +306,15 @@ describe('openLDAPS', function () {
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openLDAPS.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
+
 });
 });
diff --git a/plugins/aws/ec2/openMemcached.js b/plugins/aws/ec2/openMemcached.js
index 765a9082b3..ef35e4df8f 100644
--- a/plugins/aws/ec2/openMemcached.js
+++ b/plugins/aws/ec2/openMemcached.js
@@ -22,6 +22,12 @@ module.exports = {
 description: 'When set to true, pass all the security groups associated with clusters that are in private subnet',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'false',
 }
 },
 remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.',
@@ -55,10 +61,12 @@ module.exports = {
 var config = {
 ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
 ignore_groups_with_private_clusters: settings.ignore_groups_with_private_clusters|| this.settings.ignore_groups_with_private_clusters.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
 config.ignore_groups_with_private_clusters = (config.ignore_groups_with_private_clusters == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 var results = [];
 var source = {};
diff --git a/plugins/aws/ec2/openMemcached.spec.js b/plugins/aws/ec2/openMemcached.spec.js
index 4df94cec4a..7e6b96f571 100644
--- a/plugins/aws/ec2/openMemcached.spec.js
+++ b/plugins/aws/ec2/openMemcached.spec.js
@@ -307,5 +307,14 @@ describe('openMemcached', function () {
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openMemcached.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
+
 });
 });
diff --git a/plugins/aws/ec2/openMongoDB.js b/plugins/aws/ec2/openMongoDB.js
index 96e118ed90..53a0fc9b07 100644
--- a/plugins/aws/ec2/openMongoDB.js
+++ b/plugins/aws/ec2/openMongoDB.js
@@ -16,6 +16,12 @@ module.exports = {
 description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'false',
 }
 },
 remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.',
@@ -48,9 +54,11 @@ module.exports = {
 run: function(cache, settings, callback) {
 var config = {
 ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 var results = [];
 var source = {};
@@ -81,6 +89,7 @@ module.exports = {
 helpers.findOpenPorts(describeSecurityGroups.data, ports, service, region, results, cache, config, rcb, settings);
+ rcb();
 }, function(){
 callback(null, results, source);
diff --git a/plugins/aws/ec2/openMongoDB.spec.js b/plugins/aws/ec2/openMongoDB.spec.js
index 77ff48a8b5..e32efb7360 100644
--- a/plugins/aws/ec2/openMongoDB.spec.js
+++ b/plugins/aws/ec2/openMongoDB.spec.js
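Review bot: The `rcb();` added in the `@@ -81,6 +89,7 @@` hunk of openMongoDB.js follows a call that already receives `rcb` as an argument; if helpers.findOpenPorts invokes that callback on any path, as its parameter name suggests, the per-region callback now fires twice and the completion function that calls `callback(null, results, source)` can run early or more than once. The right fix depends on the helper, which is outside this diff: either drop the explicit `rcb();` or stop passing `rcb` into findOpenPorts, but not both. openHTTP.js and openHTTPS.js show the same pairing as pre-existing context lines, so whichever form is chosen should be applied to every open-port plugin in one go.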
@@ -307,5 +307,14 @@ describe('openMongoDB', function () {
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openMongoDB.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
+
 });
 });
diff --git a/plugins/aws/ec2/openMySQL.js b/plugins/aws/ec2/openMySQL.js
index 5d48afbfea..79780b4d42 100644
--- a/plugins/aws/ec2/openMySQL.js
+++ b/plugins/aws/ec2/openMySQL.js
@@ -16,6 +16,12 @@ module.exports = {
 description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'false',
 }
 },
 remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.',
@@ -48,9 +54,11 @@ module.exports = {
 run: function(cache, settings, callback) {
 var config = {
 ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 var results = [];
 var source = {};
diff --git a/plugins/aws/ec2/openMySQL.spec.js b/plugins/aws/ec2/openMySQL.spec.js
index a49d3550ca..7850e4e897 100644
--- a/plugins/aws/ec2/openMySQL.spec.js
+++ b/plugins/aws/ec2/openMySQL.spec.js
@@ -307,5 +307,14 @@ describe('openMySQL', function () {
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openMySQL.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
+
 });
 });
diff --git a/plugins/aws/ec2/openNetBIOS.js b/plugins/aws/ec2/openNetBIOS.js
index 7ba67ef585..441191c140 100644
--- a/plugins/aws/ec2/openNetBIOS.js
+++ b/plugins/aws/ec2/openNetBIOS.js
@@ -16,6 +16,12 @@ module.exports = {
 description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'false',
 }
 },
 remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.',
@@ -48,9 +54,11 @@ module.exports = {
 run: function(cache, settings, callback) {
 var config = {
 ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 var results = [];
 var source = {};
diff --git a/plugins/aws/ec2/openNetBIOS.spec.js b/plugins/aws/ec2/openNetBIOS.spec.js
index d1023d66b1..767278675b 100644
--- a/plugins/aws/ec2/openNetBIOS.spec.js
+++ b/plugins/aws/ec2/openNetBIOS.spec.js
@@ -306,5 +306,14 @@ describe('openNetBIOS', function () {
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openNetBIOS.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
+
 });
 });
diff --git a/plugins/aws/ec2/openOracle.js b/plugins/aws/ec2/openOracle.js
index bab732254a..68c211c36d 100644
--- a/plugins/aws/ec2/openOracle.js
+++ b/plugins/aws/ec2/openOracle.js
@@ -18,6 +18,12 @@ module.exports = {
 description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'false',
 }
 },
 remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.',
@@ -50,9 +56,11 @@ module.exports = {
 run: function(cache, settings, callback) {
 var config = {
 ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 var results = [];
 var source = {};
@@ -83,7 +91,6 @@ module.exports = {
 helpers.findOpenPorts(describeSecurityGroups.data, ports, service, region, results, cache, config, rcb, settings);
- rcb();
 },
 function(){
 callback(null, results, source);
diff --git a/plugins/aws/ec2/openOracle.spec.js b/plugins/aws/ec2/openOracle.spec.js
index ff7b497fe9..132e085840 100644
--- a/plugins/aws/ec2/openOracle.spec.js
+++ b/plugins/aws/ec2/openOracle.spec.js
@@ -306,5 +306,14 @@ describe('openOracle', function () {
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openOracle.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
+
 });
 });
diff --git a/plugins/aws/ec2/openOracleAutoDataWarehouse.js b/plugins/aws/ec2/openOracleAutoDataWarehouse.js
index 908bcb7dcf..a4a6dba307 100644
--- a/plugins/aws/ec2/openOracleAutoDataWarehouse.js
+++ b/plugins/aws/ec2/openOracleAutoDataWarehouse.js
@@ -18,6 +18,12 @@ module.exports = {
 description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'false',
 }
 },
 remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.',
@@ -50,9 +56,11 @@ module.exports = {
 run: function(cache, settings, callback) {
 var config = {
 ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 var results = [];
 var source = {};
diff --git a/plugins/aws/ec2/openOracleAutoDataWarehouse.spec.js b/plugins/aws/ec2/openOracleAutoDataWarehouse.spec.js
index 00f22b7a1e..5e30fea806 100644
--- a/plugins/aws/ec2/openOracleAutoDataWarehouse.spec.js
+++ b/plugins/aws/ec2/openOracleAutoDataWarehouse.spec.js
@@ -305,5 +305,14 @@ describe('openOracleAutoDataWarehouse', function () {
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openOracleAutoDataWarehouse.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
+
 });
 });
diff --git a/plugins/aws/ec2/openPostgreSQL.js b/plugins/aws/ec2/openPostgreSQL.js
index a9091637c2..701f0a7d79 100644
--- a/plugins/aws/ec2/openPostgreSQL.js
+++ b/plugins/aws/ec2/openPostgreSQL.js
@@ -16,6 +16,12 @@ module.exports = {
 description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'false',
 }
 },
 remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.',
@@ -48,9 +54,11 @@ module.exports = {
 run: function(cache, settings, callback) {
 var config = {
 ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 var results = [];
 var source = {};
diff --git a/plugins/aws/ec2/openPostgreSQL.spec.js b/plugins/aws/ec2/openPostgreSQL.spec.js
index 85a088a011..c7b115880b 100644
--- a/plugins/aws/ec2/openPostgreSQL.spec.js
+++ b/plugins/aws/ec2/openPostgreSQL.spec.js
@@ -306,5 +306,14 @@ describe('openPostgreSQL', function () {
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openPostgreSQL.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
+
 });
 });
diff --git a/plugins/aws/ec2/openRDP.js b/plugins/aws/ec2/openRDP.js
index ca053d112f..cc431a1141 100644
--- a/plugins/aws/ec2/openRDP.js
+++ b/plugins/aws/ec2/openRDP.js
@@ -16,6 +16,12 @@ module.exports = {
 description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'false',
 }
 },
 compliance: {
@@ -51,9 +57,11 @@ module.exports = {
 run: function(cache, settings, callback) {
 var config = {
 ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 var results = [];
 var source = {};
diff --git a/plugins/aws/ec2/openRDP.spec.js b/plugins/aws/ec2/openRDP.spec.js
index 9b127bccf0..1ed0b058ea 100644
--- a/plugins/aws/ec2/openRDP.spec.js
+++ b/plugins/aws/ec2/openRDP.spec.js
@@ -307,5 +307,14 @@ describe('openRDP', function () {
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openRDP.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
+
 });
 });
diff --git a/plugins/aws/ec2/openRPC.js b/plugins/aws/ec2/openRPC.js
index 754d878646..bf64cc168a 100644
--- a/plugins/aws/ec2/openRPC.js
+++ b/plugins/aws/ec2/openRPC.js
@@ -16,6 +16,12 @@ module.exports = {
 description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'false',
 }
 },
 remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.',
@@ -48,9 +54,11 @@ module.exports = {
 run: function(cache, settings, callback) {
 var config = {
 ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 var results = [];
 var source = {};
diff --git a/plugins/aws/ec2/openRPC.spec.js b/plugins/aws/ec2/openRPC.spec.js
index 7e3f12ea71..fcef651e02 100644
--- a/plugins/aws/ec2/openRPC.spec.js
+++ b/plugins/aws/ec2/openRPC.spec.js
@@ -307,5 +307,14 @@ describe('openRPC', function () {
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openRPC.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
+
 });
 });
diff --git a/plugins/aws/ec2/openRedis.js b/plugins/aws/ec2/openRedis.js
index ab87f16cdf..d3a4c581ad 100644
--- a/plugins/aws/ec2/openRedis.js
+++ b/plugins/aws/ec2/openRedis.js
@@ -16,6 +16,12 @@ module.exports = {
 description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'false',
 }
 },
 remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.',
@@ -48,9 +54,11 @@ module.exports = {
 run: function(cache, settings, callback) {
 var config = {
 ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 var results = [];
 var source = {};
diff --git a/plugins/aws/ec2/openRedis.spec.js b/plugins/aws/ec2/openRedis.spec.js
index 65cbeec99c..834c6d30b2 100644
--- a/plugins/aws/ec2/openRedis.spec.js
+++ b/plugins/aws/ec2/openRedis.spec.js
@@ -307,5 +307,14 @@ describe('openRedis', function () {
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openRedis.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
+
 });
 });
diff --git a/plugins/aws/ec2/openSMBoTCP.js b/plugins/aws/ec2/openSMBoTCP.js
index 0e91775f06..27432ac8db 100644
--- a/plugins/aws/ec2/openSMBoTCP.js
+++ b/plugins/aws/ec2/openSMBoTCP.js
@@ -16,6 +16,12 @@ module.exports = {
 description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'false',
 }
 },
 remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.',
@@ -47,10 +53,12 @@ module.exports = {
 run: function(cache, settings, callback) {
 var config = {
- ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups
+ ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 var results = [];
 var source = {};
diff --git a/plugins/aws/ec2/openSMBoTCP.spec.js b/plugins/aws/ec2/openSMBoTCP.spec.js
index 5ae2890159..95e8ffee0f 100644
--- a/plugins/aws/ec2/openSMBoTCP.spec.js
+++ b/plugins/aws/ec2/openSMBoTCP.spec.js
@@ -308,5 +308,14 @@ describe('openSMBoTCP', function () {
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openSMBoTCP.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
+
 });
 });
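Review bot: The rewritten line `ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups,` in the `@@ -47,10 +53,12 @@` hunk of openSMBoTCP.js still omits `.default`, so when the setting is not supplied the fallback is the setting's descriptor object rather than the string `'false'`; the following `config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true')` then yields false only because the declared default happens to be `'false'`, and the declared default is otherwise ignored. Every sibling plugin in this diff reads `this.settings.ec2_skip_unused_groups.default`, and the new `check_network_interface` line directly below does too, so this is the one inconsistency left. Since the commit already touches the line, it should read `ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,`.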
diff --git a/plugins/aws/ec2/openSMTP.js b/plugins/aws/ec2/openSMTP.js
index 01b3bdb79e..a46439fa7c 100644
--- a/plugins/aws/ec2/openSMTP.js
+++ b/plugins/aws/ec2/openSMTP.js
@@ -16,6 +16,12 @@ module.exports = {
 description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'false',
 }
 },
 remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.',
@@ -48,9 +54,11 @@ module.exports = {
 run: function(cache, settings, callback) {
 var config = {
 ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 var results = [];
 var source = {};
diff --git a/plugins/aws/ec2/openSMTP.spec.js b/plugins/aws/ec2/openSMTP.spec.js
index b7d763a1d6..b73ccd3e54 100644
--- a/plugins/aws/ec2/openSMTP.spec.js
+++ b/plugins/aws/ec2/openSMTP.spec.js
@@ -307,5 +307,14 @@ describe('openSMTP', function () {
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openSMTP.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
+
 });
 });
diff --git a/plugins/aws/ec2/openSNMP.js b/plugins/aws/ec2/openSNMP.js
index 7ae8c61642..2fcd17d92c 100644
--- a/plugins/aws/ec2/openSNMP.js
+++ b/plugins/aws/ec2/openSNMP.js
@@ -16,6 +16,12 @@ module.exports = {
 description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'false',
 }
 },
 remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.',
@@ -48,9 +54,11 @@ module.exports = {
 run: function(cache, settings, callback) {
 var config = {
 ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 var results = [];
 var source = {};
diff --git a/plugins/aws/ec2/openSNMP.spec.js b/plugins/aws/ec2/openSNMP.spec.js
index 85225fbfba..ed51274e8e 100644
--- a/plugins/aws/ec2/openSNMP.spec.js
+++ b/plugins/aws/ec2/openSNMP.spec.js
@@ -306,5 +306,14 @@ describe('openSNMP', function () {
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openSNMP.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
+
 });
 });
diff --git a/plugins/aws/ec2/openSQLServer.js b/plugins/aws/ec2/openSQLServer.js
index 8a97b50398..e82c82c3bd 100644
--- a/plugins/aws/ec2/openSQLServer.js
+++ b/plugins/aws/ec2/openSQLServer.js
@@ -16,6 +16,12 @@ module.exports = {
 description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'false',
 }
 },
 remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.',
@@ -48,9 +54,11 @@ module.exports = {
 run: function(cache, settings, callback) {
 var config = {
 ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 var results = [];
 var source = {};
diff --git a/plugins/aws/ec2/openSQLServer.spec.js b/plugins/aws/ec2/openSQLServer.spec.js
index eb0e2a66aa..3d7916a589 100644
--- a/plugins/aws/ec2/openSQLServer.spec.js
+++ b/plugins/aws/ec2/openSQLServer.spec.js
@@ -306,5 +306,13 @@ describe('openSQLServer', function () {
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openSQLServer.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
 });
 });
diff --git a/plugins/aws/ec2/openSSH.js b/plugins/aws/ec2/openSSH.js
index 782e159143..1192847cce 100644
--- a/plugins/aws/ec2/openSSH.js
+++ b/plugins/aws/ec2/openSSH.js
@@ -16,6 +16,12 @@ module.exports = {
 description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'false',
 }
 },
 compliance: {
@@ -51,9 +57,11 @@ module.exports = {
 run: function(cache, settings, callback) {
 var config = {
 ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 var results = [];
 var source = {};
diff --git a/plugins/aws/ec2/openSSH.spec.js b/plugins/aws/ec2/openSSH.spec.js
index 78c124220a..a540d509cb 100644
--- a/plugins/aws/ec2/openSSH.spec.js
+++ b/plugins/aws/ec2/openSSH.spec.js
@@ -307,5 +307,14 @@ describe('openSSH', function () {
 });
 });
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openSSH.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
+
 });
 });
diff --git a/plugins/aws/ec2/openSalt.js b/plugins/aws/ec2/openSalt.js
index 53febc3550..7638a54995 100644
--- a/plugins/aws/ec2/openSalt.js
+++ b/plugins/aws/ec2/openSalt.js
@@ -16,6 +16,12 @@ module.exports = {
 description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'false',
 }
 },
 remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.',
@@ -48,9 +54,11 @@ module.exports = {
 run: function(cache, settings, callback) {
 var config = {
 ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 var results = [];
 var source = {};
diff --git a/plugins/aws/ec2/openSalt.spec.js b/plugins/aws/ec2/openSalt.spec.js
index bdbc48f7d7..0873810e67 100644
--- a/plugins/aws/ec2/openSalt.spec.js
+++ b/plugins/aws/ec2/openSalt.spec.js
@@ -308,5 +308,14 @@ describe('openSalt', function () { }); }); + it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) { + const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]); + openSalt.run(cache, {check_network_interface:'true'}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + done(); + }); + }); + }); }); diff --git a/plugins/aws/ec2/openTelnet.js b/plugins/aws/ec2/openTelnet.js index 7e8ac7ca59..eb32e08eb4 100644 --- a/plugins/aws/ec2/openTelnet.js +++ b/plugins/aws/ec2/openTelnet.js @@ -16,6 +16,12 @@ module.exports = { description: 'When set to true, skip checking ports for unused security groups and produce a WARN result', regex: '^(true|false)$', default: 'false', + }, + check_network_interface: { + name: 'Check Associated ENI', + description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed', + regex: '^(true|false)$', + default: 'false', } }, remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.', @@ -48,9 +54,11 @@ module.exports = { run: function(cache, settings, callback) { var config = { ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default, + check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default, }; config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true'); + config.check_network_interface = (config.check_network_interface == 'true'); var results = []; var source = {}; diff --git a/plugins/aws/ec2/openTelnet.spec.js b/plugins/aws/ec2/openTelnet.spec.js index 9cf38ac14f..46657e4ee4 100644 --- a/plugins/aws/ec2/openTelnet.spec.js 
+++ b/plugins/aws/ec2/openTelnet.spec.js @@ -307,5 +307,14 @@ describe('openTelnet', function () { }); }); + it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) { + const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]); + openTelnet.run(cache, {check_network_interface:'true'}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + done(); + }); + }); + }); }); diff --git a/plugins/aws/ec2/openVNCClient.js b/plugins/aws/ec2/openVNCClient.js index df8ffbdf63..aa533a18b9 100644 --- a/plugins/aws/ec2/openVNCClient.js +++ b/plugins/aws/ec2/openVNCClient.js @@ -16,6 +16,12 @@ module.exports = { description: 'When set to true, skip checking ports for unused security groups and produce a WARN result', regex: '^(true|false)$', default: 'false', + }, + check_network_interface: { + name: 'Check Associated ENI', + description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed', + regex: '^(true|false)$', + default: 'false', } }, remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.', @@ -48,9 +54,11 @@ module.exports = { run: function(cache, settings, callback) { var config = { ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default, + check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default, }; config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true'); + config.check_network_interface = (config.check_network_interface == 'true'); var results = []; var source = {}; diff --git a/plugins/aws/ec2/openVNCClient.spec.js b/plugins/aws/ec2/openVNCClient.spec.js index 2f9ab764f7..4cd8667f8f 100644 
--- a/plugins/aws/ec2/openVNCClient.spec.js +++ b/plugins/aws/ec2/openVNCClient.spec.js @@ -307,5 +307,14 @@ describe('openVNCClient', function () { }); }); + it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) { + const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]); + openVNCClient.run(cache, {check_network_interface:'true'}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + done(); + }); + }); + }); }); diff --git a/plugins/aws/ec2/openVNCServer.js b/plugins/aws/ec2/openVNCServer.js index 51094c354b..67b02707d6 100644 --- a/plugins/aws/ec2/openVNCServer.js +++ b/plugins/aws/ec2/openVNCServer.js @@ -16,6 +16,12 @@ module.exports = { description: 'When set to true, skip checking ports for unused security groups and produce a WARN result', regex: '^(true|false)$', default: 'false', + }, + check_network_interface: { + name: 'Check Associated ENI', + description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed', + regex: '^(true|false)$', + default: 'false', } }, remediation_description: 'The impacted security group rule will be deleted if no input is provided. Otherwise, any input will replace the open CIDR rule.', @@ -48,9 +54,11 @@ module.exports = { run: function(cache, settings, callback) { var config = { ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default, + check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default, }; config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true'); + config.check_network_interface = (config.check_network_interface == 'true'); var results = []; var source = {}; 
diff --git a/plugins/aws/ec2/openVNCServer.spec.js b/plugins/aws/ec2/openVNCServer.spec.js index 04d392ffa7..65cdb2a463 100644 --- a/plugins/aws/ec2/openVNCServer.spec.js +++ b/plugins/aws/ec2/openVNCServer.spec.js @@ -307,5 +307,14 @@ describe('openVNCServer', function () { }); }); + it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) { + const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]); + openVNCServer.run(cache, {check_network_interface:'true'}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + done(); + }); + }); + }); }); diff --git a/plugins/aws/ec2/publicIpAddress.js b/plugins/aws/ec2/publicIpAddress.js index deb5e7abfa..3b90808416 100644 --- a/plugins/aws/ec2/publicIpAddress.js +++ b/plugins/aws/ec2/publicIpAddress.js @@ -60,13 +60,13 @@ module.exports = { describeInstances.data.forEach(function(instance){ if (!instance.Instances || !instance.Instances.length) { - helpers.addResult(results, 0, + helpers.addResult(results, 0, 'EC2 instance description is not found', region); return; } instance.Instances.forEach(function(element){ - var resource = `arn:${awsOrGov}:ec2:${region}:${accountId}:/instance/${element.InstanceId}`; + var resource = `arn:${awsOrGov}:ec2:${region}:${accountId}:instance/${element.InstanceId}`; var openSg = false; for (var sg of element.SecurityGroups) { if (openSgs.includes(sg.GroupId)) openSg = true; diff --git a/plugins/aws/elasticache/elasticacheInstanceGeneration.js b/plugins/aws/elasticache/elasticacheInstanceGeneration.js index d5bb0f2c87..6b89daa485 100644 --- a/plugins/aws/elasticache/elasticacheInstanceGeneration.js +++ b/plugins/aws/elasticache/elasticacheInstanceGeneration.js 
@@ -9,7 +9,7 @@ module.exports = { more_info: 'Using the latest generation of Amazon ElastiCache instances instances will benefit clusters for higher hardware performance, ' + 'better support for latest Memcached and Redis in-memory engines versions and lower costs.', link: 'https://aws.amazon.com/elasticache/previous-generation/', - recommended_action: 'Upgrade ElastiCache instance generaion to the latest available generation.', + recommended_action: 'Upgrade ElastiCache instance generation to the latest available generation.', apis: ['ElastiCache:describeCacheClusters'], run: function(cache, settings, callback) { diff --git a/plugins/aws/iam/iamUserWithoutPermissions.js b/plugins/aws/iam/iamUserWithoutPermissions.js index 1f3fb414f3..a0c2ba1c13 100644 --- a/plugins/aws/iam/iamUserWithoutPermissions.js +++ b/plugins/aws/iam/iamUserWithoutPermissions.js @@ -90,7 +90,8 @@ module.exports = { return cb(); } - if (listGroupPolicies.data.PolicyNames.length || listAttachedGroupPolicies.data.AttachedPolicies.length ){ + if ((listGroupPolicies.data.PolicyNames && listGroupPolicies.data.PolicyNames.length) || + (listAttachedGroupPolicies.data.AttachedPolicies && listAttachedGroupPolicies.data.AttachedPolicies.length)){ break; } } diff --git a/plugins/aws/lambda/lambdaOldRuntimes.js b/plugins/aws/lambda/lambdaOldRuntimes.js index 9ba49b5e22..57e072c487 100644 --- a/plugins/aws/lambda/lambdaOldRuntimes.js +++ b/plugins/aws/lambda/lambdaOldRuntimes.js 
@@ -36,14 +36,21 @@ module.exports = { { 'id':'nodejs8.10', 'name': 'Node.js 8.10', 'endOfLifeDate': '2020-03-06' }, { 'id':'nodejs10.x', 'name': 'Node.js 10.x', 'endOfLifeDate': '2022-02-14' }, { 'id':'nodejs12.x', 'name': 'Node.js 12', 'endOfLifeDate': '2023-03-31'}, + { 'id':'nodejs14.x', 'name': 'Node.js 14', 'endOfLifeDate': '2023-11-27'}, + { 'id':'nodejs16.x', 'name': 'Node.js 16', 'endOfLifeDate': '2024-03-11'}, { 'id':'dotnetcore3.1', 'name': '.Net Core 3.1', 'endOfLifeDate': '2023-03-31' }, { 'id':'dotnetcore2.1', 'name': '.Net Core 2.1', 'endOfLifeDate': '2022-04-15' }, { 'id':'dotnetcore2.0', 'name': '.Net Core 2.0', 'endOfLifeDate': '2018-10-01' }, { 'id':'dotnetcore1.0', 'name': '.Net Core 1.0', 'endOfLifeDate': '2019-06-27' }, + { 'id':'dotnet7', 'name': '.Net 7', 'endOfLifeDate': '2024-05-14' }, { 'id':'python2.7', 'name': 'Python 2.7', 'endOfLifeDate': '2022-05-30' }, { 'id':'python3.5', 'name': 'Python 3.5', 'endOfLifeDate': '2020-09-13' }, { 'id':'ruby2.5', 'name': 'Ruby 2.5', 'endOfLifeDate': '2022-03-31' }, + { 'id':'ruby2.7', 'name': 'Ruby 2.7', 'endOfLifeDate': '2023-12-07' }, { 'id':'python3.6', 'name': 'Python 3.6', 'endOfLifeDate': '2022-08-29'}, + { 'id':'python3.7', 'name': 'Python 3.7', 'endOfLifeDate': '2023-11-27'}, + { 'id':'go1.x', 'name': 'Go 1', 'endOfLifeDate': '2023-12-31'}, + { 'id':'java8', 'name': 'Java 8', 'endOfLifeDate': '2023-12-31'}, ]; async.each(regions.lambda, function(region, rcb){ diff --git a/plugins/aws/s3/bucketEnforceEncryption.js b/plugins/aws/s3/bucketEnforceEncryption.js index 026d06c234..e5f7436a48 100644 --- a/plugins/aws/s3/bucketEnforceEncryption.js +++ b/plugins/aws/s3/bucketEnforceEncryption.js 
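Review bot: Several of the added entries carry end-of-life dates after this commit's date (nodejs16.x 2024-03-11, dotnet7 2024-05-14, go1.x and java8 2023-12-31), and whether that is correct depends on how the list is consumed further down in `run`, which is outside the hunk. If the plugin compares `endOfLifeDate` against the current date before failing, future-dated rows are harmless and useful; if it fails on membership alone, every function on those runtimes is reported as deprecated months early. A one-line comment above the array stating which of the two the list assumes would stop the next contributor guessing, e.g. `// entries are only reported once endOfLifeDate has passed (see the date comparison below)` — adjusted to whatever the code actually does.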
@@ -125,7 +125,7 @@ module.exports = { if (statement.Effect && statement.Effect === 'Deny' && statement.Principal && - ((typeof statement.Principal == 'string' && statement.Principal == '*') || + ((helpers.globalPrincipal(statement.Principal)) || (Array.isArray(statement.Principal) && statement.indexOf('*') > -1)) && statement.Action && ((typeof statement.Action == 'string' && statement.Action == 's3:PutObject') || @@ -170,4 +170,4 @@ module.exports = { callback(null, results, source); } -}; \ No newline at end of file +}; diff --git a/plugins/aws/s3/objectLevelReadEventLogging.js b/plugins/aws/s3/objectLevelReadEventLogging.js index cfaca79b4d..ede6cb05eb 100644 --- a/plugins/aws/s3/objectLevelReadEventLogging.js +++ b/plugins/aws/s3/objectLevelReadEventLogging.js @@ -32,9 +32,13 @@ module.exports = { helpers.addResult(results, 0, 'No S3 buckets Founds'); return callback(null, results, source); } - var isall = false; var buckets = []; + var startsWithBuckets = []; + var endsWithBuckets = []; + var notStartsWithBuckets = []; + var notEndsWithBuckets = []; + async.each(regions.cloudtrail, function(region, rcb){ var describeTrails = helpers.addSource(cache, source, ['cloudtrail', 'describeTrails', region]); @@ -91,11 +95,8 @@ module.exports = { if (dataEventCategoryField && s3ObjectField) { if ((readOnlyField || !writeOnlyField )&& !resourcesARNField) { isall = true; - } else { - buckets = fieldSelectors - .filter((f) => f.Field === 'resources.ARN') - .map((f) => f.Equals[0].split(':::')[1]); - buckets = buckets.map((name) => name.slice(0, -1)); + } else if (readOnlyField) { + helpers.processFieldSelectors(fieldSelectors, buckets ,startsWithBuckets,notEndsWithBuckets,endsWithBuckets, notStartsWithBuckets); } } } 
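Review bot: The array branch right after the new `helpers.globalPrincipal(...)` call still reads `statement.indexOf('*')`, which is not a function on a statement object, so any statement whose Principal is an array throws a TypeError instead of being evaluated. If `globalPrincipal` already recognises array and `{AWS: '*'}` forms (plausible given its name, but the helper is not visible here) the array clause is redundant and can be dropped; otherwise it should read `(Array.isArray(statement.Principal) && statement.Principal.includes('*'))`. The enclosing statement loop starts and ends outside the hunk.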
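Review bot: `var isall = false;` is deleted in this hunk, but the later `isall = true;` context line and the new `if (isall || ...)` test in the same function still reference it; unless another declaration exists outside the hunk, reading `isall` for a bucket before any trail has set it throws a ReferenceError, and the assignment creates an implicit global in sloppy mode. The sibling objectLevelWriteEventLogging.js hunk below keeps its `var isall = false;` as a context line, so this looks like an accidental removal; restore `var isall = false;` next to `var buckets = [];`.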
@@ -106,8 +107,9 @@ module.exports = { },function() { listBuckets.data.forEach(function(bucket){ var bucketLocation = helpers.getS3BucketLocation(cache, defaultRegion, bucket.Name); + const conditions = helpers.checkConditions(startsWithBuckets, notStartsWithBuckets, endsWithBuckets, notEndsWithBuckets, bucket.Name); - if (isall) { + if (isall || conditions.startsWithCondition || conditions.notStartsWithCondition || conditions.endsWithCondition || conditions.notEndsWithCondition){ helpers.addResult(results, 0, 'Bucket has object-level logging for read events', bucketLocation, `arn:${awsOrGov}:s3:::` + bucket.Name); } else if (buckets.length) { if (buckets.includes(bucket.Name)) { diff --git a/plugins/aws/s3/objectLevelWriteEventLogging.js b/plugins/aws/s3/objectLevelWriteEventLogging.js index d9b6b6635c..ba7673be87 100644 --- a/plugins/aws/s3/objectLevelWriteEventLogging.js +++ b/plugins/aws/s3/objectLevelWriteEventLogging.js @@ -35,6 +35,11 @@ module.exports = { var isall = false; var buckets=[]; + var startsWithBuckets = []; + var endsWithBuckets = []; + var notStartsWithBuckets = []; + var notEndsWithBuckets = []; + async.each(regions.cloudtrail, function(region, rcb){ var describeTrails = helpers.addSource(cache, source, ['cloudtrail', 'describeTrails', region]); @@ -90,11 +95,8 @@ module.exports = { if (dataEventCategoryField && s3ObjectField) { if ((writeOnlyField || !readOnlyField )&& !resourcesARNField) { isall = true; - } else { - buckets = fieldSelectors - .filter((f) => f.Field === 'resources.ARN') - .map((f) => f.Equals[0].split(':::')[1]); - buckets = buckets.map((name) => name.slice(0, -1)); + } else if (writeOnlyField ) { + helpers.processFieldSelectors(fieldSelectors, buckets ,startsWithBuckets,notEndsWithBuckets,endsWithBuckets, notStartsWithBuckets); } } } 
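Review bot: The new `else if (writeOnlyField)` guard drops trails that log both read and write data events for named buckets (no readOnly selector in either direction) — previously those fed `buckets`, now they are ignored and the bucket is reported as unlogged. Mirroring the `isall` condition two lines up, `} else if (writeOnlyField || !readOnlyField) {` keeps them (the read plugin's hunk above would use `readOnlyField || !writeOnlyField`); how the two flags are derived is outside the hunk, so please confirm that "neither present" means both event types are logged. The positional arguments also differ between the two helpers: `processFieldSelectors(..., startsWithBuckets, notEndsWithBuckets, endsWithBuckets, notStartsWithBuckets)` here versus `checkConditions(startsWithBuckets, notStartsWithBuckets, endsWithBuckets, notEndsWithBuckets, ...)` in the next hunk, and I cannot see the helper signatures, so confirm that `processFieldSelectors` really expects NotEndsWith before EndsWith, otherwise the NotStartsWith and NotEndsWith lists are swapped. The same points apply to the objectLevelReadEventLogging.js hunk above; the enclosing trail loop starts outside the hunk.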
@@ -106,8 +108,9 @@ module.exports = { listBuckets.data.forEach(function(bucket){ var bucketLocation = helpers.getS3BucketLocation(cache, defaultRegion, bucket.Name); + const conditions = helpers.checkConditions(startsWithBuckets, notStartsWithBuckets, endsWithBuckets, notEndsWithBuckets, bucket.Name); - if (isall) { + if (isall || conditions.startsWithCondition || conditions.notStartsWithCondition || conditions.endsWithCondition || conditions.notEndsWithCondition){ helpers.addResult(results, 0, 'Bucket has object-level logging for write events', bucketLocation, `arn:${awsOrGov}:s3:::` + bucket.Name); } else if (buckets.length) { if (buckets.includes(bucket.Name)){ diff --git a/plugins/aws/s3/s3BucketHasTags.js b/plugins/aws/s3/s3BucketHasTags.js index 276edd2307..189b2ab6da 100644 --- a/plugins/aws/s3/s3BucketHasTags.js +++ b/plugins/aws/s3/s3BucketHasTags.js @@ -1,5 +1,4 @@ var helpers = require('../../../helpers/aws'); -var async = require('async'); module.exports = { title: 'S3 Bucket Has Tags', @@ -13,10 +12,8 @@ module.exports = { run: function(cache, settings, callback) { var results = []; var source = {}; - var regions = helpers.regions(settings); var defaultRegion = helpers.defaultRegion(settings); var awsOrGov = helpers.defaultPartition(settings); - var resourceArns = []; var listBuckets = helpers.addSource(cache, source, ['s3', 'listBuckets', defaultRegion]); 
@@ -32,33 +29,20 @@ module.exports = { return callback(null, results, source); } - async.each(regions.resourcegroupstaggingapi, function(region, rcb) { - const resourceTags = helpers.addSource(cache, {}, - ['resourcegroupstaggingapi', 'getResources', region]); - - if (!resourceTags) return rcb(); - - if (resourceTags.err ) { - helpers.addResult(results , 3, 'Unable to query for Resource Group Tagging',region, helpers.addError(resourceTags)); - return rcb(); - } - if (!resourceTags.data || !resourceTags.data.length) return rcb(); - - resourceArns.push(...resourceTags.data.filter(data => data.Tags && data.Tags.length).map(data => data.ResourceARN)); - - rcb(); - }, function() { - for (let bucket of listBuckets.data) { - const arn = `arn:${awsOrGov}:s3:::${bucket.Name}`; - var bucketLocation = helpers.getS3BucketLocation(cache, defaultRegion, bucket.Name); - - if (resourceArns.includes(arn)) { - helpers.addResult(results, 0, 'S3 bucket has tags', bucketLocation, arn); - } else { - helpers.addResult(results, 2, 'S3 bucket does not have any tags', bucketLocation, arn); - } + var bucketsByRegion= {}; + listBuckets.data.forEach(function(bucket) { + if (!bucket.Name) return; + var bucketLocation = helpers.getS3BucketLocation(cache, defaultRegion, bucket.Name); + if (!bucketsByRegion[bucketLocation]) { + bucketsByRegion[bucketLocation] = []; } - callback(null, results, source); + bucketsByRegion[bucketLocation].push(`arn:${awsOrGov}:s3:::${bucket.Name}`); }); + + for (var region in bucketsByRegion) { + var bucketNames = bucketsByRegion[region] || []; + helpers.checkTags(cache, 'S3 bucket', bucketNames, region, results, settings); + } + callback(null, results, source); } }; diff --git a/plugins/aws/s3/s3BucketHasTags.spec.js b/plugins/aws/s3/s3BucketHasTags.spec.js index da3957de52..c5d16a432d 100644 --- a/plugins/aws/s3/s3BucketHasTags.spec.js +++ b/plugins/aws/s3/s3BucketHasTags.spec.js 
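Review bot: `bucketNames` holds ARNs, not names — `arn:${awsOrGov}:s3:::${bucket.Name}` is what gets pushed — and `bucketsByRegion[region] || []` can never be nullish inside a `for...in` over that same object; `var bucketArns = bucketsByRegion[region];` keeps the call to `helpers.checkTags` honest. Buckets without a `Name` are now skipped silently with no result, where the replaced code emitted one result per listed bucket; if that is intentional a short `// NOTE: unnamed entries produce no result` would save the next reader a diff archaeology trip. `helpers.checkTags` is outside this diff, so I cannot confirm it accepts ARNs in that argument; the updated spec expecting a single result per region suggests it does.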
@@ -2,6 +2,7 @@ var expect = require('chai').expect; var s3BucketHasTags = require('./s3BucketHasTags'); const createCache = (bucketData, bucketDataErr, rgData, rgDataErr) => { + var bucketName = (bucketData && bucketData.length) ? bucketData[0].Name : null; return { s3: { listBuckets: { @@ -9,6 +10,15 @@ const createCache = (bucketData, bucketDataErr, rgData, rgDataErr) => { err: bucketDataErr, data: bucketData } + }, + getBucketLocation: { + 'us-east-1': { + [bucketName]: { + data: { + LocationConstraint: 'us-east-1' + } + } + } } }, resourcegroupstaggingapi: { @@ -50,9 +60,9 @@ describe('s3BucketHasTags', function () { it('should give unknown result if unable to query resource group tagging api', function (done) { const callback = (err, results) => { - expect(results.length).to.equal(2); + expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); - expect(results[0].message).to.include('Unable to query for Resource Group Tagging'); + expect(results[0].message).to.include('Unable to query all resources from group tagging api:'); done(); }; const cache = createCache([{ diff --git a/plugins/aws/s3/s3Encryption.js b/plugins/aws/s3/s3Encryption.js index f0bcab3541..f6df649f2d 100644 --- a/plugins/aws/s3/s3Encryption.js +++ b/plugins/aws/s3/s3Encryption.js @@ -22,7 +22,7 @@ function statementTargetsAction(statement, targetAction) { */ function getEncryptionLevel(statement) { if (statement) { - if (statement.Effect === 'Deny' && statement.Principal === '*') { + if (statement.Effect === 'Deny' && helpers.globalPrincipal(statement.Principal)) { if (statementTargetsAction(statement, 's3:PutObject')) { if (statement.Condition && statement.Condition.StringNotEquals) { if (statement.Condition.StringNotEquals['s3:x-amz-server-side-encryption'] === 'AES256') { diff --git a/plugins/aws/sns/snsTopicNoHttpPolicy.js b/plugins/aws/sns/snsTopicNoHttpPolicy.js index ed0768a31c..30e77f8ab1 100644 --- a/plugins/aws/sns/snsTopicNoHttpPolicy.js 
+++ b/plugins/aws/sns/snsTopicNoHttpPolicy.js @@ -10,7 +10,7 @@ module.exports = { recommended_action: 'Adjust the topic policy to only allow authorized AWS users in known accounts to send or subscribe via the HTTP protocol.', link: 'http://docs.aws.amazon.com/sns/latest/dg/AccessPolicyLanguage.html', apis: ['SNS:listTopics', 'SNS:getTopicAttributes'], - + run: function(cache, settings, callback) { var results = []; var source = {}; @@ -35,20 +35,20 @@ module.exports = { listTopics.data.forEach( topic => { if (!topic.TopicArn) return; - + var getTopicAttributes = helpers.addSource(cache, source, ['sns', 'getTopicAttributes', region, topic.TopicArn]); - + if (!getTopicAttributes || (!getTopicAttributes.err && !getTopicAttributes.data)) return; - + if (getTopicAttributes.err || !getTopicAttributes.data) { helpers.addResult(results, 3, 'Unable to query SNS topic for policy: ' + helpers.addError(getTopicAttributes), region, topic.TopicArn); return; } - + if (!getTopicAttributes.data.Attributes || !getTopicAttributes.data.Attributes.Policy) { helpers.addResult(results, 3, @@ -56,9 +56,9 @@ module.exports = { region, topic.TopicArn); return; } - + var statements = helpers.normalizePolicyDocument(getTopicAttributes.data.Attributes.Policy); - + if (!statements || !statements.length) { helpers.addResult(results, 0, 'The SNS Topic policy does not have trust relationship statements', 
@@ -68,18 +68,30 @@ module.exports = { var hasHttpProtocolRestriction = false; + function checkProtocol(protocol) { + protocol = protocol.toLowerCase(); + if ((effect === 'Allow' && protocol === 'http') || (effect === 'Deny' && protocol === 'https')) { + return true; + } + } for (var statement of statements) { if (statement.Condition && statement.Condition.StringEquals) { var protocolCondition = statement.Condition.StringEquals['SNS:Protocol']; - if (protocolCondition) { + if (protocolCondition && protocolCondition.length) { var effect = statement.Effect; - var protocol = protocolCondition.toLowerCase(); + if (typeof protocolCondition === 'string') { + hasHttpProtocolRestriction = checkProtocol(protocolCondition); - if ((effect === 'Allow' && protocol === 'http') || (effect === 'Deny' && protocol === 'https')) { - hasHttpProtocolRestriction = true; - break; + } else if (Array.isArray(protocolCondition) && protocolCondition.length) { + for (var protocol of protocolCondition) { + if (checkProtocol(protocol)) { + hasHttpProtocolRestriction = true; + break; + } + } } } + if (hasHttpProtocolRestriction) break; } } @@ -92,9 +104,9 @@ module.exports = { 'The SNS topic policy does not allow unsecured access via HTTP protocol.', region, topic.TopicArn); } - + }); - + rcb(); }, function(){ callback(null, results, source); diff --git a/plugins/aws/sns/snsValidSubscribers.js b/plugins/aws/sns/snsValidSubscribers.js index 2dab47043c..eaa0539e43 100644 --- a/plugins/aws/sns/snsValidSubscribers.js +++ b/plugins/aws/sns/snsValidSubscribers.js 
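Review bot: `checkProtocol` reads `effect` through closure, but `effect` is a `var` declared after the function and reassigned per statement, and the function returns `undefined` on the non-matching path, so `hasHttpProtocolRestriction = checkProtocol(protocolCondition)` stores `undefined` rather than `false`; it also calls `toLowerCase()` on whatever the array contains, so a non-string entry throws. Passing `effect` as a parameter and returning an explicit boolean removes both the hidden dependency and the type hazard. Adjacent and predating this commit: the lookup is exact-case `StringEquals['SNS:Protocol']`, and IAM condition key names are case-insensitive, so a policy written with `sns:Protocol` is never evaluated by this check. The enclosing `forEach` callback starts and ends outside the hunk.
```javascript
// True when this statement's SNS:Protocol condition leaves plain HTTP usable.
function checkProtocol(protocol, effect) {
    if (typeof protocol !== 'string') return false;
    const proto = protocol.toLowerCase();
    return (effect === 'Allow' && proto === 'http') || (effect === 'Deny' && proto === 'https');
}
// … unchanged: statement loop, now calling checkProtocol(value, statement.Effect) …
```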
@@ -6,7 +6,7 @@ module.exports = { category: 'SNS', domain: 'Application Integration', description: 'Ensure that Amazon SNS subscriptions are valid and there are no unwanted subscribers.', - more_info: 'Amazon Simple Notification Service (Amazon SNS) is a managed service that provides message delivery from publishers to subscribers. So check for appropriate subsribers in order to improve access security to your SNS topics. ', + more_info: 'Amazon Simple Notification Service (Amazon SNS) is a managed service that provides message delivery from publishers to subscribers. So check for appropriate subscribers in order to improve access security to your SNS topics. ', recommended_action: 'Check for unwanted SNS subscriptions periodically', link: 'https://docs.aws.amazon.com/sns/latest/dg/sns-create-subscribe-endpoint-to-topic.html', apis: ['SNS:listSubscriptions'], diff --git a/plugins/aws/sqs/sqsEncryptionEnabled.js b/plugins/aws/sqs/sqsEncryptionEnabled.js index 1acba59700..3339478fec 100644 --- a/plugins/aws/sqs/sqsEncryptionEnabled.js +++ b/plugins/aws/sqs/sqsEncryptionEnabled.js @@ -81,7 +81,9 @@ module.exports = { }); for (let queue of listQueues.data) { - let resource = `arn:${awsOrGov}:sqs:${region}:${accountId}:${queue}`; + var queueName = queue.split('/'); + queueName = queueName[queueName.length-1]; + let resource = `arn:${awsOrGov}:sqs:${region}:${accountId}:${queueName}`; var getQueueAttributes = helpers.addSource(cache, source, ['sqs', 'getQueueAttributes', region, queue]); diff --git a/plugins/aws/ssm/ssmSessionDuration.js b/plugins/aws/ssm/ssmSessionDuration.js index 3f6bdc4130..6f71f43b91 100644 --- a/plugins/aws/ssm/ssmSessionDuration.js +++ b/plugins/aws/ssm/ssmSessionDuration.js 
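Review bot: `queueName` is first an array and then a string, and the last-segment extraction is spelled out by hand; `var queueName = queue.split('/').pop();` does the same in one line and keeps the variable's type stable. The ARN fix itself is right — the queue URL's final path segment is the queue name — and the `for` loop it sits in starts outside the hunk.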
@@ -60,12 +60,12 @@ module.exports = { }); for (let instance of sessionsByInstances) { - var resource = `arn:${awsOrGov}:ec2:${region}:${accountId}:/instance/${instance.instanceId}`; + var resource = `arn:${awsOrGov}:ec2:${region}:${accountId}:instance/${instance.instanceId}`; let failingSessions = ''; for (let session of instance.sessions) { let activeSessionTimeInMins = helpers.minutesBetween(new Date(), session.StartDate); - + if (sessionMaxDuration && sessionMaxDuration < activeSessionTimeInMins) { failingSessions += `${session.SessionId} - ${activeSessionTimeInMins} mins\n`; } diff --git a/plugins/azure/appservice/clientCertEnabled.js b/plugins/azure/appservice/clientCertEnabled.js index 526602fbb6..d74320aee6 100644 --- a/plugins/azure/appservice/clientCertEnabled.js +++ b/plugins/azure/appservice/clientCertEnabled.js @@ -15,7 +15,6 @@ module.exports = { const results = []; const source = {}; const locations = helpers.locations(settings.govcloud); - async.each(locations.webApps, function(location, rcb) { const webApps = helpers.addSource( @@ -36,10 +35,14 @@ module.exports = { } webApps.data.forEach(function(webApp) { - if (webApp.clientCertEnabled) { + if (webApp.siteConfig && webApp.siteConfig.http20Enabled) { helpers.addResult(results, 0, 'The App Service has Client Certificates enabled', location, webApp.id); } else { - helpers.addResult(results, 2, 'The App Service does not have Client Certificates enabled', location, webApp.id); + if (webApp.clientCertEnabled) { + helpers.addResult(results, 0, 'The App Service has Client Certificates enabled', location, webApp.id); + } else { + helpers.addResult(results, 2, 'The App Service does not have Client Certificates enabled', location, webApp.id); + } } }); diff --git a/plugins/azure/appservice/clientCertEnabled.spec.js b/plugins/azure/appservice/clientCertEnabled.spec.js index 14e3ea9aaa..bc9d32e8c7 100644 --- a/plugins/azure/appservice/clientCertEnabled.spec.js 
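Review bot: The new outer branch reports 'The App Service has Client Certificates enabled' whenever `siteConfig.http20Enabled` is true, without consulting `clientCertEnabled` at all — HTTP/2 support has nothing to do with client-certificate (mutual TLS) enforcement, so an app with HTTP/2 on and client certificates off now PASSes a check whose title says the opposite, a false negative on an authentication control. Unless there is a documented reason I am missing, the body should go back to `if (webApp.clientCertEnabled) { /* PASS */ } else { /* FAIL */ }` with the `http20Enabled` branch removed. The accompanying spec change pins the current behaviour and would need to go with it. The `forEach` callback's enclosing function starts outside the hunk.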
+++ b/plugins/azure/appservice/clientCertEnabled.spec.js @@ -10,7 +10,18 @@ const webApps = [ { 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Web/sites/app1', 'name': 'app1', - 'clientCertEnabled': false + 'clientCertEnabled': false, + 'siteConfig': { + 'http20Enabled': false + } + }, + { + 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Web/sites/app1', + 'name': 'app1', + 'clientCertEnabled': false, + 'siteConfig': { + 'http20Enabled': true + } } ]; @@ -81,5 +92,16 @@ describe('clientCertEnabled', function() { done(); }); }); + + it('should give passing result if app service have http20 enabled', function(done) { + const cache = createCache([webApps[2]]); + clientCertEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('The App Service has Client Certificates enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); }); -}); \ No newline at end of file +}); diff --git a/plugins/azure/fileservice/fileServiceAllAccessAcl.js b/plugins/azure/fileservice/fileServiceAllAccessAcl.js index e6c7fa229d..9cdbeed9e3 100644 --- a/plugins/azure/fileservice/fileServiceAllAccessAcl.js +++ b/plugins/azure/fileservice/fileServiceAllAccessAcl.js 
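Review bot: The new test asserts the message 'The App Service has Client Certificates enabled' for a fixture whose `clientCertEnabled` is `false`, so it pins a PASS that the property it names does not support; the test title ("have http20 enabled") and the asserted message disagree about what is being checked. The fixture `webApps[2]` also duplicates `webApps[1]`'s `id` and `name` ('app1'), differing only in `http20Enabled`, which makes failures hard to attribute. If the HTTP/2 branch is kept on purpose, give the fixture a distinct id/name and make the title say what is asserted; otherwise drop this test together with that branch.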
@@ -9,8 +9,8 @@ module.exports = { description: 'Ensures file shares do not allow full write, delete, or read ACL permissions', more_info: 'File shares can be configured to allow to read, write, or delete permissions from a share. This option should not be configured unless there is a strong business requirement.', recommended_action: 'Disable global read, write, and delete policies on all file shares and ensure the share ACL is configured with least privileges.', - link: 'https://learn.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share#create-a-file-share-through-the-azure-portal', - apis: ['storageAccounts:list', 'storageAccounts:listKeys', 'fileService:listSharesSegmentedNew', 'fileService:getShareAcl'], + link: 'https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share#create-a-file-share-through-the-azure-portal', + apis: ['storageAccounts:list', 'storageAccounts:listKeys', 'fileService:listSharesSegmented', 'fileService:getShareAcl'], compliance: { hipaa: 'HIPAA access controls require data to be secured with least-privileged ' + 'ACLs. File Service ACLs enable granular permissions for data access.', @@ -60,7 +60,6 @@ module.exports = { 'No existing File Service shares found', location, storageAccount.id); } else { listSharesSegmented.data.forEach(function(fileShare) { - fileShare.id = `${storageAccount.id}/fileService/${fileShare.name}`; // Add share ACL var getShareAcl = helpers.addSource(cache, source, ['fileService', 'getShareAcl', location, fileShare.id]); diff --git a/plugins/azure/fileservice/fileServiceAllAccessAcl.spec.js b/plugins/azure/fileservice/fileServiceAllAccessAcl.spec.js index b9a83e5d74..449d0e171b 100644 --- a/plugins/azure/fileservice/fileServiceAllAccessAcl.spec.js +++ b/plugins/azure/fileservice/fileServiceAllAccessAcl.spec.js 
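Review bot: The `link` moves from learn.microsoft.com back to docs.microsoft.com, which Microsoft now redirects to the former, so this looks like an unintended revert rather than a correction. The `apis` entry is renamed from `fileService:listSharesSegmentedNew` to `fileService:listSharesSegmented` at the same time; the collector definitions are not in this diff, so I cannot tell whether the old name still exists elsewhere, and a one-line note in the commit message about why the collector was swapped would help whoever bisects this later.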
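Review bot: Dropping `fileShare.id = ...` makes the `getShareAcl` lookup on the next line depend on `listSharesSegmented` returning an `id` per share; that collector is not in this diff, and if it does not populate `id`, every share resolves to the same missing cache entry, which the updated spec fixture masks by supplying an `id` by hand. Please confirm against helpers/azure/api.js, or keep a fallback such as `var shareId = fileShare.id || `${storageAccount.id}/fileService/${fileShare.name}`;` and use it for the lookup. The enclosing `forEach` over storage accounts starts and ends outside the hunk.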
@@ -40,7 +40,8 @@ const listKeys = [ const listSharesSegmented = [ { - "name": "file1 " + "name": "file1", + "id": "/subscriptions/1234/resourceGroups/cloud-shell-storage-eastus/providers/Microsoft.Storage/storageAccounts/csb100320011e293683/fileService/file1" } ]; diff --git a/plugins/azure/mysqlserver/mysqlFlexibleServersMinTls.js b/plugins/azure/mysqlserver/mysqlFlexibleServersMinTls.js index 4c945ca6d9..3bf02c08b4 100644 --- a/plugins/azure/mysqlserver/mysqlFlexibleServersMinTls.js +++ b/plugins/azure/mysqlserver/mysqlFlexibleServersMinTls.js @@ -40,6 +40,7 @@ module.exports = { if (!configurations || configurations.err || !configurations.data) { helpers.addResult(results, 3, 'Unable to query for ' + helpers.addError(configurations), location, flexibleServer.id); + continue; } var configuration = configurations.data.filter(config => { diff --git a/plugins/azure/mysqlserver/mysqlFlexibleServersMinTls.spec.js b/plugins/azure/mysqlserver/mysqlFlexibleServersMinTls.spec.js index fc187e0368..869986b907 100644 --- a/plugins/azure/mysqlserver/mysqlFlexibleServersMinTls.spec.js +++ b/plugins/azure/mysqlserver/mysqlFlexibleServersMinTls.spec.js @@ -38,7 +38,7 @@ describe('mysqlFlexibleServersMinTls', function() { ); auth.run(cache, {}, callback); - }) + }); it('should FAIL if MySQL server is not using TLSV1.2', function(done) { const callback = (err, results) => { 
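Review bot: The added `continue` correctly stops `configurations.data.filter` from running after a failed lookup, but the message it now finalises is `'Unable to query for ' + helpers.addError(configurations)` — "Unable to query for <error text>" names no resource, so an operator cannot tell which lookup failed. Suggest `'Unable to query for MySQL flexible server configurations: ' + helpers.addError(configurations)`; the spec's `include('Unable to query for')` still matches. The enclosing `for` loop starts outside the hunk.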
@@ -122,5 +122,27 @@ describe('mysqlFlexibleServersMinTls', function() { auth.run(cache, {}, callback); }); + it('should UNKNOWN if unable to query for configurations', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for'); + expect(results[0].region).to.equal('eastus'); + done() + }; + + const cache = createCache( + null, + [ + { + "id": "/subscriptions/12345/resourceGroups/Default/providers/Microsoft.DBforMySQL/flexibleServers/test-server", + "type": "Microsoft.DBforMySQL/flexibleServers" + } + ], + {} + ); + + auth.run(cache, {}, callback); + }) }) }) \ No newline at end of file diff --git a/plugins/azure/networksecuritygroups/networkWatcherEnabled.js b/plugins/azure/networksecuritygroups/networkWatcherEnabled.js index 83c5a553ec..2b51dee960 100644 --- a/plugins/azure/networksecuritygroups/networkWatcherEnabled.js +++ b/plugins/azure/networksecuritygroups/networkWatcherEnabled.js @@ -44,9 +44,8 @@ module.exports = { } networkWatchers.data.forEach((networkWatcher) => { - if (networkWatcher.properties && - networkWatcher.properties.provisioningState && - networkWatcher.properties.provisioningState.toLowerCase() == 'succeeded') { + if (networkWatcher.provisioningState && + networkWatcher.provisioningState.toLowerCase() == 'succeeded') { helpers.addResult(results, 0, 'Network Watcher is enabled', location, networkWatcher.id); } else { helpers.addResult(results, 2, 'Network Watcher is not successfully provisioned for the region', location, networkWatcher.id); diff --git a/plugins/azure/networksecuritygroups/networkWatcherEnabled.spec.js b/plugins/azure/networksecuritygroups/networkWatcherEnabled.spec.js index 54fa27000a..35f9f6f61f 100644 --- a/plugins/azure/networksecuritygroups/networkWatcherEnabled.spec.js +++ b/plugins/azure/networksecuritygroups/networkWatcherEnabled.spec.js 
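Review bot: The check now reads `networkWatcher.provisioningState` at the top level, so it silently depends on the collector flattening the ARM `properties` bag; the REST payload for networkWatchers nests `provisioningState` under `properties`, and if the Azure helper has not been changed to unwrap it (that change is not in this diff), every watcher falls into the "not successfully provisioned" branch — a false FAIL in every region. The spec fixtures were rewritten to the flat shape at the same time, so the tests cannot catch that mismatch. Either confirm the collector change in helpers/azure/api.js or accept both shapes: `var state = networkWatcher.provisioningState || (networkWatcher.properties && networkWatcher.properties.provisioningState);` and test `state`.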
@@ -2,28 +2,24 @@ var expect = require('chai').expect; var networkWatcherEnabled = require('./networkWatcherEnabled'); const networkWatchers = [ - { - "name": "NetworkWatcher_eastus", - "id": "/subscriptions/def1d0ac-ebf6-437f-a3b0-28fc0d22117e/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus", - "etag": "W/\"a12bcd34-5333-4361-a645-0f110712c17e\"", - "type": "Microsoft.Network/networkWatchers", - "location": "eastus", - "properties": { - "provisioningState": "Succeeded", - "runningOperationIds": [] - } - }, - { - "name": "NetworkWatcher_eastus2", - "id": "/subscriptions/def1d0ac-ebf6-437f-a3b0-28fc0d22117e/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus2", - "etag": "W/\"s31sde21-686a-449e-b678-1eb7bc38310e\"", - "type": "Microsoft.Network/networkWatchers", - "location": "eastus2", - "properties": { - "provisioningState": "Failed", - "runningOperationIds": [] + { + "name": "NetworkWatcher_eastus", + "id": "/subscriptions/def1d0ac-ebf6-437f-a3b0-28fc0d22117e/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus", + "etag": "W/\"a12bcd34-5333-4361-a645-0f110712c17e\"", + "type": "Microsoft.Network/networkWatchers", + "location": "eastus", + "provisioningState": "Succeeded", + "runningOperationIds": [] + }, + { + "name": "NetworkWatcher_eastus2", + "id": "/subscriptions/def1d0ac-ebf6-437f-a3b0-28fc0d22117e/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus2", + "etag": "W/\"s31sde21-686a-449e-b678-1eb7bc38310e\"", + "type": "Microsoft.Network/networkWatchers", + "location": "eastus2", + "provisioningState": "Failed", + "runningOperationIds": [] } - } ]; const virtualNetworks = [ 
@@ -41,22 +37,22 @@ const virtualNetworks = [ ] }, "subnets": [ - { - "name": "aadds-subnet", - "id": "/subscriptions/dce7d0ad-ebf6-437f-a3b0-28fc0d22117e/resourceGroups/akhtar-rg/providers/Microsoft.Network/virtualNetworks/aadds-vnet/subnets/aadds-subnet", - "etag": "W/\"9647a968-4864-4a13-a916-5cf7dd6fabff\"", - "properties": { - "provisioningState": "Succeeded", - "addressPrefix": "10.0.6.0/24", - "networkSecurityGroup": { - "id": "/subscriptions/dce7d0ad-ebf6-437f-a3b0-28fc0d22117e/resourceGroups/akhtar-rg/providers/Microsoft.Network/networkSecurityGroups/aadds-nsg" - }, - "delegations": [], - "privateEndpointNetworkPolicies": "Enabled", - "privateLinkServiceNetworkPolicies": "Enabled" - }, - "type": "Microsoft.Network/virtualNetworks/subnets" - } + { + "name": "aadds-subnet", + "id": "/subscriptions/dce7d0ad-ebf6-437f-a3b0-28fc0d22117e/resourceGroups/akhtar-rg/providers/Microsoft.Network/virtualNetworks/aadds-vnet/subnets/aadds-subnet", + "etag": "W/\"9647a968-4864-4a13-a916-5cf7dd6fabff\"", + "properties": { + "provisioningState": "Succeeded", + "addressPrefix": "10.0.6.0/24", + "networkSecurityGroup": { + "id": "/subscriptions/dce7d0ad-ebf6-437f-a3b0-28fc0d22117e/resourceGroups/akhtar-rg/providers/Microsoft.Network/networkSecurityGroups/aadds-nsg" + }, + "delegations": [], + "privateEndpointNetworkPolicies": "Enabled", + "privateLinkServiceNetworkPolicies": "Enabled" + }, + "type": "Microsoft.Network/virtualNetworks/subnets" + } ], "virtualNetworkPeerings": [], "enableDdosProtection": false diff --git a/plugins/azure/postgresqlserver/azureServicesAccessDisabled.js b/plugins/azure/postgresqlserver/azureServicesAccessDisabled.js index 0e89ff03d5..64884c8933 100644 --- a/plugins/azure/postgresqlserver/azureServicesAccessDisabled.js +++ b/plugins/azure/postgresqlserver/azureServicesAccessDisabled.js 
@@ -42,6 +42,12 @@ module.exports = { if (!firewallRules || firewallRules.err || !firewallRules.data) { helpers.addResult(results, 3, 'Unable to query SQL Server Firewall Rules: ' + helpers.addError(firewallRules), location, postgresServer.id); + continue; + } + + if (!firewallRules.data.length) { + helpers.addResult(results, 0, 'No existing SQL Server Firewall Rules found', location, postgresServer.id); + continue; } let accessToServices = true; @@ -49,7 +55,7 @@ module.exports = { if (rule.name && rule.name.toLowerCase() === 'allowallwindowsazureips') { accessToServices = false; break; - } + } } if (accessToServices) { diff --git a/plugins/azure/securitycenter/securityContactAdditionalEmail.js b/plugins/azure/securitycenter/securityContactAdditionalEmail.js index 7ea9caec47..186dbe4683 100644 --- a/plugins/azure/securitycenter/securityContactAdditionalEmail.js +++ b/plugins/azure/securitycenter/securityContactAdditionalEmail.js @@ -17,8 +17,8 @@ module.exports = { const locations = helpers.locations(settings.govcloud); async.each(locations.securityContacts, (location, rcb) => { - - var securityContacts = helpers.addSource(cache, source, + + var securityContacts = helpers.addSource(cache, source, ['securityContactv2', 'listAll', location]); if (!securityContacts) return rcb(); @@ -34,7 +34,7 @@ module.exports = { return rcb(); } - let additionalEmails = securityContacts.data.find(contact => contact.emails && contact.emails.split(';').length > 1); + let additionalEmails = securityContacts.data.find(contact => contact.emails && contact.emails.length); if (additionalEmails){ helpers.addResult(results, 0, 'Additional email address is configured with security contact email', location); diff --git a/plugins/azure/virtualnetworks/virtualNetworkPeering.js b/plugins/azure/virtualnetworks/virtualNetworkPeering.js index 9278d4dcd1..af2e92f993 100644 --- a/plugins/azure/virtualnetworks/virtualNetworkPeering.js +++ b/plugins/azure/virtualnetworks/virtualNetworkPeering.js 
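Review bot: The new no-rules message `'No existing SQL Server Firewall Rules found'` (like the existing 'Unable to query SQL Server Firewall Rules' line above it) names SQL Server inside a PostgreSQL plugin that reports against `postgresServer.id`, so the finding text will mislead in reports; `'No existing PostgreSQL Server Firewall Rules found'` matches the resource being evaluated. Returning status 0 for an empty rule list is consistent with the check's intent, since no rule can then be the Azure-services allow rule, but that reasoning deserves a line such as `// with no firewall rules the AllowAllWindowsAzureIps rule cannot be present`. The enclosing loop starts outside the hunk.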
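Review bot: The rewritten predicate `contact.emails && contact.emails.length` in securityContactAdditionalEmail.js passes as soon as any address is present, whereas the removed `split(';').length > 1` required at least two, so a subscription with a single contact email now receives the 'Additional email address is configured' result. If the v2 `emails` field is understood to hold only the recipients beyond the subscription owners the new condition may be intended, but that is not visible here and should be stated, e.g. `// securityContactv2 'emails' lists the extra recipients, so any non-empty value counts as an additional address`; otherwise restore the earlier semantics with `contact.emails && contact.emails.split(';').filter(Boolean).length > 1`. The enclosing `run` function starts and ends outside the hunk.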
@@ -81,7 +81,7 @@ module.exports = { }); if (unknownSubscriptions.length) { - helpers.addResult(results, 2, `Vitual network has peering with these unknown subscriptions: ${unknownSubscriptions.join(', ')}`, location, virtualNetwork.id); + helpers.addResult(results, 2, `Virtual network has peering with these unknown subscriptions: ${unknownSubscriptions.join(', ')}`, location, virtualNetwork.id); } else { helpers.addResult(results, 0, 'Virtual network is connected with a virtual network in whitelisted subscription', location, virtualNetwork.id); } diff --git a/plugins/azure/virtualnetworks/virtualNetworkPeering.spec.js b/plugins/azure/virtualnetworks/virtualNetworkPeering.spec.js index 719aeb2dd8..4b8611a661 100644 --- a/plugins/azure/virtualnetworks/virtualNetworkPeering.spec.js +++ b/plugins/azure/virtualnetworks/virtualNetworkPeering.spec.js @@ -117,7 +117,7 @@ describe('virtualNetworkPeering', function() { virtualNetworkPeering.run(cache, { enable_virtual_network_peering: 'true' }, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Vitual network has peering with these unknown subscriptions: 123'); + expect(results[0].message).to.include('Virtual network has peering with these unknown subscriptions: 123'); expect(results[0].region).to.equal('eastus'); done(); }); diff --git a/plugins/google/deploymentmanager/deleteExpiredDeployments.js b/plugins/google/deploymentmanager/deleteExpiredDeployments.js index 646409d467..7fedf1e0e4 100644 --- a/plugins/google/deploymentmanager/deleteExpiredDeployments.js +++ b/plugins/google/deploymentmanager/deleteExpiredDeployments.js 
@@ -13,7 +13,7 @@ module.exports = { settings: { deployments_expiration_time: { name: 'Deployments Expiration Time', - description: 'Number of days from creation of depoyment after which it should be considered expired', + description: 'Number of days from creation of deployment after which it should be considered expired', regex: '^.*$', default: false } diff --git a/plugins/google/iam/serviceAccountKeyRotation.js b/plugins/google/iam/serviceAccountKeyRotation.js index d6a952d3d7..eba39da9fa 100644 --- a/plugins/google/iam/serviceAccountKeyRotation.js +++ b/plugins/google/iam/serviceAccountKeyRotation.js @@ -13,7 +13,7 @@ module.exports = { settings: { service_account_keys_rotated_fail: { name: 'Service Account Keys Rotated Fail', - description: 'Return a failing result when service accoun keys exceed this number of days without being rotated', + description: 'Return a failing result when service account keys exceed this number of days without being rotated', regex: '^[1-9]{1}[0-9]{0,3}$', default: '90' } diff --git a/plugins/oracle/networking/lbNoInstances.js b/plugins/oracle/networking/lbNoInstances.js index 1b32c5a8a8..4a5d4580a7 100644 --- a/plugins/oracle/networking/lbNoInstances.js +++ b/plugins/oracle/networking/lbNoInstances.js @@ -40,6 +40,8 @@ module.exports = { async.each(loadBalancers.data, function (lb, cb) { if (lb.backendSets) { + if (!lb.displayName) return cb; + var lbBackend = lb.backendSets['bs_' + lb.displayName]; if (lbBackend && lbBackend.backends && From 038c78e3c659bcf1b9a610a50010671eb063cb87 Mon Sep 17 00:00:00 2001 
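Review bot: In lbNoInstances.js, `if (!lb.displayName) return cb;` returns the callback function without invoking it, so for a load balancer with no `displayName` that `async.each` iteration never completes and the plugin's final callback is never reached; the line should be `if (!lb.displayName) return cb();`. The enclosing iterator function starts outside the hunk, so the other exit paths cannot be confirmed here.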
From: alphadev4 Date: Mon, 20 Nov 2023 16:57:14 +0500 Subject: [PATCH 037/498] syncing with saas --- collectors/azure/collector.js | 3 ++- collectors/google/collector.js | 2 +- helpers/azure/auth.js | 3 ++- helpers/google/regions.js | 2 +- plugins/alibaba/oss/bucketCmkEncrypted.js | 4 +++- plugins/aws/cloudwatchlogs/logRetentionPeriod.js | 4 +++- plugins/aws/ec2/crossVpcPublicPrivate.js | 4 +++- plugins/aws/ec2/ebsSnapshotPrivate.js | 4 +++- plugins/aws/workspaces/workspacesVolumeEncryption.js | 4 +++- plugins/azure/storageaccounts/logContainerPublicAccess.js | 4 +++- plugins/azure/storageaccounts/logStorageEncryption.js | 4 +++- 11 files changed, 27 insertions(+), 11 deletions(-) diff --git a/collectors/azure/collector.js b/collectors/azure/collector.js index ef1c30d0b2..df47479d4f 100644 --- a/collectors/azure/collector.js +++ b/collectors/azure/collector.js @@ -53,6 +53,7 @@ let collect = function(AzureConfig, settings, callback) { var helpers = require(__dirname + '/../../helpers/azure/auth.js'); let services = []; + let skip_locations= settings.skip_regions || []; // Login using the Azure config helpers.login(AzureConfig, function(loginErr, loginData) { @@ -140,7 +141,7 @@ let collect = function(AzureConfig, settings, callback) { function(cb) { function processTopCall(collectionObj, service, subCallObj, subCallCb) { processCall(subCallObj, function(processCallErr, processCallData) { - helpers.addLocations(subCallObj, service, collectionObj, processCallErr, processCallData); + helpers.addLocations(subCallObj, service, collectionObj, processCallErr, processCallData , skip_locations); subCallCb(); }); } diff --git a/collectors/google/collector.js b/collectors/google/collector.js index 5c3019afbf..fcaf33842b 100644 --- a/collectors/google/collector.js +++ b/collectors/google/collector.js 
@@ -197,7 +197,7 @@ var collect = function(GoogleConfig, settings, callback) { }, ], function() { - if (collection && (!collection.projects || !collection.projects.get)) { + if (collection && (!collection.projects || !collection.projects.get || (collection.projects && collection.projects.get && !Object.keys(collection.projects.get).length))) { collection.projects = { ...collection.projects, get: { diff --git a/helpers/azure/auth.js b/helpers/azure/auth.js index ee0593e4b3..21aa2d44e7 100644 --- a/helpers/azure/auth.js +++ b/helpers/azure/auth.js @@ -155,9 +155,10 @@ module.exports = { }); }, - addLocations: function(obj, service, collection, err, data) { + addLocations: function(obj, service, collection, err, data , skip_locations) { if (!service || !locations[service]) return; locations[service].forEach(function(location) { + if (skip_locations.includes(location)) return; collection[location.toLowerCase()] = {}; if (err) { collection[location.toLowerCase()].err = err; diff --git a/helpers/google/regions.js b/helpers/google/regions.js index 9979a98dcf..572a839e9a 100644 --- a/helpers/google/regions.js +++ b/helpers/google/regions.js @@ -113,7 +113,7 @@ module.exports = { 'asia-east1', 'asia-east2', 'asia-northeast1', 'asia-northeast2', 'asia-northeast3', 'australia-southeast1' ], cloudbuild: ['global', 'us-east1', 'us-east4', 'us-west2', 'us-west3', 'us-west4', 'us-central1', 'us-west1', - 'northamerica-northeast1', 'northamerica-northeast2', 'southamerica-east1', 'southamerica-west1', 'europe-west1', 'europe-west2', + 'northamerica-northeast1', 'northamerica-northeast2', 'southamerica-east1', 'southamerica-west1', 'europe-west1', 'europe-west2', 'europe-west3', 'europe-west4', 'europe-west6', 'europe-central2', 'europe-north1', 'asia-south1', 'asia-south2', 'asia-southeast1', 'asia-southeast2', 'asia-east1', 'asia-east2', 'asia-northeast1', 'asia-northeast2', 'asia-northeast3', 'australia-southeast1', 'australia-southeast2' ], 
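Review bot: The extended condition in the Google collector repeats checks that are already implied: once `!collection.projects` and `!collection.projects.get` are both false, the inner `collection.projects && collection.projects.get &&` guards are always true, so the line reduces to `if (collection && (!collection.projects || !collection.projects.get || !Object.keys(collection.projects.get).length)) {`. A short comment on why an empty `get` object is treated like a missing one would help the next reader, e.g. `// an empty projects.get is treated the same as no project lookup at all`. The enclosing callback starts and ends outside the hunk.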
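Review bot: In helpers/azure/auth.js, `skip_locations.includes(location)` has no guard for the new parameter being absent, so any caller of `addLocations` that still passes five arguments (the Azure collector is updated in this series, but other call sites are not visible here) will throw a TypeError on `undefined.includes`; declaring a default, `addLocations: function(obj, service, collection, err, data, skip_locations = []) {`, keeps the old signature working. The comparison is also case-sensitive while the collection keys are built with `location.toLowerCase()`, so a user-supplied `skip_regions` entry in a different case is silently not honoured; comparing lower-cased values on both sides avoids that. The stray space in `data , skip_locations` (and in the collector.js call site) looks like a formatting slip, and `skip_locations` versus `skip_regions` is the same setting under two names.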
diff --git a/plugins/alibaba/oss/bucketCmkEncrypted.js b/plugins/alibaba/oss/bucketCmkEncrypted.js index 460ed8a321..9b322ce2dc 100644 --- a/plugins/alibaba/oss/bucketCmkEncrypted.js +++ b/plugins/alibaba/oss/bucketCmkEncrypted.js @@ -59,7 +59,9 @@ module.exports = { var listKeys = helpers.addSource(cache, source, ['kms', 'ListKeys', region]); - if (!listKeys || listKeys.err || !listKeys.data) { + if (!listKeys) return callback(null, results, source); + + if (listKeys.err || !listKeys.data) { helpers.addResult(results, 3, 'Unable to query KMS keys: ' + helpers.addError(listKeys), region); return callback(null, results, source); } diff --git a/plugins/aws/cloudwatchlogs/logRetentionPeriod.js b/plugins/aws/cloudwatchlogs/logRetentionPeriod.js index 4080943781..dd9ec1d6ca 100644 --- a/plugins/aws/cloudwatchlogs/logRetentionPeriod.js +++ b/plugins/aws/cloudwatchlogs/logRetentionPeriod.js @@ -30,7 +30,9 @@ module.exports = { async.each(regions.cloudwatchlogs, function(region, rcb){ var describeLogGroups = helpers.addSource(cache, source, ['cloudwatchlogs', 'describeLogGroups', region]); - if (!describeLogGroups || describeLogGroups.err || + if (!describeLogGroups) return rcb(); + + if (describeLogGroups.err || !describeLogGroups.data) { helpers.addResult(results, 3, `Unable to query CloudWatch Logs log groups: ${helpers.addError(describeLogGroups)}`, region); return rcb(); diff --git a/plugins/aws/ec2/crossVpcPublicPrivate.js b/plugins/aws/ec2/crossVpcPublicPrivate.js index ca672b7be5..0905d55fe5 100644 --- a/plugins/aws/ec2/crossVpcPublicPrivate.js +++ b/plugins/aws/ec2/crossVpcPublicPrivate.js 
@@ -27,8 +27,10 @@ module.exports = { // for Subnets var describeSubnets = helpers.addSource(cache, source, ['ec2', 'describeSubnets', region]); + if (!describeSubnets) return rcb(); + // error handling - if (!describeSubnets || !describeSubnets.data || describeSubnets.err) { + if (describeSubnets.data || describeSubnets.err) { helpers.addResult(results, 3, 'Unable to query for Subnets: ' + helpers.addError(describeSubnets), region); return rcb(); } diff --git a/plugins/aws/ec2/ebsSnapshotPrivate.js b/plugins/aws/ec2/ebsSnapshotPrivate.js index 5d24417833..b271c325f2 100644 --- a/plugins/aws/ec2/ebsSnapshotPrivate.js +++ b/plugins/aws/ec2/ebsSnapshotPrivate.js @@ -19,7 +19,9 @@ module.exports = { async.each(regions.support, function(region, rcb) { var describeTrustedAdvisorChecks = helpers.addSource(cache, source, ['support', 'describeTrustedAdvisorChecks', region]); - if (!describeTrustedAdvisorChecks || describeTrustedAdvisorChecks.err || !describeTrustedAdvisorChecks.data) { + if (!describeTrustedAdvisorChecks) return rcb(); + + if (describeTrustedAdvisorChecks.err || !describeTrustedAdvisorChecks.data) { var errMsg = helpers.addError(describeTrustedAdvisorChecks); if (errMsg === 'AWS Premium Support Subscription is required to use this service.') { errMsg = 'Please activate AWS Premium Support'; diff --git a/plugins/aws/workspaces/workspacesVolumeEncryption.js b/plugins/aws/workspaces/workspacesVolumeEncryption.js index 7a2b18c0c1..6b042924c7 100644 --- a/plugins/aws/workspaces/workspacesVolumeEncryption.js +++ b/plugins/aws/workspaces/workspacesVolumeEncryption.js @@ -63,7 +63,9 @@ module.exports = { var listKeys = helpers.addSource(cache, source, ['kms', 'listKeys', region]); - if (!listKeys || listKeys.err || !listKeys.data) { + if (!listKeys) return rcb(); + + if ( listKeys.err || !listKeys.data) { helpers.addResult(results, 3, 'Unable to query KMS keys' + helpers.addError(listKeys), region); return rcb(); } 
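Review bot: The rewritten error check in crossVpcPublicPrivate.js, `if (describeSubnets.data || describeSubnets.err)`, dropped the negation on `.data`, so a successful describeSubnets response now lands in the 'Unable to query for Subnets' branch and returns early, while a response with neither `data` nor `err` falls through to code that presumably reads `describeSubnets.data`; the line should be `if (!describeSubnets.data || describeSubnets.err) {`. The parallel hunks in this patch (ebsSnapshotPrivate, workspacesVolumeEncryption, the two storageaccounts files) keep the negation and are fine. The enclosing region callback starts and ends outside the hunk.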
diff --git a/plugins/azure/storageaccounts/logContainerPublicAccess.js b/plugins/azure/storageaccounts/logContainerPublicAccess.js index 7cb2201a04..f58c33bd77 100644 --- a/plugins/azure/storageaccounts/logContainerPublicAccess.js +++ b/plugins/azure/storageaccounts/logContainerPublicAccess.js @@ -26,7 +26,9 @@ module.exports = { var diagnosticSettingsOperations = helpers.addSource(cache, source, ['diagnosticSettingsOperations', 'list', 'global']); - if (!diagnosticSettingsOperations || diagnosticSettingsOperations.err || !diagnosticSettingsOperations.data) { + if (!diagnosticSettingsOperations) return callback(null, results, source); + + if (diagnosticSettingsOperations.err || !diagnosticSettingsOperations.data) { helpers.addResult(results, 3, 'Unable to query for diagnostic settings: ' + helpers.addError(diagnosticSettingsOperations), 'global'); return callback(null, results, source); diff --git a/plugins/azure/storageaccounts/logStorageEncryption.js b/plugins/azure/storageaccounts/logStorageEncryption.js index af76ffb075..59f36ae82e 100644 --- a/plugins/azure/storageaccounts/logStorageEncryption.js +++ b/plugins/azure/storageaccounts/logStorageEncryption.js @@ -24,7 +24,9 @@ module.exports = { var diagnosticSettingsOperations = helpers.addSource(cache, source, ['diagnosticSettingsOperations', 'list', 'global']); - if (!diagnosticSettingsOperations || diagnosticSettingsOperations.err || !diagnosticSettingsOperations.data) { + if (!diagnosticSettingsOperations) return callback(null, results, source); + + if (diagnosticSettingsOperations.err || !diagnosticSettingsOperations.data) { helpers.addResult(results, 3, 'Unable to query for diagnostic settings: ' + helpers.addError(diagnosticSettingsOperations), 'global'); return callback(null, results, source); From 0eb9fcf4d3e31d1225c8b8d636d94148c232eadc Mon Sep 17 00:00:00 2001 
From: --global Date: Wed, 22 Nov 2023 12:19:23 +0500 Subject: [PATCH 038/498] TlsVersionCheck --- exports.js | 1 + .../postgresqlserver/postgresqlTlsVersion.js | 83 +++++++++ .../postgresqlTlsVersion.spec.js | 172 ++++++++++++++++++ 3 files changed, 256 insertions(+) create mode 100644 plugins/azure/postgresqlserver/postgresqlTlsVersion.js create mode 100644 plugins/azure/postgresqlserver/postgresqlTlsVersion.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..9c6053f2c8 100644 --- a/exports.js +++ b/exports.js @@ -816,6 +816,7 @@ module.exports = { 'postgresqlServerHasTags' : require(__dirname + '/plugins/azure/postgresqlserver/postgresqlServerHasTags.js'), 'postgresqlInfraDoubleEncryption': require(__dirname + '/plugins/azure/postgresqlserver/postgresqlInfraDoubleEncryption.js'), 'azureServicesAccessDisabled' : require(__dirname + '/plugins/azure/postgresqlserver/azureServicesAccessDisabled.js'), + 'postgresqlTlsVersion' : require(__dirname + '/plugins/azure/postgresqlserver/postgresqlTlsVersion.js'), 'openOracleAutoDataWarehouse' : require(__dirname + '/plugins/azure/networksecuritygroups/openOracleAutoDataWarehouse.js'), 'networkWatcherEnabled' : require(__dirname + '/plugins/azure/networksecuritygroups/networkWatcherEnabled.js'), diff --git a/plugins/azure/postgresqlserver/postgresqlTlsVersion.js b/plugins/azure/postgresqlserver/postgresqlTlsVersion.js new file mode 100644 index 0000000000..77ca3ce3d7 --- /dev/null +++ b/plugins/azure/postgresqlserver/postgresqlTlsVersion.js 
@@ -0,0 +1,83 @@ +var async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'PostgreSQL Minimum TLS Version', + category: 'PostgreSQL Server', + domain: 'Databases', + description: 'Ensures Microsoft Azure PostgreSQL Servers do not allow outdated TLS certificate versions.', + more_info: 'TLS 1.2 or higher should be used for all TLS connections to Microsoft Azure PostgreSQL server. This setting applies to all databases associated with the server.', + recommended_action: 'Modify SQL server firewall and virtual network settings to set desired minimum TLS version.', + link: 'https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-tls-configurations', + apis: ['servers:listPostgres'], + settings: { + postgresql_server_min_tls_version: { + name: 'PostgreSQL Server Minimum TLS Version', + description: 'Minimum desired TLS version for Microsoft Azure PostgreSQL servers', + regex: '^(1.0|1.1|1.2)$', + default: '1.2' + } + }, + + run: function(cache, settings, callback) { + var results = []; + var source = {}; + var locations = helpers.locations(settings.govcloud); + + var config = { + postgresql_server_min_tls_version: settings.postgresql_server_min_tls_version || this.settings.postgresql_server_min_tls_version.default + }; + + var desiredVersion = parseFloat(config.postgresql_server_min_tls_version); + + async.each(locations.servers, function(location, rcb) { + var servers = helpers.addSource(cache, source, + ['servers', 'listPostgres', location]); + + if (!servers) return rcb(); + + if (servers.err || !servers.data) { + helpers.addResult(results, 3, + 'Unable to query for PostgreSQL servers: ' + helpers.addError(servers), location); + return rcb(); + } + + if (!servers.data.length) { + helpers.addResult(results, 0, 'No PostgreSQL servers found', location); + return rcb(); + } + + servers.data.forEach(function(server) { + if (!server.id) return; + + if (server.minimalTlsVersion) { + if 
(server.minimalTlsVersion === 'TLSEnforcementDisabled') { + helpers.addResult(results, 2, + 'PostgreSQL server allows all TLS versions', + location, server.id); + } else { + var numericTlsVersion = parseFloat(server.minimalTlsVersion.replace('TLS', '').replace('_', '.')); + if (numericTlsVersion >= desiredVersion) { + helpers.addResult(results, 0, + `PostgreSQL server is using TLS version ${server.minimalTlsVersion} which is equal to or higher than desired TLS version ${config.postgresql_server_min_tls_version}`, + location, server.id); + } else { + helpers.addResult(results, 2, + `PostgreSQL server is using TLS version ${server.minimalTlsVersion} which is less than desired TLS version ${config.postgresql_server_min_tls_version}`, + location, server.id); + } + + } + } else { + helpers.addResult(results, 2, + 'PostgreSQL server allows all TLS versions', + location, server.id); + } + }); + + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/postgresqlserver/postgresqlTlsVersion.spec.js b/plugins/azure/postgresqlserver/postgresqlTlsVersion.spec.js new file mode 100644 index 0000000000..27db3616e4 --- /dev/null +++ b/plugins/azure/postgresqlserver/postgresqlTlsVersion.spec.js 
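Review bot: The setting regex `'^(1.0|1.1|1.2)$'` leaves the dots unescaped, so it also accepts inputs such as `1x2`; `'^(1\\.0|1\\.1|1\\.2)$'` (as a JS string) pins it to the three versions. The comparison `parseFloat(server.minimalTlsVersion.replace('TLS', '').replace('_', '.'))` depends on the `TLS1_2` naming convention and yields `NaN` for any other string, which then fails the `>=` test and is reported as 'less than desired' — a fail-closed outcome, but one worth a comment such as `// minimalTlsVersion arrives as TLS1_0/TLS1_1/TLS1_2; an unknown value parses to NaN and fails closed below`. The hunk covers the whole new file.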
@@ -0,0 +1,172 @@ +var expect = require('chai').expect; +var postgresqlTlsVersion = require('./postgresqlTlsVersion'); + +const listPostgres = [ + { + 'sku': { + 'name': 'B_Gen5_1', + 'tier': 'Basic', + 'family': 'Gen5', + 'capacity': 1 + }, + 'location': 'eastus', + 'tags': { "key": "value" }, + 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.DBforPostgreSQL/servers/server1', + 'name': 'server1', + 'type': 'Microsoft.DBforPostgreSQL/servers', + 'administratorLogin': 'Aquaadmin', + 'storageProfile': { + 'storageMB': 5120, + 'backupRetentionDays': 7, + 'geoRedundantBackup': 'Disabled', + 'storageAutogrow': 'Enabled' + }, + 'version': '11', + 'sslEnforcement': 'Enabled', + 'minimalTlsVersion': 'TLS1_0', + 'userVisibleState': 'Ready', + 'fullyQualifiedDomainName': 'server1.postgres.database.azure.com', + 'earliestRestoreDate': '2021-03-10T12:45:13.233+00:00', + 'replicationRole': '', + 'masterServerId': '', + 'byokEnforcement': 'Disabled', + 'privateEndpointConnections': [], + 'infrastructureEncryption': 'Disabled', + 'publicNetworkAccess': 'Enabled' + }, + { + 'sku': { + 'name': 'B_Gen5_1', + 'tier': 'Basic', + 'family': 'Gen5', + 'capacity': 1 + }, + 'location': 'eastus', + 'tags': { "key": "value" }, + 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.DBforPostgreSQL/servers/server1', + 'name': 'server1', + 'type': 'Microsoft.DBforPostgreSQL/servers', + 'administratorLogin': 'Aquaadmin', + 'storageProfile': { + 'storageMB': 5120, + 'backupRetentionDays': 7, + 'geoRedundantBackup': 'Disabled', + 'storageAutogrow': 'Enabled' + }, + 'version': '11', + 'sslEnforcement': 'Enabled', + 'minimalTlsVersion': 'TLS1_2', + 'userVisibleState': 'Ready', + 'fullyQualifiedDomainName': 'server1.postgres.database.azure.com', + 'earliestRestoreDate': '2021-03-10T12:45:13.233+00:00', + 'replicationRole': '', + 'masterServerId': '', + 'byokEnforcement': 'Disabled', + 'privateEndpointConnections': [], + 
'infrastructureEncryption': 'Disabled', + 'publicNetworkAccess': 'Enabled' + }, + { + 'sku': { + 'name': 'B_Gen5_1', + 'tier': 'Basic', + 'family': 'Gen5', + 'capacity': 1 + }, + 'location': 'eastus', + 'tags': {}, + 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.DBforPostgreSQL/servers/server1', + 'name': 'server1', + 'type': 'Microsoft.DBforPostgreSQL/servers', + 'administratorLogin': 'Aquaadmin', + 'storageProfile': { + 'storageMB': 5120, + 'backupRetentionDays': 7, + 'geoRedundantBackup': 'Disabled', + 'storageAutogrow': 'Disabled' + }, + 'version': '11', + 'sslEnforcement': 'Enabled', + 'minimalTlsVersion': 'TLSEnforcementDisabled', + 'userVisibleState': 'Ready', + 'fullyQualifiedDomainName': 'server1.postgres.database.azure.com', + 'earliestRestoreDate': '2021-03-10T12:45:13.233+00:00', + 'replicationRole': '', + 'masterServerId': '', + 'byokEnforcement': 'Disabled', + 'privateEndpointConnections': [], + 'infrastructureEncryption': 'Disabled', + 'publicNetworkAccess': 'Enabled' + } +]; + +const createCache = (listPostgres) => { + return { + servers: { + listPostgres: { + 'eastus': { + data: listPostgres + } + } + } + }; +}; + +describe('postgresqlTlsVersion', function() { + describe('run', function() { + it('should give passing result if no servers', function(done) { + const cache = createCache({}); + postgresqlTlsVersion.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No PostgreSQL servers found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if PostgreSQL Server is using TLS version less than desired TLS version', function(done) { + const cache = createCache([listPostgres[0]]); + postgresqlTlsVersion.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('less 
than desired TLS version'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if PostgreSQL Server is using TLS version equal to or higher than desired TLS version', function(done) { + const cache = createCache([listPostgres[1]]); + postgresqlTlsVersion.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('equal to or higher than desired TLS version'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + it('should give failing result if PostgreSQL Server allows all TLS versions', function(done) { + const cache = createCache([listPostgres[2]]); + postgresqlTlsVersion.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('PostgreSQL server allows all TLS versions'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give UnKnown result if unable to query postgreSQL Server', function(done) { + const cache = createCache(null); + postgresqlTlsVersion.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for PostgreSQL servers: '); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + }) +}) \ No newline at end of file From a4c968a13d58bb4c55a4e3e476f2fc47bcc912fe Mon Sep 17 00:00:00 2001 From: fatima99s Date: Wed, 22 Nov 2023 12:23:33 +0500 Subject: [PATCH 039/498] TlsVersionCheck --- plugins/azure/postgresqlserver/postgresqlTlsVersion.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/postgresqlserver/postgresqlTlsVersion.js b/plugins/azure/postgresqlserver/postgresqlTlsVersion.js index 77ca3ce3d7..c2d0917274 100644 --- a/plugins/azure/postgresqlserver/postgresqlTlsVersion.js 
+++ b/plugins/azure/postgresqlserver/postgresqlTlsVersion.js @@ -7,7 +7,7 @@ module.exports = { domain: 'Databases', description: 'Ensures Microsoft Azure PostgreSQL Servers do not allow outdated TLS certificate versions.', more_info: 'TLS 1.2 or higher should be used for all TLS connections to Microsoft Azure PostgreSQL server. This setting applies to all databases associated with the server.', - recommended_action: 'Modify SQL server firewall and virtual network settings to set desired minimum TLS version.', + recommended_action: 'Modify PostgreSQL server to set desired minimum TLS version.', link: 'https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-tls-configurations', apis: ['servers:listPostgres'], settings: { From 7b9dca7650a5674bc605f375f04037c941d46e34 Mon Sep 17 00:00:00 2001 From: fatima99s Date: Wed, 22 Nov 2023 16:10:21 +0500 Subject: [PATCH 040/498] privateAccessEnabled --- exports.js | 1 + .../postgresqlserver/privateAccessEnabled.js | 50 +++++++ .../privateAccessEnabled.spec.js | 136 ++++++++++++++++++ 3 files changed, 187 insertions(+) create mode 100644 plugins/azure/postgresqlserver/privateAccessEnabled.js create mode 100644 plugins/azure/postgresqlserver/privateAccessEnabled.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..6dcc08a55b 100644 --- a/exports.js +++ b/exports.js 
@@ -815,6 +815,7 @@ module.exports = { 'geoRedundantBackupEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/geoRedundantBackupEnabled.js'), 'postgresqlServerHasTags' : require(__dirname + '/plugins/azure/postgresqlserver/postgresqlServerHasTags.js'), 'postgresqlInfraDoubleEncryption': require(__dirname + '/plugins/azure/postgresqlserver/postgresqlInfraDoubleEncryption.js'), + 'privateAccessEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/privateAccessEnabled.js'), 'azureServicesAccessDisabled' : require(__dirname + '/plugins/azure/postgresqlserver/azureServicesAccessDisabled.js'), 'openOracleAutoDataWarehouse' : require(__dirname + '/plugins/azure/networksecuritygroups/openOracleAutoDataWarehouse.js'), diff --git a/plugins/azure/postgresqlserver/privateAccessEnabled.js b/plugins/azure/postgresqlserver/privateAccessEnabled.js new file mode 100644 index 0000000000..2df3ed15f8 --- /dev/null +++ b/plugins/azure/postgresqlserver/privateAccessEnabled.js 
@@ -0,0 +1,50 @@ +var async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'PostgreSQL Server Private Endpoints Configured', + category: 'PostgreSQL Server', + domain: 'Databases', + description: 'Ensures that PostgreSQL Servers are accessible only through private endpoints', + more_info: 'Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. Private Endpoint uses a private IP address from your VNet, effectively bringing the service such as Azure SQL Server into your VNet.', + recommended_action: 'Ensure that Private Endpoints are configured properly and Public Network Access is disabled for PostgreSQL Server', + link: 'https://learn.microsoft.com/en-us/azure/private-link/private-link-overview', + apis: ['servers:listPostgres'], + + run: function(cache, settings, callback) { + var results = []; + var source = {}; + var locations = helpers.locations(settings.govcloud); + + async.each(locations.servers, function(location, rcb) { + + var servers = helpers.addSource(cache, source, + ['servers', 'listPostgres', location]); + + if (!servers) return rcb(); + + if (servers.err || !servers.data) { + helpers.addResult(results, 3, + 'Unable to query for PostgreSQL servers: ' + helpers.addError(servers), location); + return rcb(); + } + + if (!servers.data.length) { + helpers.addResult(results, 0, 'No PostgreSQL servers found', location); + return rcb(); + } + + for (const server of servers.data) { + if (server.privateEndpointConnections && server.privateEndpointConnections.length) { + helpers.addResult(results, 0, 'Private Endpoints are configured for the PostgreSQL Server', location, server.id); + } else { + helpers.addResult(results, 2, 'Private Endpoints are not configured for the PostgreSQL Server', location, server.id); + } + } + + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; 
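Review bot: The pass verdict inside `for (const server of servers.data)` rests only on `privateEndpointConnections.length`, while the description and recommended_action promise that the server is reachable only through private endpoints and that public network access is disabled; a server with an endpoint connection and `publicNetworkAccess: 'Enabled'` (the second fixture in the spec) passes. Either narrow description/recommended_action to what is actually checked, or also evaluate `publicNetworkAccess` as below and adjust the spec fixture and expectation. Counting `length` alone also treats pending or rejected connections as configured, so gating on the connection state may be worth considering if the API response carries it — I cannot confirm the shape from this file.
```javascript
for (const server of servers.data) {
    const hasPrivateEndpoints = !!(server.privateEndpointConnections && server.privateEndpointConnections.length);
    const publicAccessEnabled = typeof server.publicNetworkAccess === 'string' &&
        server.publicNetworkAccess.toLowerCase() === 'enabled';

    if (hasPrivateEndpoints && !publicAccessEnabled) {
        helpers.addResult(results, 0, 'Private Endpoints are configured for the PostgreSQL Server', location, server.id);
    } else if (hasPrivateEndpoints) {
        helpers.addResult(results, 2, 'Private Endpoints are configured but public network access is enabled for the PostgreSQL Server', location, server.id);
    } else {
        helpers.addResult(results, 2, 'Private Endpoints are not configured for the PostgreSQL Server', location, server.id);
    }
}
// … unchanged: rcb() and final callback …
```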
diff --git a/plugins/azure/postgresqlserver/privateAccessEnabled.spec.js b/plugins/azure/postgresqlserver/privateAccessEnabled.spec.js new file mode 100644 index 0000000000..e980f0bb78 --- /dev/null +++ b/plugins/azure/postgresqlserver/privateAccessEnabled.spec.js 
@@ -0,0 +1,136 @@ +var expect = require('chai').expect; +var privateAccessEnabled = require('./privateAccessEnabled'); + +const listPostgres = [ + { + 'sku': { + 'name': 'B_Gen5_1', + 'tier': 'Basic', + 'family': 'Gen5', + 'capacity': 1 + }, + 'location': 'eastus', + 'tags': { "key": "value" }, + 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.DBforPostgreSQL/servers/server1', + 'name': 'server1', + 'type': 'Microsoft.DBforPostgreSQL/servers', + 'administratorLogin': 'Aquaadmin', + 'storageProfile': { + 'storageMB': 5120, + 'backupRetentionDays': 7, + 'geoRedundantBackup': 'Disabled', + 'storageAutogrow': 'Enabled' + }, + 'version': '11', + 'sslEnforcement': 'Enabled', + 'minimalTlsVersion': 'TLS1_0', + 'userVisibleState': 'Ready', + 'fullyQualifiedDomainName': 'server1.postgres.database.azure.com', + 'earliestRestoreDate': '2021-03-10T12:45:13.233+00:00', + 'replicationRole': '', + 'masterServerId': '', + 'byokEnforcement': 'Disabled', + 'privateEndpointConnections': [], + 'infrastructureEncryption': 'Disabled', + 'publicNetworkAccess': 'Enabled' + }, + { + 'sku': { + 'name': 'B_Gen5_1', + 'tier': 'Basic', + 'family': 'Gen5', + 'capacity': 1 + }, + 'location': 'eastus', + 'tags': { "key": "value" }, + 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.DBforPostgreSQL/servers/server1', + 'name': 'server1', + 'type': 'Microsoft.DBforPostgreSQL/servers', + 'administratorLogin': 'Aquaadmin', + 'storageProfile': { + 'storageMB': 5120, + 'backupRetentionDays': 7, + 'geoRedundantBackup': 'Disabled', + 'storageAutogrow': 'Enabled' + }, + 'version': '11', + 'sslEnforcement': 'Enabled', + 'minimalTlsVersion': 'TLS1_2', + 'userVisibleState': 'Ready', + 'fullyQualifiedDomainName': 'server1.postgres.database.azure.com', + 'earliestRestoreDate': '2021-03-10T12:45:13.233+00:00', + 'replicationRole': '', + 'masterServerId': '', + 'byokEnforcement': 'Disabled', + 'privateEndpointConnections': [ + { + 'id': 
'/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Sql/servers/test-server/privateEndpointConnections/test-endpoint', + 'provisioningState': 'Ready' + } + ], + 'infrastructureEncryption': 'Disabled', + 'publicNetworkAccess': 'Enabled' + } + +]; + +const createCache = (listPostgres) => { + return { + servers: { + listPostgres: { + 'eastus': { + data: listPostgres + } + } + } + }; +}; + +describe('privateAccessEnabled', function() { + describe('run', function() { + it('should give passing result if no servers', function(done) { + const cache = createCache({}); + privateAccessEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No PostgreSQL servers found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if private endpoints are not configured', function(done) { + const cache = createCache([listPostgres[0]]); + privateAccessEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Private Endpoints are not configured for the PostgreSQL Server'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give should give passing result if private endpoints are configured', function(done) { + const cache = createCache([listPostgres[1]]); + privateAccessEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Private Endpoints are configured for the PostgreSQL Server'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give UnKnown result if unable to query postgreSQL Server', function(done) { + const cache = createCache(null); + privateAccessEnabled.run(cache, {}, (err, results) => { + 
expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for PostgreSQL servers: '); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + }) +}) \ No newline at end of file From 478d55382361e8e073a48c242a7fa98a8f88203a Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Wed, 22 Nov 2023 18:00:57 +0500 Subject: [PATCH 041/498] SAAS-20313/AFD-Bot-Protection --- exports.js | 4 +- helpers/azure/api.js | 11 +- helpers/azure/locations.js | 3 +- .../azure/frontdoor/botProtectionEnabled.js | 62 ++++++++ .../frontdoor/botProtectionEnabled.spec.js | 142 ++++++++++++++++++ 5 files changed, 218 insertions(+), 4 deletions(-) create mode 100644 plugins/azure/frontdoor/botProtectionEnabled.js create mode 100644 plugins/azure/frontdoor/botProtectionEnabled.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..3ed6f22a67 100644 --- a/exports.js +++ b/exports.js @@ -989,7 +989,9 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + 'botProtectionEnabled' : require(__dirname + '/plugins/azure/frontdoor/botProtectionEnabled.js'), + }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 0c44596e9d..68262a6027 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js 
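Review bot: The spec never treats "private endpoint present but `publicNetworkAccess: 'Enabled'`" as its own case, even though that is exactly what the second fixture is — it is asserted as a pass, so the test pins the gap between the plugin's description and its check instead of guarding against it. The third test title repeats its opening words (`'should give should give passing result …'`), and the private endpoint connection id in the second fixture points at a `Microsoft.Sql/servers` resource rather than a PostgreSQL server; neither affects the assertions, but both read as copy-paste residue worth tidying.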
@@ -478,7 +478,14 @@ var calls = {
 url: 'https://graph.microsoft.com/v1.0/servicePrincipals',
 graph: true
 }
- }
+ },
+ afdWafPolicies: {
+ listAll: {
+ url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Network/frontdoorWebApplicationFirewallPolicies?api-version=2022-05-01'
+
+ }
+ },
+
 };
 var postcalls = {
@@ -910,7 +917,7 @@ var postcalls = {
 properties: ['id'],
 url: 'https://management.azure.com/{id}/configurations?api-version=2017-12-01'
 }
- }
+ },
 };
 var tertiarycalls = {
diff --git a/helpers/azure/locations.js b/helpers/azure/locations.js
index 46dd902f36..66e329d340 100644
--- a/helpers/azure/locations.js
+++ b/helpers/azure/locations.js
@@ -118,5 +118,6 @@ module.exports = {
 bastionHosts: locations,
 applications: ['global'],
 eventGrid: locations,
- eventHub: locations
+ eventHub: locations,
+ afdWafPolicies: ['global']
 };
diff --git a/plugins/azure/frontdoor/botProtectionEnabled.js b/plugins/azure/frontdoor/botProtectionEnabled.js
new file mode 100644
index 0000000000..9a7311cbcc
--- /dev/null
+++ b/plugins/azure/frontdoor/botProtectionEnabled.js
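Review bot: The new `afdWafPolicies.listAll` entry has an empty added line between its `url` and the closing brace, and the `calls` object now ends with `+ },` plus another empty added line, which none of the neighbouring entries do; dropping the blank lines and the trailing comma keeps the object consistent with the rest of the file. The second hunk in this file turns the last `postcalls` entry's `}` into `},` for no functional reason, and the very next commit ("extra space") reverts it — leaving that hunk out of this commit would avoid the churn.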
@@ -0,0 +1,62 @@ +const async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Front Door WAF Bot Protection', + category: 'Front Door', + domain: 'Content Delivery', + description: 'Ensure that Bot Protection for Azure Front Door WAF policy is enabled.', + more_info: 'Azure Web Application Firewall (WAF) for Front Door provides bot rules to protect from bad bots and to block or log requests from known malicious IP addresses.', + recommended_action: 'Ensure that WAF policy has Bot Protection rule set enabled.', + link: 'https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-policy-configure-bot-protection?pivots=portal', + apis: ['afdWafPolicies:listAll'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.afdWafPolicies, (location, rcb) => { + + var afdWafPolicies = helpers.addSource(cache, source, + ['afdWafPolicies', 'listAll', location]); + + if (!afdWafPolicies) return rcb(); + + if (afdWafPolicies.err || !afdWafPolicies.data) { + helpers.addResult(results, 3, 'Unable to query for Front Door WAF policies: ' + helpers.addError(afdWafPolicies), location); + return rcb(); + } + if (!afdWafPolicies.data.length) { + helpers.addResult(results, 0, 'No existing Front Door WAF policies found', location); + return rcb(); + } + + var frontDoorWafPolicies = false; + + for (let policy of afdWafPolicies.data) { + if (!policy.id || !policy.sku || policy.sku.name.toLowerCase() != 'premium_azurefrontdoor') continue; + + frontDoorWafPolicies = true; + + var found = policy.managedRules && + policy.managedRules.managedRuleSets ? 
+ policy.managedRules.managedRuleSets.find(ruleset => ruleset.ruleSetType.toLowerCase() == 'microsoft_botmanagerruleset') : false; + + if (found) { + helpers.addResult(results, 0, 'Front Door profile WAF policy has bot protection enabled', location, policy.id); + } else { + helpers.addResult(results, 2, 'Front Door profile WAF policy does not have bot protection enabled', location, policy.id); + } + } + + if (!frontDoorWafPolicies) { + helpers.addResult(results, 0, 'No existing Front Door WAF policies found', location); + } + + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; diff --git a/plugins/azure/frontdoor/botProtectionEnabled.spec.js b/plugins/azure/frontdoor/botProtectionEnabled.spec.js new file mode 100644 index 0000000000..8872bfbc5d --- /dev/null +++ b/plugins/azure/frontdoor/botProtectionEnabled.spec.js 
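Review bot: The fallback after the loop reports `'No existing Front Door WAF policies found'` when the list contained only Classic-SKU policies (the spec pins this as a pass), but those policies exist and were deliberately skipped, so the message misstates the situation; `helpers.addResult(results, 0, 'No existing Front Door Premium WAF policies found', location);` says what actually happened. The guard checks `policy.sku` and then dereferences `policy.sku.name.toLowerCase()`, and the `find` callback dereferences `ruleset.ruleSetType.toLowerCase()`, so a policy or rule set missing either field throws inside `async.each`; `if (!policy.id || !policy.sku || !policy.sku.name || policy.sku.name.toLowerCase() !== 'premium_azurefrontdoor') continue;` and `ruleset.ruleSetType && ruleset.ruleSetType.toLowerCase() === 'microsoft_botmanagerruleset'` cover that and move the comparisons to strict equality. Presence of the `Microsoft_BotManagerRuleSet` entry is taken as "bot protection enabled" without looking at the policy's own enabled state, so if the collector surfaces `policySettings.enabledState` a disabled policy would still pass here — worth confirming against the API response.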
@@ -0,0 +1,142 @@ +var expect = require('chai').expect; +var botProtectionEnabled = require('./botProtectionEnabled.js'); + +const afdWafPolicies = [ + { + "id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2", + "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies", + "name": "testpolicy2", + "sku": { + "name": "Premium_AzureFrontDoor" + }, + "managedRules": { + "managedRuleSets": [ + { + "ruleSetType": "DefaultRuleSet", + "ruleSetVersion": "preview-0.1", + "ruleSetAction": null, + "ruleGroupOverrides": [], + "exclusions": [] + }, + { + "ruleSetType": "Microsoft_BotManagerRuleSet", + "ruleSetVersion": "1.0", + "ruleSetAction": null, + "ruleGroupOverrides": [], + "exclusions": [] + } + ] + } + }, + { + "id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2", + "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies", + "name": "testpolicy1", + "sku": { + "name": "Premium_AzureFrontDoor" + }, + "managedRules": { + "managedRuleSets": [ + { + "ruleSetType": "DefaultRuleSet", + "ruleSetVersion": "preview-0.1", + "ruleSetAction": null, + "ruleGroupOverrides": [], + "exclusions": [] + }, + ] + } + }, + { + "id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2", + "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies", + "name": "testpolicy1", + "sku": { + "name": "Classic_AzureFrontDoor" + }, + "managedRules": { + "managedRuleSets": [ + { + "ruleSetType": "DefaultRuleSet", + "ruleSetVersion": "preview-0.1", + "ruleSetAction": null, + "ruleGroupOverrides": [], + "exclusions": [] + }, + ] + } + }, +]; + +const createCache = (afdWafPolicies) => { + return { + afdWafPolicies: { + listAll: { + 'global': { + data: afdWafPolicies + } + } + } + }; +}; + +const createErrorCache = () => { + return { 
+ afdWafPolicies: { + listAll: { + 'global': { + data:{} + } + } + } + }; +}; +describe('botProtectionEnabled', function () { + describe('run', function () { + + it('should give pass result if bot protection is enabled for front door waf policy', function (done) { + const cache = createCache([afdWafPolicies[0]]); + botProtectionEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Front Door profile WAF policy has bot protection enabled'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + it('should give pass result if no existing front door premium waf policy found', function (done) { + const cache = createCache([afdWafPolicies[2]]); + botProtectionEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Front Door WAF policies found'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + it('should give fail result if bot protection is not enabled for front door waf policy', function (done) { + const cache = createCache([afdWafPolicies[1]]); + botProtectionEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Front Door profile WAF policy does not have bot protection enabled'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + it('should give pass result if no existing front door waf policy found', function (done) { + const cache = createErrorCache(); + botProtectionEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Front Door WAF policies found'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + }); +}); \ No newline 
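Review bot: `createErrorCache` does not build an error cache — it returns `data: {}`, which the plugin treats as an empty list — so the status-3 branch (`afdWafPolicies.err` or missing `data`) is never exercised; a cache with `'global': {}` or `'global': { err: 'constructed error' }` would cover it, and the helper and the test title ("no existing front door waf policy found") should describe what they really test. All three fixtures share the id ending in `/testpolicy2` while two of them are named `testpolicy1`; harmless for these assertions, but distinct ids make a failing assertion easier to read.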
at end of file From 18a7cbe4439e9a7ff81e33b095067e57ca16e29f Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Wed, 22 Nov 2023 18:02:39 +0500 Subject: [PATCH 042/498] extra space --- helpers/azure/api.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 68262a6027..f23fc6d112 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -917,7 +917,7 @@ var postcalls = { properties: ['id'], url: 'https://management.azure.com/{id}/configurations?api-version=2017-12-01' } - }, + } }; var tertiarycalls = { From 70af9085941f79dc673a2389bdcc4dcb9a4579c3 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Wed, 22 Nov 2023 18:25:19 +0500 Subject: [PATCH 043/498] SAAS-20313/Front-Door-https-only --- exports.js | 4 +- helpers/azure/api.js | 5 + helpers/azure/locations.js | 3 +- plugins/azure/frontdoor/frontDoorHttpsOnly.js | 66 +++++++++ .../frontdoor/frontDoorHttpsOnly.spec.js | 128 ++++++++++++++++++ 5 files changed, 204 insertions(+), 2 deletions(-) create mode 100644 plugins/azure/frontdoor/frontDoorHttpsOnly.js create mode 100644 plugins/azure/frontdoor/frontDoorHttpsOnly.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..cfe6becd0c 100644 --- a/exports.js +++ b/exports.js @@ -989,7 +989,9 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + 'frontDootHttpsOnly' : require(__dirname + '/plugins/azure/frontdoor/frontDootHttpsOnly.js'), + }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), 
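Review bot: The added export requires `/plugins/azure/frontdoor/frontDootHttpsOnly.js`, but the file this commit creates is `frontDoorHttpsOnly.js`, so `require` throws while exports.js is loaded and takes every registered plugin down with it; the key is misspelled the same way. The line should read `'frontDoorHttpsOnly' : require(__dirname + '/plugins/azure/frontdoor/frontDoorHttpsOnly.js'),`. The follow-up "Update exports.js" commit below corrects only the path and keeps the `frontDootHttpsOnly` key, so the same remark applies to that hunk. The empty added line before `},` can also go.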
diff --git a/helpers/azure/api.js b/helpers/azure/api.js
index 0c44596e9d..7b742773f6 100644
--- a/helpers/azure/api.js
+++ b/helpers/azure/api.js
@@ -478,6 +478,11 @@ var calls = {
 url: 'https://graph.microsoft.com/v1.0/servicePrincipals',
 graph: true
 }
+ },
+ classicFrontDoors: {
+ list: {
+ url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Network/frontDoors?api-version=2019-05-01'
+ }
 }
 };
diff --git a/helpers/azure/locations.js b/helpers/azure/locations.js
index 46dd902f36..88c33057dc 100644
--- a/helpers/azure/locations.js
+++ b/helpers/azure/locations.js
@@ -118,5 +118,6 @@ module.exports = {
 bastionHosts: locations,
 applications: ['global'],
 eventGrid: locations,
- eventHub: locations
+ eventHub: locations,
+ classicFrontDoors: ['global'],
 };
diff --git a/plugins/azure/frontdoor/frontDoorHttpsOnly.js b/plugins/azure/frontdoor/frontDoorHttpsOnly.js
new file mode 100644
index 0000000000..6afb1e5d7b
--- /dev/null
+++ b/plugins/azure/frontdoor/frontDoorHttpsOnly.js
@@ -0,0 +1,66 @@ +const async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Front Door HTTPS only', + category: 'Front Door', + domain: 'Content Delivery', + description: 'Ensures HTTPS Only is enabled for Front Door Classic profile, redirecting all HTTP traffic to HTTPS.', + more_info: 'By using the HTTPS only protocol, you ensure that your sensitive data is delivered securely via TLS/SSL encryption.', + recommended_action: 'Ensure that Front Door (classic) under the frontend hosts section has HTTP to HTTPS redirect rule.', + link: 'https://learn.microsoft.com/en-us/azure/frontdoor/front-door-how-to-redirect-https', + apis: ['classicFrontDoors:list'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + async.each(locations.classicFrontDoors, (location, rcb) => { + const classicFrontDoors = + helpers.addSource(cache, source, + ['classicFrontDoors', 'list', location]); + + if (!classicFrontDoors) return rcb(); + + if (classicFrontDoors.err || !classicFrontDoors.data) { + helpers.addResult(results, 3, + 'Unable to query Front Door profiles: ' + helpers.addError(classicFrontDoors), location); + return rcb(); + } + + if (!classicFrontDoors.data.length) { + helpers.addResult(results, 0, 'No existing Classic Front Door profiles found', location); + return rcb(); + } + + classicFrontDoors.data.forEach(function(frontDoor) { + if (!frontDoor.id || !frontDoor.routingRules) return; + + var ruleFound = false; + for (var rule of frontDoor.routingRules) { + var ruleProperties = rule.properties? 
rule.properties : {}; + if (ruleProperties.acceptedProtocols && ruleProperties.acceptedProtocols[0].toLowerCase() =='http') { + if (ruleProperties.routeConfiguration && + ruleProperties.routeConfiguration.redirectType && + ruleProperties.routeConfiguration.redirectProtocol && + ruleProperties.routeConfiguration.redirectType.toLowerCase() == 'moved' && + ruleProperties.routeConfiguration.redirectProtocol.toLowerCase() == 'httpsonly') { + ruleFound = true; + break; + } + } + } + + if (ruleFound) { + helpers.addResult(results, 0, 'Classic Front Door profile is configured to use HTTPS only', location, frontDoor.id); + } else { + helpers.addResult(results, 2, 'Classic Front Door profile is not configured to use HTTPS only', location, frontDoor.id); + } + + }); + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/frontdoor/frontDoorHttpsOnly.spec.js b/plugins/azure/frontdoor/frontDoorHttpsOnly.spec.js new file mode 100644 index 0000000000..3ecf66460e --- /dev/null +++ b/plugins/azure/frontdoor/frontDoorHttpsOnly.spec.js 
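Review bot: The rule test reads only `acceptedProtocols[0]`, so a rule listing `['Https', 'Http']` is never recognised as an HTTP listener and an empty `acceptedProtocols` array throws on `.toLowerCase()` inside `async.each`; it also requires `redirectType` to be `Moved`, although `Found`, `TemporaryRedirect` and `PermanentRedirect` all redirect to HTTPS as well — the property that enforces HTTPS is `redirectProtocol === 'HttpsOnly'`, so a profile using a 302 redirect is wrongly failed. A profile without `routingRules` is skipped by the early `return` and gets no result at all, which silently hides it from the report. The loop below addresses these; the spec fixtures (Http/Moved/HttpsOnly passes, Https/Found/HttpOnly fails) keep their current outcomes.
```javascript
classicFrontDoors.data.forEach(function(frontDoor) {
    if (!frontDoor.id) return;

    const rules = Array.isArray(frontDoor.routingRules) ? frontDoor.routingRules : [];
    const ruleFound = rules.some(function(rule) {
        const ruleProperties = rule.properties ? rule.properties : {};
        const acceptedProtocols = Array.isArray(ruleProperties.acceptedProtocols) ? ruleProperties.acceptedProtocols : [];
        const acceptsHttp = acceptedProtocols.some(p => String(p).toLowerCase() === 'http');
        const redirect = ruleProperties.routeConfiguration || {};
        // Any redirect type is acceptable; what matters is that HTTP listeners are sent to HTTPS.
        return acceptsHttp && typeof redirect.redirectProtocol === 'string' &&
            redirect.redirectProtocol.toLowerCase() === 'httpsonly';
    });
    // … unchanged: pass/fail addResult on ruleFound …
});
```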
@@ -0,0 +1,128 @@ +var expect = require('chai').expect; +var frontDoorHttpsOnly = require('./frontDoorHttpsOnly.js'); + +const classicFrontDoors = [ + { + id: '/subscriptions/1234567890/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoors/aquatest', + type: 'Microsoft.Network/frontdoors', + name: 'aquatest', + location: 'Global', + tags: {}, + routingRules: [ + { + "id": "/subscriptions/1234567890/resourcegroups/meerab-rg/providers/Microsoft.Network/Frontdoors/aquatest/RoutingRules/test-instance", + "name": "test-instance", + "type": "Microsoft.Network/Frontdoors/RoutingRules", + "properties": { + "routeConfiguration": { + "redirectType": "Moved", + "redirectProtocol": "HttpsOnly", + }, + "resourceState": "Enabled", + "acceptedProtocols": [ + "Http" + ] + } + }, + { + "id": "/subscriptions/1234567890/resourcegroups/meerab-rg/providers/Microsoft.Network/Frontdoors/aquatest/RoutingRules/rule2", + "name": "rule2", + "type": "Microsoft.Network/Frontdoors/RoutingRules", + "properties": { + "routeConfiguration": { + "redirectType": "Found", + "redirectProtocol": "HttpOnly", + }, + "acceptedProtocols": [ + "Https" + ], + } + } + ] + }, + { + id: '/subscriptions/1234567890/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoors/aquatest', + type: 'Microsoft.Network/frontdoors', + name: 'aquatest', + location: 'Global', + tags: {}, + routingRules: [ + { + "id": "/subscriptions/1234567890/resourcegroups/meerab-rg/providers/Microsoft.Network/Frontdoors/aquatest/RoutingRules/rule2", + "name": "rule2", + "type": "Microsoft.Network/Frontdoors/RoutingRules", + "properties": { + "routeConfiguration": { + "redirectType": "Found", + "redirectProtocol": "HttpOnly", + }, + "acceptedProtocols": [ + "Https" + ], + } + } + ] + } +]; + +const createCache = (classicFrontDoors) => { + return { + classicFrontDoors: { + list: { + 'global': { + data: classicFrontDoors + } + } + } + }; +}; + +const createErrorCache = () => { + return { + classicFrontDoors: { + list: { + 
'global': { + data:{} + } + } + } + }; +}; +describe('frontDoorHttpsOnly', function () { + describe('run', function () { + + it('should give pass result if no classic Front Door profiles found', function (done) { + const cache = createErrorCache(); + frontDoorHttpsOnly.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Azure Classic Front Door profiles found'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + it('should give pass result if classic Front Door profile is configured to use Https only', function (done) { + const cache = createCache([classicFrontDoors[0]]); + frontDoorHttpsOnly.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Classic Front Door profile is configured to use HTTPS only'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + it('should give fail result if classic Front Door profile is not configured to use Https only', function (done) { + const cache = createCache([classicFrontDoors[1]]); + frontDoorHttpsOnly.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Classic Front Door profile is not configured to use HTTPS only'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + }); +}); \ No newline at end of file From 884a5cc6239b293127b99dacbbf459f767377225 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Wed, 22 Nov 2023 18:29:14 +0500 Subject: [PATCH 044/498] Update exports.js --- exports.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exports.js b/exports.js index cfe6becd0c..557f0fd7d9 100644 --- a/exports.js +++ b/exports.js 
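Review bot: The first test expects the message `'No existing Azure Classic Front Door profiles found'`, but the plugin emits `'No existing Classic Front Door profiles found'` (no "Azure"), so this test fails as committed; align one side, e.g. `expect(results[0].message).to.include('No existing Classic Front Door profiles found');`. As in the other new specs, `createErrorCache` returns `data: {}` rather than an error, so the status-3 branch is never exercised. There is also no fixture for a profile whose rules all accept only `Https`, nor for a profile without `routingRules`, which the plugin currently drops without emitting any result.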
@@ -990,7 +990,7 @@ module.exports = { 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), - 'frontDootHttpsOnly' : require(__dirname + '/plugins/azure/frontdoor/frontDootHttpsOnly.js'), + 'frontDootHttpsOnly' : require(__dirname + '/plugins/azure/frontdoor/frontDoorHttpsOnly.js'), }, github: { From fcf7a2e80185542b6808b08b1f71111893d3e478 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Wed, 22 Nov 2023 18:43:29 +0500 Subject: [PATCH 045/498] SAAS-20313/Front-Door-Waf-Enabled --- exports.js | 4 +- helpers/azure/api.js | 8 + .../azure/frontdoor/frontDoorWafEnabled.js | 61 +++++ .../frontdoor/frontDoorWafEnabled.spec.js | 218 ++++++++++++++++++ 4 files changed, 290 insertions(+), 1 deletion(-) create mode 100644 plugins/azure/frontdoor/frontDoorWafEnabled.js create mode 100644 plugins/azure/frontdoor/frontDoorWafEnabled.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..c3964ae804 100644 --- a/exports.js +++ b/exports.js @@ -989,7 +989,9 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + 'frontDoorWafEnabled' : require(__dirname + '/plugins/azure/frontdoor/frontDoorWafEnabled.js'), + }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 0c44596e9d..fe962aabf7 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js 
@@ -910,6 +910,14 @@ var postcalls = {
 properties: ['id'],
 url: 'https://management.azure.com/{id}/configurations?api-version=2017-12-01'
 }
+ },
+ afdSecurityPolicies: {
+ listByProfile: {
+ reliesOnPath: 'profiles.listPostgres',
+ properties: ['id'],
+ url: 'https://management.azure.com/subscriptions/{id}/securityPolicies?api-version=2023-05-01'
+
+ }
 }
 };
diff --git a/plugins/azure/frontdoor/frontDoorWafEnabled.js b/plugins/azure/frontdoor/frontDoorWafEnabled.js
new file mode 100644
index 0000000000..570b1401d9
--- /dev/null
+++ b/plugins/azure/frontdoor/frontDoorWafEnabled.js
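Review bot: `afdSecurityPolicies.listByProfile` relies on `profiles.listPostgres`, which is not a call this file or the new plugin declares — frontDoorWafEnabled reads `profiles:list` — so the dependent call would never be populated and the plugin would always report status 3; it should be `reliesOnPath: 'profiles.list',`. The `url` also prefixes `{id}` with `subscriptions/`, but every other `{id}`-based entry in this section (the `configurations` url just above, for instance) substitutes the full resource id, which already starts with `/subscriptions/…`; use `url: 'https://management.azure.com/{id}/securityPolicies?api-version=2023-05-01'`. The empty added line inside the object can go as well.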
@@ -0,0 +1,61 @@ +const async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Front Door Waf Enabled', + category: 'Front Door', + domain: 'Content Delivery', + description: 'Ensure that WAF is enabled for Azure Front Door premium profile.', + more_info: 'WAF actively inspects incoming requests to the front door and blocks requests that are determined to be malicious based on a set of rules.', + recommended_action: 'Ensure that Azure Front Door premium profile has WAF policy attached in security policies section.', + link: 'https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-policy-settings', + apis: ['profiles:list', 'afdSecurityPolicies:listByProfile',], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + async.each(locations.profiles, (location, rcb) => { + + var profiles = helpers.addSource(cache, source, + ['profiles', 'list', location]); + + if (!profiles) return rcb(); + + if (profiles.err || !profiles.data) { + helpers.addResult(results, 3, 'Unable to query Front Door profiles: ' + helpers.addError(profiles), location); + return rcb(); + } + if (!profiles.data.length) { + helpers.addResult(results, 0, 'No existing Front Door profiles found', location); + return rcb(); + } + + var frontDoorPremium = false; + + profiles.data.forEach(function(profile) { + if (!profile.id || !profile.sku || profile.sku.name.toLowerCase() != 'premium_azurefrontdoor') return; + + frontDoorPremium = true; + const afdSecurityPolicies = helpers.addSource(cache, source, + ['afdSecurityPolicies', 'listByProfile', location, profile.id]); + if (!afdSecurityPolicies || afdSecurityPolicies.err || !afdSecurityPolicies.data) { + helpers.addResult(results, 3, 'Unable to query Front Door security policies : ' + helpers.addError(afdSecurityPolicies), location, profile.id); + } else { + if 
(!afdSecurityPolicies.data.length) { + helpers.addResult(results, 2, 'Front Door profile does not have WAF enabled', location, profile.id); + } else { + helpers.addResult(results, 0, 'Front Door profile has WAF enabled', location, profile.id); + } + } + }); + + if (!frontDoorPremium) { + helpers.addResult(results, 0, 'No existing Front Door profiles found', location); + } + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; diff --git a/plugins/azure/frontdoor/frontDoorWafEnabled.spec.js b/plugins/azure/frontdoor/frontDoorWafEnabled.spec.js new file mode 100644 index 0000000000..ee712e0d25 --- /dev/null +++ b/plugins/azure/frontdoor/frontDoorWafEnabled.spec.js 
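Review bot: A profile passes as soon as `afdSecurityPolicies.data.length` is non-zero, without checking that any of the returned security policies actually attaches a WAF policy; the spec fixture shows the relevant shape (`parameters.type === 'WebApplicationFirewall'` with `parameters.wafPolicy.id`), so `const wafAttached = afdSecurityPolicies.data.some(p => p.parameters && p.parameters.type === 'WebApplicationFirewall' && p.parameters.wafPolicy && p.parameters.wafPolicy.id);` and branching on `wafAttached` would make the verdict match the title. The guard tests `profile.sku` and then dereferences `profile.sku.name.toLowerCase()`, so a profile with a `sku` but no `name` throws inside `async.each`, and the post-loop message `'No existing Front Door profiles found'` is emitted when only Standard-SKU profiles exist, which misstates the situation — `'No existing Front Door Premium profiles found'` is accurate. Minor style: the `apis` array carries a trailing comma after its last element and `!=` should be `!==`.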
@@ -0,0 +1,218 @@ +var expect = require('chai').expect; +var frontDoorWafEnabled = require('./frontDoorWafEnabled.js'); + +const profiles = [ + { + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/cloudsploit-dev/providers/Microsoft.Cdn/profiles/omer-cdn-profile-test", + "type": "Microsoft.Cdn/profiles", + "name": "omer-cdn-profile-test", + "location": "Global", + "kind": "frontdoor", + "tags": {}, + "sku": { + "name": "Standard_AzureFrontDoor" + }, + "frontDoorId": "cd0e521b-8975-411d-b009-7db9de8f16a3", + "resourceState": "Active", + "provisioningState": "Succeeded" + }, + { + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/Microsoft.Cdn/profiles/mehak-fd", + "type": "Microsoft.Cdn/profiles", + "name": "mehak-fd", + "location": "Global", + "kind": "frontdoor", + "tags": {}, + "sku": { + "name": "Premium_AzureFrontDoor" + }, + "frontDoorId": "40590271-c2c4-4264-8061-45b884a91a70", + "resourceState": "Active", + "provisioningState": "Succeeded" + }, + { + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/Microsoft.Cdn/profiles/meerab-test", + "type": "Microsoft.Cdn/profiles", + "name": "meerab-test", + "location": "Global", + "kind": "frontdoor", + "tags": {}, + "sku": { + "name": "Premium_AzureFrontDoor" + }, + "frontDoorId": "7bc32535-6836-44ef-99fa-19dbdcf4dabf", + "resourceState": "Active", + "provisioningState": "Succeeded" + }, +]; + +const afdSecurityPolicies = [ + { + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/Microsoft.Cdn/profiles/meerab-test/securitypolicies/e9df717b-b2c0-4f37-9150-33d736402038", + "type": "Microsoft.Cdn/profiles/securitypolicies", + "name": "e9df717b-b2c0-4f37-9150-33d736402038", + "parameters": { + "wafPolicy": { + "id": 
"/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/meerabpremiumtest" + }, + "associations": [ + { + "domains": [ + { + "isActive": true, + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/Microsoft.Cdn/profiles/meerab-test/afdendpoints/test-meerab-runtime" + } + ], + "patternsToMatch": [ + "/*" + ] + } + ], + "type": "WebApplicationFirewall" + }, + "deploymentStatus": "NotStarted", + "provisioningState": "Succeeded" + } +] + +const createCache = (profiles, securityPolicies) => { + let securityPolicy = {}; + if (profiles.length) { + securityPolicy[profiles[0].id] = { + data: securityPolicies + }; + } + + + return { + profiles: { + list: { + 'global': { + data: profiles + } + } + }, + afdSecurityPolicies: { + listByProfile: { + 'global': securityPolicy + } + } + }; +}; + +const createErrorCache = (key) => { + if (key == 'profile') { + return { + profiles: { + list: { + 'global': {} + } + } + }; + } else if (key === 'noprofile'){ + return { + profiles: { + list: { + 'global': { + data:{} + } + } + } + }; + }else if (key === 'securityPolicy') { + return { + profiles: { + list: { + 'global': { + data: [profiles[0]] + } + } + }, + afdSecurityPolicies: { + listByProfile: { + 'global': {} + } + } + }; + } else { + const profileId = (profiles && profiles.length) ? profiles[1].id : null; + const securityPolicy = (afdSecurityPolicies && afdSecurityPolicies.length) ? 
afdSecurityPolicies[0].id : null; + return { + profiles: { + list: { + 'global': { + data: [profiles[1]] + } + } + }, + afdSecurityPolicies: { + listByProfile: { + 'global': { + data: {} + } + } + } + }; + } +}; + +describe('frontDoorWafEnabled', function () { + describe('run', function () { + + it('should give pass result if No existing Azure Front Door profiles found', function (done) { + const cache = createErrorCache('noprofile'); + frontDoorWafEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Front Door profiles found'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + it('should give unknown result if Unable to query Front Door profiles:', function (done) { + const cache = createErrorCache('profile'); + frontDoorWafEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Front Door profiles: '); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + it('should give unknown result if Unable to query security policies', function (done) { + const cache = createErrorCache('policy'); + frontDoorWafEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Front Door security policies'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + it('should give pass result Front Door profile have waf enabled', function (done) { + const cache = createCache([profiles[1]], [afdSecurityPolicies[0]]); + frontDoorWafEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Front Door profile has WAF enabled'); + 
expect(results[0].region).to.equal('global'); + done(); + }); + }); + + it('should give fail result if Front Door profile does not have waf enabled', function (done) { + const cache = createCache([profiles[1]], []); + frontDoorWafEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Front Door profile does not have WAF enabled'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + }); +}); \ No newline at end of file From cadd244b580ea6955093eb1e92ea2e4c06c50bd1 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Wed, 22 Nov 2023 20:23:16 +0500 Subject: [PATCH 046/498] Update plugins/azure/frontdoor/frontDoorHttpsOnly.spec.js --- plugins/azure/frontdoor/frontDoorHttpsOnly.spec.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/frontdoor/frontDoorHttpsOnly.spec.js b/plugins/azure/frontdoor/frontDoorHttpsOnly.spec.js index 3ecf66460e..22d19fe0f0 100644 --- a/plugins/azure/frontdoor/frontDoorHttpsOnly.spec.js +++ b/plugins/azure/frontdoor/frontDoorHttpsOnly.spec.js @@ -96,7 +96,7 @@ describe('frontDoorHttpsOnly', function () { frontDoorHttpsOnly.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('No existing Azure Classic Front Door profiles found'); + expect(results[0].message).to.include('No existing Classic Front Door profiles found'); expect(results[0].region).to.equal('global'); done(); }); From a6cf4373098d83f4ed2386dd732aa017ececbc95 Mon Sep 17 00:00:00 2001 
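Review bot: The final branch of `createErrorCache` declares `profileId` and `securityPolicy` and never uses them, and the cache it returns makes the "unable to query security policies" test pass only because `listByProfile.global` has no entry keyed by the profile id, not because the entry carries an `err`; `'global': { [profiles[1].id]: { err: 'Unable to query' } }` would exercise the error branch the test is named for. There is also no case with a Standard-tier profile, which is the path that reports 'No existing Front Door profiles found' via the `frontDoorPremium` flag rather than via an empty list.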
From: alphadev4 Date: Wed, 22 Nov 2023 23:31:07 +0500 Subject: [PATCH 047/498] SAAS-20313/Front-Door-Request-Body-Inspection --- exports.js | 4 +- .../frontDoorRequestBodyInspection.js | 58 ++++++++ .../frontDoorRequestBodyInspection.spec.js | 127 ++++++++++++++++++ 3 files changed, 188 insertions(+), 1 deletion(-) create mode 100644 plugins/azure/frontdoor/frontDoorRequestBodyInspection.js create mode 100644 plugins/azure/frontdoor/frontDoorRequestBodyInspection.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..a599fab287 100644 --- a/exports.js +++ b/exports.js @@ -989,7 +989,9 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + 'frontDoorRequestBodyInspection': require(__dirname + '/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js'), + }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js new file mode 100644 index 0000000000..28955459ab --- /dev/null +++ b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js 
@@ -0,0 +1,58 @@ +const async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Front Door Request Body Inspection', + category: 'Front Door', + domain: 'Content Delivery', + description: 'Ensures that request body inspection is enabled for Azure Front Door premium WAF policy.', + more_info: 'Web Application Firewalls associated to Azure Front Doors premium that have request body inspection enabled, allows to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI.', + recommended_action: 'Ensure that request body inspection in policy settings for Azure Front Door WAF policy is enabled.', + link: 'https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection', + apis: ['afdWafPolicies:listAll'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.afdWafPolicies, (location, rcb) => { + + var afdWafPolicies = helpers.addSource(cache, source, + ['afdWafPolicies', 'listAll', location]); + + if (!afdWafPolicies) return rcb(); + + if (afdWafPolicies.err || !afdWafPolicies.data) { + helpers.addResult(results, 3, 'Unable to query for Front Door WAF policies: ' + helpers.addError(afdWafPolicies), location); + return rcb(); + } + if (!afdWafPolicies.data.length) { + helpers.addResult(results, 0, 'No existing Front Door WAF policies found', location); + return rcb(); + } + + var frontDoorWafPolicies = false; + for (let policy of afdWafPolicies.data) { + if (!policy.id || !policy.sku || policy.sku.name.toLowerCase() != 'premium_azurefrontdoor') continue; + + frontDoorWafPolicies = true; + if (policy.policySettings && + policy.policySettings.requestBodyCheck && + policy.policySettings.requestBodyCheck.toLowerCase() == 'enabled') { + helpers.addResult(results, 0, 'Front Door WAF policy 
has request body inspection enabled', location, policy.id); + } else { + helpers.addResult(results, 2, 'Front Door WAF policy does not have request body inspection enabled', location, policy.id); + } + } + + if (!frontDoorWafPolicies) { + helpers.addResult(results, 0, 'No existing Front Door WAF policies found', location); + } + + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/frontdoor/frontDoorRequestBodyInspection.spec.js b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.spec.js new file mode 100644 index 0000000000..a22415c97c --- /dev/null +++ b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.spec.js 
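Review bot: `link` points at the Application Gateway page (`/ag/application-gateway-waf-request-size-limits`) although the plugin evaluates Front Door WAF policies; the Front Door policy-settings page already used by the sibling plugin, `https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-policy-settings`, is the counterpart for this service. As in frontDoorWafEnabled, `policy.sku.name.toLowerCase()` throws when `sku.name` is absent; add `!policy.sku.name ||` to the guard so a malformed policy is skipped rather than aborting the location. When only Classic-tier policies are returned the location reports 'No existing Front Door WAF policies found' even though policies exist; 'No existing Front Door premium WAF policies found' would be accurate.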
@@ -0,0 +1,127 @@ +var expect = require('chai').expect; +var frontDoorRequestBodyInspection = require('./frontDoorRequestBodyInspection.js'); + +const afdWafPolicies = [ + { + "id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2", + "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies", + "name": "testpolicy2", + "sku": { + "name": "Premium_AzureFrontDoor" + }, + "policySettings": { + "enabledState": "Enabled", + "mode": "Prevention", + "redirectUrl": null, + "customBlockResponseStatusCode": 403, + "customBlockResponseBody": null, + "requestBodyCheck": "Disabled" + }, + }, + { + "id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2", + "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies", + "name": "testpolicy1", + "sku": { + "name": "Premium_AzureFrontDoor" + }, + "policySettings": { + "enabledState": "Enabled", + "mode": "Prevention", + "redirectUrl": null, + "customBlockResponseStatusCode": 403, + "customBlockResponseBody": null, + "requestBodyCheck": "Enabled" + }, + + }, + { + "id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2", + "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies", + "name": "testpolicy1", + "sku": { + "name": "classic" + }, + "policySettings": { + "enabledState": "Enabled", + "mode": "Prevention", + "redirectUrl": null, + "customBlockResponseStatusCode": 403, + "customBlockResponseBody": null, + "requestBodyCheck": "Enabled" + }, + + }, +]; + +const createCache = (afdWafPolicies) => { + return { + afdWafPolicies: { + listAll: { + 'global': { + data: afdWafPolicies + } + } + } + }; +}; + +const createErrorCache = () => { + return { + afdWafPolicies: { + listAll: { + 'global': { + err: 'Unable to query' + } + } + } + }; +}; 
+describe('frontDoorRequestBodyInspection', function () { + describe('run', function () { + + it('should give pass result if request body inspection is enabled for front door waf policy', function (done) { + const cache = createCache([afdWafPolicies[1]]); + frontDoorRequestBodyInspection.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Front Door WAF policy has request body inspection enabled'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + it('should give pass result if no existing front door waf policy found', function (done) { + const cache = createCache([afdWafPolicies[2]]); + frontDoorRequestBodyInspection.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Front Door WAF policies found'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + it('should give fail result if request body inspection is not enabled for front door waf policy', function (done) { + const cache = createCache([afdWafPolicies[0]]); + frontDoorRequestBodyInspection.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Front Door WAF policy does not have request body inspection enabled'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + it('should give unknown result if unable to query for front door WAF policies', function (done) { + const cache = createErrorCache(); + frontDoorRequestBodyInspection.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Front Door WAF policies:'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + }); +}); \ No newline at end of 
file From 459dd6331fcc8a78648d5a9561e6084e5d3c5dd8 Mon Sep 17 00:00:00 2001 From: fatima99s Date: Thu, 23 Nov 2023 11:35:04 +0500 Subject: [PATCH 048/498] privateEndpointcongif --- exports.js | 2 +- ...ccessEnabled.js => postgresqlPrivateEndpoints.js} | 0 .../postgresqlserver/privateAccessEnabled.spec.js | 12 ++++++------ 3 files changed, 7 insertions(+), 7 deletions(-) rename plugins/azure/postgresqlserver/{privateAccessEnabled.js => postgresqlPrivateEndpoints.js} (100%) diff --git a/exports.js b/exports.js index 6dcc08a55b..037b77f0ea 100644 --- a/exports.js +++ b/exports.js @@ -815,7 +815,7 @@ module.exports = { 'geoRedundantBackupEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/geoRedundantBackupEnabled.js'), 'postgresqlServerHasTags' : require(__dirname + '/plugins/azure/postgresqlserver/postgresqlServerHasTags.js'), 'postgresqlInfraDoubleEncryption': require(__dirname + '/plugins/azure/postgresqlserver/postgresqlInfraDoubleEncryption.js'), - 'privateAccessEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/privateAccessEnabled.js'), + 'postgresqlPrivateEndpoints' : require(__dirname + '/plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.js'), 'azureServicesAccessDisabled' : require(__dirname + '/plugins/azure/postgresqlserver/azureServicesAccessDisabled.js'), 'openOracleAutoDataWarehouse' : require(__dirname + '/plugins/azure/networksecuritygroups/openOracleAutoDataWarehouse.js'), diff --git a/plugins/azure/postgresqlserver/privateAccessEnabled.js b/plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.js similarity index 100% rename from plugins/azure/postgresqlserver/privateAccessEnabled.js rename to plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.js diff --git a/plugins/azure/postgresqlserver/privateAccessEnabled.spec.js b/plugins/azure/postgresqlserver/privateAccessEnabled.spec.js index e980f0bb78..acd140fd9f 100644 --- a/plugins/azure/postgresqlserver/privateAccessEnabled.spec.js 
+++ b/plugins/azure/postgresqlserver/privateAccessEnabled.spec.js @@ -1,5 +1,5 @@ var expect = require('chai').expect; -var privateAccessEnabled = require('./privateAccessEnabled'); +var privateEndpoints = require('./postgresqlPrivateEndpoints'); const listPostgres = [ { @@ -86,11 +86,11 @@ const createCache = (listPostgres) => { }; }; -describe('privateAccessEnabled', function() { +describe('privateEndpoints', function() { describe('run', function() { it('should give passing result if no servers', function(done) { const cache = createCache({}); - privateAccessEnabled.run(cache, {}, (err, results) => { + privateEndpoints.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); expect(results[0].message).to.include('No PostgreSQL servers found'); @@ -101,7 +101,7 @@ describe('privateAccessEnabled', function() { it('should give failing result if private endpoints are not configured', function(done) { const cache = createCache([listPostgres[0]]); - privateAccessEnabled.run(cache, {}, (err, results) => { + privateEndpoints.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); expect(results[0].message).to.include('Private Endpoints are not configured for the PostgreSQL Server'); @@ -112,7 +112,7 @@ describe('privateAccessEnabled', function() { it('should give should give passing result if private endpoints are configured', function(done) { const cache = createCache([listPostgres[1]]); - privateAccessEnabled.run(cache, {}, (err, results) => { + privateEndpoints.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); expect(results[0].message).to.include('Private Endpoints are configured for the PostgreSQL Server'); 
@@ -123,7 +123,7 @@ describe('privateAccessEnabled', function() { it('should give UnKnown result if unable to query postgreSQL Server', function(done) { const cache = createCache(null); - privateAccessEnabled.run(cache, {}, (err, results) => { + privateEndpoints.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); expect(results[0].message).to.include('Unable to query for PostgreSQL servers: '); From e9c80f8b951edc2d681d254e5adb1cfe4d70a32c Mon Sep 17 00:00:00 2001 From: fatima99s Date: Thu, 23 Nov 2023 11:36:41 +0500 Subject: [PATCH 049/498] privateEndpointcongif --- ...teAccessEnabled.spec.js => postgresqlPrivateEndpoints.spec.js} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename plugins/azure/postgresqlserver/{privateAccessEnabled.spec.js => postgresqlPrivateEndpoints.spec.js} (100%) diff --git a/plugins/azure/postgresqlserver/privateAccessEnabled.spec.js b/plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js similarity index 100% rename from plugins/azure/postgresqlserver/privateAccessEnabled.spec.js rename to plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js From 6e162364180cd33481875a85e14452ff0b68b6c2 Mon Sep 17 00:00:00 2001 From: fatima99s Date: Thu, 23 Nov 2023 13:44:01 +0500 Subject: [PATCH 050/498] postgresqlServerCMKencrypted --- exports.js | 1 + .../postgresqlEncryptionAtRestWithCMK.js | 51 +++++++ .../postgresqlEncryptionAtRestWithCMK.spec.js | 129 ++++++++++++++++++ 3 files changed, 181 insertions(+) create mode 100644 plugins/azure/postgresqlserver/postgresqlEncryptionAtRestWithCMK.js create mode 100644 plugins/azure/postgresqlserver/postgresqlEncryptionAtRestWithCMK.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..f705bbd11c 100644 --- a/exports.js +++ b/exports.js 
@@ -806,6 +806,7 @@ module.exports = {
 'logRetentionDays' : require(__dirname + '/plugins/azure/postgresqlserver/logRetentionDays.js'),
 'connectionThrottlingEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/connectionThrottlingEnabled.js'),
 'logDurationEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/logDurationEnabled.js'),
+ 'postgresqlCMKEncrypted' : require(__dirname + '/plugins/azure/postgresqlserver/postgresqlEncryptionAtRestWithCMK.js'),
 'logDisconnectionsEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/logDisconnectionsEnabled.js'),
 'logConnectionsEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/logConnectionsEnabled.js'),
 'logCheckpointsEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/logCheckpointsEnabled.js'),
diff --git a/plugins/azure/postgresqlserver/postgresqlEncryptionAtRestWithCMK.js b/plugins/azure/postgresqlserver/postgresqlEncryptionAtRestWithCMK.js
new file mode 100644
index 0000000000..3475add9b0
--- /dev/null
+++ b/plugins/azure/postgresqlserver/postgresqlEncryptionAtRestWithCMK.js
@@ -0,0 +1,51 @@
+const async = require('async');
+const helpers = require('../../../helpers/azure');
+
+module.exports = {
+ title: 'PostgreSQL Encryption At Rest with BYOK',
+ category: 'PostgreSQL Server',
+ domain: 'Databases',
+ description: 'Ensure that Azure PostgreSQL Database Servers data is encrypted with CMK.',
+ more_info: 'Data at rest encryption with BYOK ensures that your PostgreSQL server data is protected using a key that you manage. Enabling BYOK adds an extra layer of security by allowing you to control access to the encryption keys.',
+ recommended_action: 'Enable CMK encryotion for PostgreSQL database servers.',
+ link: 'https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-data-encryption-postgresql',
+ apis: ['servers:listPostgres'],
+
+ run: function(cache, settings, callback) {
+ const results = [];
+ const source = {};
+ const locations = helpers.locations(settings.govcloud);
+
+ async.each(locations.servers, (location, rcb) => {
+ const servers = helpers.addSource(cache, source,
+ ['servers', 'listPostgres', location]);
+
+ if (!servers) return rcb();
+
+ if (servers.err || !servers.data) {
+ helpers.addResult(results, 3,
+ 'Unable to query for PostgreSQL Servers:' + helpers.addError(servers), location);
+ return rcb();
+ }
+
+ if (!servers.data.length) {
+ helpers.addResult(results, 0, 'No existing PostgreSQL Servers found', location);
+ return rcb();
+ }
+
+ for (let server of servers.data) {
+ if (!server.id) continue;
+ if (server.byokEnforcement && server.byokEnforcement == 'Enabled') {
+ helpers.addResult(results, 0, 'PostgreSQL server is encrypted using CMK', location, server.id);
+ } else {
+ helpers.addResult(results, 2, 'PostgreSQL server is not encrypted using CMK', location, server.id);
+ }
+ }
+
+ rcb();
+ }, function() {
+ // Global checking goes here
+ callback(null, results, source);
+ });
+ }
+};
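Review bot: `server.byokEnforcement == 'Enabled'` is a case-sensitive loose comparison, whereas the other plugins in this series normalize with `.toLowerCase()`; use `if (server.byokEnforcement && server.byokEnforcement.toLowerCase() === 'enabled') {` so a differently cased API value is not reported as unencrypted. The `recommended_action` string has a typo ('encryotion'), the title says BYOK while the description, result messages and export key (`postgresqlCMKEncrypted`) say CMK, and the unknown-result message `'Unable to query for PostgreSQL Servers:'` lacks the space before the appended error text that the sibling plugins include. The `// Global checking goes here` comment in the completion callback is template residue with no corresponding code and can be dropped.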
diff --git a/plugins/azure/postgresqlserver/postgresqlEncryptionAtRestWithCMK.spec.js b/plugins/azure/postgresqlserver/postgresqlEncryptionAtRestWithCMK.spec.js new file mode 100644 index 0000000000..bab800d5e7 --- /dev/null +++ b/plugins/azure/postgresqlserver/postgresqlEncryptionAtRestWithCMK.spec.js 
@@ -0,0 +1,129 @@ +var expect = require('chai').expect; +var postgresqlEncryptionAtRestWithCMK = require('./postgresqlEncryptionAtRestWithCMK'); + +const listPostgres = [ + { + 'sku': { + 'name': 'B_Gen5_1', + 'tier': 'Basic', + 'family': 'Gen5', + 'capacity': 1 + }, + 'location': 'eastus', + 'tags': { "key": "value" }, + 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.DBforPostgreSQL/servers/server1', + 'name': 'server1', + 'type': 'Microsoft.DBforPostgreSQL/servers', + 'administratorLogin': 'Aquaadmin', + 'storageProfile': { + 'storageMB': 5120, + 'backupRetentionDays': 7, + 'geoRedundantBackup': 'Disabled', + 'storageAutogrow': 'Enabled' + }, + 'version': '11', + 'sslEnforcement': 'Enabled', + 'minimalTlsVersion': 'TLSEnforcementDisabled', + 'userVisibleState': 'Ready', + 'fullyQualifiedDomainName': 'server1.postgres.database.azure.com', + 'earliestRestoreDate': '2021-03-10T12:45:13.233+00:00', + 'replicationRole': '', + 'masterServerId': '', + 'byokEnforcement': 'Disabled', + 'privateEndpointConnections': [], + 'infrastructureEncryption': 'Disabled', + 'publicNetworkAccess': 'Enabled' + }, + { + 'sku': { + 'name': 'B_Gen5_1', + 'tier': 'Basic', + 'family': 'Gen5', + 'capacity': 1 + }, + 'location': 'eastus', + 'tags': {}, + 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.DBforPostgreSQL/servers/server1', + 'name': 'server1', + 'type': 'Microsoft.DBforPostgreSQL/servers', + 'administratorLogin': 'Aquaadmin', + 'storageProfile': { + 'storageMB': 5120, + 'backupRetentionDays': 7, + 'geoRedundantBackup': 'Disabled', + 'storageAutogrow': 'Disabled' + }, + 'version': '11', + 'sslEnforcement': 'Enabled', + 'minimalTlsVersion': 'TLSEnforcementDisabled', + 'userVisibleState': 'Ready', + 'fullyQualifiedDomainName': 'server1.postgres.database.azure.com', + 'earliestRestoreDate': '2021-03-10T12:45:13.233+00:00', + 'replicationRole': '', + 'masterServerId': '', + 'byokEnforcement': 'Enabled', + 
'privateEndpointConnections': [], + 'infrastructureEncryption': 'Enabled', + 'publicNetworkAccess': 'Enabled' + } +]; + +const createCache = (listPostgres) => { + return { + servers: { + listPostgres: { + 'eastus': { + data: listPostgres + } + } + } + }; +}; + +describe('postgresqlEncryptionAtRestWithCMK', function() { + describe('run', function() { + it('should give passing result if no servers', function(done) { + const cache = createCache({}); + postgresqlEncryptionAtRestWithCMK.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing PostgreSQL Servers found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if PostgreSQL Server is not encrypted using CMK', function(done) { + const cache = createCache([listPostgres[0]]); + postgresqlEncryptionAtRestWithCMK.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('PostgreSQL server is not encrypted using CMK'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if PostgreSQL Server is encrypted using CMK', function(done) { + const cache = createCache([listPostgres[1]]); + postgresqlEncryptionAtRestWithCMK.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('PostgreSQL server is encrypted using CMK'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + it('should give UnKnown result if unable to query postgreSQL Server', function(done) { + const cache = createCache(null); + postgresqlEncryptionAtRestWithCMK.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for 
PostgreSQL Servers:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + }); +}); \ No newline at end of file From 95dd19e66c2572aacd6d8959b29de2083024e532 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Thu, 23 Nov 2023 16:57:22 +0500 Subject: [PATCH 051/498] removed classic --- plugins/azure/frontdoor/frontDoorHttpsOnly.js | 6 +++--- plugins/azure/frontdoor/frontDoorHttpsOnly.spec.js | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/plugins/azure/frontdoor/frontDoorHttpsOnly.js b/plugins/azure/frontdoor/frontDoorHttpsOnly.js index 6afb1e5d7b..503491cb46 100644 --- a/plugins/azure/frontdoor/frontDoorHttpsOnly.js +++ b/plugins/azure/frontdoor/frontDoorHttpsOnly.js @@ -29,7 +29,7 @@ module.exports = { } if (!classicFrontDoors.data.length) { - helpers.addResult(results, 0, 'No existing Classic Front Door profiles found', location); + helpers.addResult(results, 0, 'No existing Front Door profiles found', location); return rcb(); } @@ -52,9 +52,9 @@ module.exports = { } if (ruleFound) { - helpers.addResult(results, 0, 'Classic Front Door profile is configured to use HTTPS only', location, frontDoor.id); + helpers.addResult(results, 0, 'Front Door profile is configured to use HTTPS only', location, frontDoor.id); } else { - helpers.addResult(results, 2, 'Classic Front Door profile is not configured to use HTTPS only', location, frontDoor.id); + helpers.addResult(results, 2, 'Front Door profile is not configured to use HTTPS only', location, frontDoor.id); } }); diff --git a/plugins/azure/frontdoor/frontDoorHttpsOnly.spec.js b/plugins/azure/frontdoor/frontDoorHttpsOnly.spec.js index 22d19fe0f0..c3061d0639 100644 --- a/plugins/azure/frontdoor/frontDoorHttpsOnly.spec.js +++ b/plugins/azure/frontdoor/frontDoorHttpsOnly.spec.js 
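Review bot: Dropping 'Classic' from the three result messages makes them indistinguishable from the messages emitted by frontDoorWafEnabled and the other profile-based Front Door plugins, while this plugin still iterates `classicFrontDoors`, which by its name is the classic resource kind (the query itself is outside the hunks). If the intent is to cover both resource kinds the data source has to change as well; if not, keeping 'Classic' in the messages, or naming the resource type in them, tells the operator which resource a finding refers to. The enclosing `run` callback starts and ends outside both hunks.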
@@ -96,7 +96,7 @@ describe('frontDoorHttpsOnly', function () { frontDoorHttpsOnly.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('No existing Classic Front Door profiles found'); + expect(results[0].message).to.include('No existing Front Door profiles found'); expect(results[0].region).to.equal('global'); done(); }); @@ -107,7 +107,7 @@ describe('frontDoorHttpsOnly', function () { frontDoorHttpsOnly.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Classic Front Door profile is configured to use HTTPS only'); + expect(results[0].message).to.include('Front Door profile is configured to use HTTPS only'); expect(results[0].region).to.equal('global'); done(); }); @@ -118,7 +118,7 @@ describe('frontDoorHttpsOnly', function () { frontDoorHttpsOnly.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Classic Front Door profile is not configured to use HTTPS only'); + expect(results[0].message).to.include('Front Door profile is not configured to use HTTPS only'); expect(results[0].region).to.equal('global'); done(); }); From 37bfa8f409c24d82c671f1a39378c3ba39afdd23 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Thu, 23 Nov 2023 17:39:27 +0500 Subject: [PATCH 052/498] Apply suggestions from code review --- exports.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exports.js b/exports.js index 557f0fd7d9..42453bdaff 100644 --- a/exports.js +++ b/exports.js 
@@ -990,7 +990,7 @@ module.exports = { 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), - 'frontDootHttpsOnly' : require(__dirname + '/plugins/azure/frontdoor/frontDoorHttpsOnly.js'), + 'frontDoorHttpsOnly' : require(__dirname + '/plugins/azure/frontdoor/frontDoorHttpsOnly.js'), }, github: { From 7df0fae46925b4b0cda546f55946a720dd73e2df Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Thu, 23 Nov 2023 18:19:52 +0500 Subject: [PATCH 053/498] SAAS-20313/afd-detection-mode --- exports.js | 5 +- .../frontdoor/frontDoorWafDetectionMode.js | 47 ++++++++ .../frontDoorWafDetectionMode.spec.js | 108 ++++++++++++++++++ 3 files changed, 158 insertions(+), 2 deletions(-) create mode 100644 plugins/azure/frontdoor/frontDoorWafDetectionMode.js create mode 100644 plugins/azure/frontdoor/frontDoorWafDetectionMode.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..340b4637a2 100644 --- a/exports.js +++ b/exports.js @@ -989,7 +989,8 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + 'frontDoorWafDetectionMode' : require(__dirname + '/plugins/azure/frontDoor/frontDoorWafDetectionMode.js') }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), 
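Review bot: The added `require` path in the commit-053 hunk uses `/plugins/azure/frontDoor/frontDoorWafDetectionMode.js` with a capital D, but the new file is created under `plugins/azure/frontdoor/` (see the `+++ b/plugins/azure/frontdoor/frontDoorWafDetectionMode.js` header that follows); on a case-sensitive filesystem this `require` throws at load time and takes the whole exports module down with it. Change it to `'frontDoorWafDetectionMode' : require(__dirname + '/plugins/azure/frontdoor/frontDoorWafDetectionMode.js')`. The same region is edited by the commit-052 hunk above (`frontDootHttpsOnly` → `frontDoorHttpsOnly`), so the two hunks will likely need reconciling when merged.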
@@ -1478,4 +1479,4 @@ module.exports = { 'securityNotificationsEnabled' : require(__dirname + '/plugins/alibaba/securitycenter/securityNotificationsEnabled.js'), 'vulnerabilityScanEnabled' : require(__dirname + '/plugins/alibaba/securitycenter/vulnerabilityScanEnabled.js') } -}; +}; \ No newline at end of file diff --git a/plugins/azure/frontdoor/frontDoorWafDetectionMode.js b/plugins/azure/frontdoor/frontDoorWafDetectionMode.js new file mode 100644 index 0000000000..71abb7ada8 --- /dev/null +++ b/plugins/azure/frontdoor/frontDoorWafDetectionMode.js 
@@ -0,0 +1,47 @@ +const async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Front Door WAF Detection Mode', + category: 'Front Door', + domain: 'Content Delivery', + description: 'Ensure that WAF policy for Azure Front Door is set to Detection mode.', + more_info: 'Azure Web Application Firewall (WAF) on Azure Front Door provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. It monitors and logs the request and its matched WAF rule to WAF logs.', + recommended_action: 'Modify Front Door WAF policy and enable prevention mode.', + link: 'https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview', + apis: ['afdWafPolicies:listAll'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + async.each(locations.afdWafPolicies, (location, rcb) => { + var afdWafPolicies = helpers.addSource(cache, source, + ['afdWafPolicies', 'listAll', location]); + + if (!afdWafPolicies) return rcb(); + + if (afdWafPolicies.err || !afdWafPolicies.data) { + helpers.addResult(results, 3, 'Unable to query for Front Door WAF policies: ' + helpers.addError(afdWafPolicies), location); + return rcb(); + } + if (!afdWafPolicies.data.length) { + helpers.addResult(results, 0, 'No existing Front Door WAF policies found', location); + return rcb(); + } + + for (let policy of afdWafPolicies.data) { + if (!policy.id) continue; + + if (policy.policySettings && policy.policySettings.mode && policy.policySettings.mode.toLowerCase() == 'detection') { + helpers.addResult(results, 0, 'Detection mode enabled for Front Door WAF policy', location, policy.id); + } else { + helpers.addResult(results, 2, 'Detection mode not enabled for Front Door WAF policy', location, policy.id); + } + } 
+ rcb(); + }, function() { + callback(null, results, source); + }); + } +}; diff --git a/plugins/azure/frontdoor/frontDoorWafDetectionMode.spec.js b/plugins/azure/frontdoor/frontDoorWafDetectionMode.spec.js new file mode 100644 index 0000000000..f6a31966cb --- /dev/null +++ b/plugins/azure/frontdoor/frontDoorWafDetectionMode.spec.js 
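Review bot: The pass condition and the remediation text contradict each other: the loop passes a policy whose `policySettings.mode` is `detection` and fails one in prevention mode, yet `recommended_action` tells the operator to 'enable prevention mode', so following the plugin's own advice makes the resource fail the check. Decide which posture this plugin enforces and align title, description, `recommended_action` and the two result messages; since `more_info` itself says Detection mode only monitors and logs matched requests, a check that fails Prevention mode needs that rationale spelled out. The loop also ignores `policySettings.enabledState`, so a disabled policy whose stored mode is Detection is reported as passing; consider `if (policy.policySettings && policy.policySettings.enabledState === 'Enabled' && policy.policySettings.mode && policy.policySettings.mode.toLowerCase() === 'detection') {`, which also replaces the loose `==` with `===`.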
@@ -0,0 +1,108 @@ +var expect = require('chai').expect; +var frontDoorWafDetectionMode = require('./frontDoorWafDetectionMode.js'); + +const afdWafPolicies = [ + { + "id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2", + "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies", + "name": "testpolicy2", + "sku": { + "name": "Premium_AzureFrontDoor" + }, + "policySettings": { + "enabledState": "Enabled", + "mode": "Prevention", + "redirectUrl": null, + "customBlockResponseStatusCode": 403, + "customBlockResponseBody": null, + "requestBodyCheck": "Disabled" + }, + }, + { + "id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2", + "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies", + "name": "testpolicy1", + "sku": { + "name": "Premium_AzureFrontDoor" + }, + "policySettings": { + "enabledState": "Enabled", + "mode": "Detection", + "redirectUrl": null, + "customBlockResponseStatusCode": 403, + "customBlockResponseBody": null, + "requestBodyCheck": "Disabled" + }, + }, +]; + +const createCache = (afdWafPolicies) => { + return { + afdWafPolicies: { + listAll: { + 'global': { + data: afdWafPolicies + } + } + } + }; +}; + +const createErrorCache = () => { + return { + afdWafPolicies: { + listAll: { + 'global': {} + } + } + }; +}; +describe('frontDoorWafDetectionMode', function () { + describe('run', function () { + + it('should give pass result if detection mode is enabled for front door waf policy', function (done) { + const cache = createCache([afdWafPolicies[1]]); + frontDoorWafDetectionMode.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Detection mode enabled for Front Door WAF policy'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + it('should 
give unknown result if unable to query for Front Door WAF policies', function (done) { + const cache = createErrorCache(); + frontDoorWafDetectionMode.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Front Door WAF policies'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + it('should give pass result if no existing front door waf policies found', function (done) { + const cache = createCache([]); + frontDoorWafDetectionMode.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Front Door WAF policies found'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + it('should give fail result if detection mode is not enabled for front door waf policy', function (done) { + const cache = createCache([afdWafPolicies[0]]); + frontDoorWafDetectionMode.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Detection mode not enabled for Front Door WAF policy'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + }); +}); \ No newline at end of file From 4d2fb9529c0a64701cbf8ea8bf97a6d37f59897d Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Fri, 24 Nov 2023 14:46:09 +0500 Subject: [PATCH 054/498] SAAS-20313/Dns-management-domain --- exports.js | 6 +- .../frontdoor/frontDoorDnsManagedDomain.js | 73 ++++++ .../frontDoorDnsManagedDomain.spec.js | 233 ++++++++++++++++++ 3 files changed, 310 insertions(+), 2 deletions(-) create mode 100644 plugins/azure/frontdoor/frontDoorDnsManagedDomain.js create mode 100644 plugins/azure/frontdoor/frontDoorDnsManagedDomain.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..24948beaa4 100644 --- a/exports.js +++ b/exports.js 
@@ -989,7 +989,9 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + 'frontDoorDnsManagedDomain' : require(__dirname + '/plugins/azure/frontdoor/frontDoorDnsManagedDomain.js') + }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), @@ -1478,4 +1480,4 @@ module.exports = { 'securityNotificationsEnabled' : require(__dirname + '/plugins/alibaba/securitycenter/securityNotificationsEnabled.js'), 'vulnerabilityScanEnabled' : require(__dirname + '/plugins/alibaba/securitycenter/vulnerabilityScanEnabled.js') } -}; +}; \ No newline at end of file diff --git a/plugins/azure/frontdoor/frontDoorDnsManagedDomain.js b/plugins/azure/frontdoor/frontDoorDnsManagedDomain.js new file mode 100644 index 0000000000..fc716b2bfe --- /dev/null +++ b/plugins/azure/frontdoor/frontDoorDnsManagedDomain.js 
@@ -0,0 +1,73 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Front Door Domain Managed DNS', + category: 'Front Door', + domain: 'Content Delivery', + description: 'Ensures that Front Door Standard and Premium profile custom domains are configured to use Azure Managed DNS', + more_info: 'Azure Managed DNS is a hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure.', + recommended_action: 'Ensure that Non-Azure validated domains for Front Door Standard and Premium are using Azure Managed DNS.', + link: 'https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain?tabs=powershell#azure-front-door-managed-certificates-for-non-azure-pre-validated-domains', + apis: ['profiles:list', 'customDomain:listByFrontDoorProfiles'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + async.each(locations.profiles, (location, rcb) => { + const profiles = helpers.addSource(cache, source, + ['profiles', 'list', location]); + + if (!profiles) return rcb(); + + if (profiles.err || !profiles.data) { + helpers.addResult(results, 3, + 'Unable to query Azure Front Door profiles: ' + helpers.addError(profiles), location); + return rcb(); + } + + if (!profiles.data.length) { + helpers.addResult(results, 0, 'No existing Azure Front Door profiles found', location); + return rcb(); + } + + var frontDoorProfile = false; + profiles.data.forEach(function(profile) { + if (!profile.id || profile.kind != 'frontdoor') return; + + frontDoorProfile = true; + var failingDomains = {}; + const customDomains = helpers.addSource(cache, source, + ['customDomain', 'listByFrontDoorProfiles', location, profile.id]); + if (!customDomains || customDomains.err || !customDomains.data) { + helpers.addResult(results, 3, + 'Unable to query Front Door custom 
domains: ' + helpers.addError(customDomains), location, profile.id); + } else if (!customDomains.data.length) { + helpers.addResult(results, 0, 'No existing Front Door custom domains found', location, profile.id); + } else { + failingDomains = customDomains.data.filter(customDomain => { + return (!customDomain.azureDnsZone); + }).map(function(customDomain) { + return customDomain.name; + }); + + if (failingDomains.length){ + helpers.addResult(results, 2, + `Front Door Profile domains are not using Azure managed DNS ${failingDomains.join(', ')}`, location, profile.id); + } else { + helpers.addResult(results, 0, + 'Front Door Profile domains are using Azure managed DNS', location, profile.id); + } + } + }); + + if (!frontDoorProfile) { + helpers.addResult(results, 0, 'No existing Azure Front Door profiles found', location); + } + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/frontdoor/frontDoorDnsManagedDomain.spec.js b/plugins/azure/frontdoor/frontDoorDnsManagedDomain.spec.js new file mode 100644 index 0000000000..7efb78dba6 --- /dev/null +++ b/plugins/azure/frontdoor/frontDoorDnsManagedDomain.spec.js 
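Review bot: `var failingDomains = {};` declares an object that is then overwritten with the array produced by `filter(...).map(...)`, so the initial literal is misleading; declare it at the point of assignment, `const failingDomains = customDomains.data.filter(...).map(...)`, or initialise it as `[]`. The scope stated in `recommended_action` and `link` is non-Azure pre-validated domains, but the filter fails every custom domain with a falsy `azureDnsZone`, including ones that carry a `preValidatedCustomDomainResourceId` (the spec fixture has that field); if pre-validated domains are meant to be excluded the filter should account for that, otherwise the metadata should say all custom domains are in scope. `profile.kind != 'frontdoor'` should be `!==`, and the fail message joins the domain list onto the sentence with no separator — `Front Door Profile domains are not using Azure managed DNS: ${failingDomains.join(', ')}` reads better.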
@@ -0,0 +1,233 @@ +var expect = require('chai').expect; +var frontDoorDnsManagedDomain = require('./frontDoorDnsManagedDomain.js'); + +const profiles = [ + { + "id": "/subscriptions/234/resourcegroups/sadeedrg/providers/Microsoft.Cdn/profiles/test-profile", + "type": "Microsoft.Cdn/profiles", + "name": "test-profile", + "location": "Global", + "kind": "frontdoor", + "tags": {}, + "sku": { + "name": "Standard_Microsoft" + }, + "properties": { + "resourceState": "Active", + "provisioningState": "Succeeded" + } + }, + { + "id": "/subscriptions/234/resourcegroups/sadeedrg/providers/Microsoft.Cdn/profiles/test-profile", + "type": "Microsoft.Cdn/profiles", + "name": "test-profile", + "location": "Global", + "kind": "frontdoor", + "tags": {}, + "sku": { + "name": "Standard_Microsoft" + }, + "properties": { + "resourceState": "Active", + "provisioningState": "Succeeded" + } + }, + { + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/Microsoft.Cdn/profiles/mehak-fd", + "type": "Microsoft.Cdn/profiles", + "name": "mehak-fd", + "location": "Global", + "kind": "frontdoor", + "tags": {}, + "sku": { + "name": "Premium_AzureFrontDoor" + }, + "properties": { + "originResponseTimeoutSeconds": 60, + "frontDoorId": "40590271-c2c4-4264-8061-45b884a91a70", + "resourceState": "Active", + "provisioningState": "Succeeded" + } + } +]; + + +const customDomain = [ + { + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/Microsoft.Cdn/profiles/mehak-fd/customdomains/test-naim-app-srvenv-appserviceenvironment-net", + "type": "Microsoft.Cdn/profiles/customdomains", + "name": "test-naim-app-srvenv-appserviceenvironment-net", + "hostName": "test.naim-app-srvenv.appserviceenvironment.net", + "tlsSettings": { + "certificateType": "ManagedCertificate", + "minimumTlsVersion": "TLS12", + "secret": null + }, + "validationProperties": { + "validationToken": "mh0nl1m0syywj6m6bt5s9hksxw1sk4h9", + "expirationDate": 
"2023-08-07T20:07:11.5302594+00:00" + }, + "azureDnsZone": { + "id": "/subscriptions/a7ddb462-bd4a-4c99-bda2-e008b2ab62f8/resourceGroups/naim-resources/providers/Microsoft.Network/dnszones/naim-app-srvenv.appserviceenvironment.net" + }, + "domainValidationState": "Pending", + "preValidatedCustomDomainResourceId": null, + "provisioningState": "Succeeded", + "deploymentStatus": "NotStarted" + }, + { + + }, + { + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/Microsoft.Cdn/profiles/mehak-fd/customdomains/test-naim-app-srvenv-appserviceenvironment-net", + "type": "Microsoft.Cdn/profiles/customdomains", + "name": "test-naim-app-srvenv-appserviceenvironment-net", + "hostName": "test.naim-app-srvenv.appserviceenvironment.net", + "tlsSettings": { + "certificateType": "ManagedCertificate", + "minimumTlsVersion": "TLS1", + "secret": null + }, + "validationProperties": { + "validationToken": "mh0nl1m0syywj6m6bt5s9hksxw1sk4h9", + "expirationDate": "2023-08-07T20:07:11.5302594+00:00" + }, + "azureDnsZone": null, + "domainValidationState": "Pending", + "preValidatedCustomDomainResourceId": null, + "provisioningState": "Succeeded", + "deploymentStatus": "NotStarted" + }, +] + +const createCache = (profiles, customDomains) => { + let customDomain = {}; + if (profiles.length) { + customDomain[profiles[0].id] = { + data: customDomains + }; + } + + + return { + profiles: { + list: { + 'global': { + data: profiles + } + } + }, + customDomain: { + listByFrontDoorProfiles: { + 'global': customDomain + } + } + }; +}; + +const createErrorCache = (key) => { + if (key == 'profile') { + return { + profiles: { + list: { + 'global': {} + } + } + }; + } else if (key === 'customDomains') { + return { + profiles: { + list: { + 'global': { + data: [profiles[0]] + } + } + }, + customDomains: { + listByFrontDoorProfiles: { + 'global': {} + } + } + }; + } else { + const profileId = (profiles && profiles.length) ? 
profiles[0].id : null; + const customDomains = (customDomains && customDomains.length) ? customDomains[0].id : null; + return { + profiles: { + list: { + 'global': { + data: [profiles[0]] + } + } + }, + diagnosticSettings: { + customDomains: { + 'global': { + data: {} + } + } + } + }; + } +}; + +describe('frontDoorDnsManagedDomain', function () { + describe('run', function () { + + it('should give unknown if Unable to query Azure Front Door profiles:', function (done) { + const cache = createErrorCache('profile'); + frontDoorDnsManagedDomain.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Azure Front Door profiles'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + + it('should give unknown if Unable to query Front Door custom domains:', function (done) { + const cache = createErrorCache('customDomains'); + frontDoorDnsManagedDomain.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Front Door custom domains:'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + it('should give pass if No existing Front Door custom domains found', function (done) { + const cache = createCache([profiles[0]], customDomain[1]); + frontDoorDnsManagedDomain.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Front Door custom domains found'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + it('should give pass result if AFD profile custom domain is using Azure managed DNS', function (done) { + const cache = createCache([profiles[2]], [customDomain[0]]); + frontDoorDnsManagedDomain.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + 
expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Front Door Profile domains are using Azure managed DNS'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + it('should give fail result if AFD profile custom domain is not using Azure managed DNS', function (done) { + const cache = createCache([profiles[2]], [customDomain[2]]); + frontDoorDnsManagedDomain.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Front Door Profile domains are not using Azure managed DNS'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + }); +}); \ No newline at end of file From 27af23022520ca702bae949e96bad94d93016ad4 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Fri, 24 Nov 2023 18:32:56 +0500 Subject: [PATCH 055/498] Open-source-issue-fixes --- plugins/aws/iam/sshKeysRotated.js | 2 +- plugins/aws/iam/sshKeysRotated.spec.js | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/plugins/aws/iam/sshKeysRotated.js b/plugins/aws/iam/sshKeysRotated.js index bf6a4b40f9..55da621173 100644 --- a/plugins/aws/iam/sshKeysRotated.js +++ b/plugins/aws/iam/sshKeysRotated.js @@ -59,7 +59,7 @@ module.exports = { if (!listSSHPublicKeys || listSSHPublicKeys.err || !listSSHPublicKeys.data || !listSSHPublicKeys.data.SSHPublicKeys) { helpers.addResult(results, 3, - 'Unable to query for SSH Keys: ' + helpers.addError(listSSHPublicKeys), user.Arn); + 'Unable to query for SSH Keys: ' + helpers.addError(listSSHPublicKeys), 'global', user.Arn); continue; } diff --git a/plugins/aws/iam/sshKeysRotated.spec.js b/plugins/aws/iam/sshKeysRotated.spec.js index e21b408a1a..ce950d7ad2 100644 --- a/plugins/aws/iam/sshKeysRotated.spec.js +++ b/plugins/aws/iam/sshKeysRotated.spec.js 
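Review bot: `createErrorCache('customDomains')` stores the error branch under the cache key `customDomains`, but the plugin reads `['customDomain', 'listByFrontDoorProfiles', ...]`, so the 'unable to query' test passes only because the key is absent, not because an error object is seen; rename the key to `customDomain` and put an entry with `err` set under `'global'` so the error path is what is exercised. The `else` branch of the same helper reads `customDomains` inside its own initialiser (`const customDomains = (customDomains && ...)`), which throws a ReferenceError if that branch is ever reached, and the `diagnosticSettings` object it builds is unrelated to this plugin — it appears copy-pasted and should be removed. `createCache([profiles[0]], customDomain[1])` passes a bare object rather than an array as the domain list, so the 'no existing custom domains' case is reached through `{}.length` being undefined; pass `[]` instead so the test reflects the real API shape.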
@@ -155,6 +155,7 @@ describe('sshKeysRotated', function() { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); expect(results[0].message).to.include('Unable to query for SSH Keys:'); + expect(results[0].region).to.equal('global'); done(); }); }); From ed784e4ad69e1e54604ce9245dd1fba66e292079 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Sat, 25 Nov 2023 12:28:04 +0500 Subject: [PATCH 056/498] diagnostic logs enabled --- exports.js | 4 +- helpers/azure/api.js | 11 +- helpers/azure/locations.js | 3 +- .../mediaServices/amsDiagnosticLogsEnabled.js | 61 ++++++++ .../amsDiagnosticLogsEnabled.spec.js | 137 ++++++++++++++++++ 5 files changed, 213 insertions(+), 3 deletions(-) create mode 100644 plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js create mode 100644 plugins/azure/mediaServices/amsDiagnosticLogsEnabled.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..c20464df48 100644 --- a/exports.js +++ b/exports.js @@ -989,7 +989,9 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + + 'amsDiagnosticLogsEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 0c44596e9d..ba7fc77c2f 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js 
@@ -465,6 +465,11 @@ var calls = { url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01' } }, + mediaServices:{ + listAll: { + url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Media/mediaservices?api-version=2023-01-01' + } + }, // For CIEM groups: { list: { @@ -956,8 +961,12 @@ var tertiarycalls = { reliesOnPath: 'registries.list', properties: ['id'], url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview' + }, + listByMediaService: { + reliesOnPath: 'mediaServices.listAll', + properties: ['id'], + url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview' } - }, backupShortTermRetentionPolicies: { listByDatabase: { diff --git a/helpers/azure/locations.js b/helpers/azure/locations.js index 46dd902f36..0b182e74e1 100644 --- a/helpers/azure/locations.js +++ b/helpers/azure/locations.js @@ -118,5 +118,6 @@ module.exports = { bastionHosts: locations, applications: ['global'], eventGrid: locations, - eventHub: locations + eventHub: locations, + mediaServices: locations, }; diff --git a/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js b/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js new file mode 100644 index 0000000000..a7bd95a55f --- /dev/null +++ b/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js 
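Review bot: In the `@@ -956,8 +961,12 @@` hunk of `helpers/azure/api.js` the removed `- },` was the closer of the enclosing `diagnosticSettings` object, and the only closer visible after the new `listByMediaService` url is a single `}`, which would leave `diagnosticSettings` unclosed before `backupShortTermRetentionPolicies`. The hunk header's line counts do not quite match the lines visible here, so this may be a rendering artefact of the collapsed diff, but please confirm the file still parses; the sibling tertiary calls above close the inner call with `}` and the outer object with `},`, and the new entry should follow that pattern.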
@@ -0,0 +1,61 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Azure Media Services Diagnostic Logs Enabled', + category: 'Media Services', + domain: 'Network Access Control', + description: 'Ensure that Microsoft Azure Media Services have diagnostic logs enabled.', + more_info: 'Diagnostic logs provide valuable insights into the operation and health of Media Services. By enabling diagnostic logs, you can gather diagnostic data that could be useful to create notification alerts.', + link: 'https://learn.microsoft.com/en-us/azure/media-services/latest/monitoring/monitor-media-services', + recommended_action: 'Modify the media service settings and enable diagnostic logs.', + apis: ['mediaServices:listAll', 'diagnosticSettings:listByMediaService'], + + run: function(cache, settings, callback) { + var results = []; + var source = {}; + var locations = helpers.locations(settings.govcloud); + + async.each(locations.mediaServices, function(location, rcb){ + var mediaServices = helpers.addSource(cache, source, + ['mediaServices', 'listAll', location]); + + if (!mediaServices) return rcb(); + + if (mediaServices.err || !mediaServices.data) { + helpers.addResult(results, 3, 'Unable to query for Media Services: ' + helpers.addError(mediaServices), location); + return rcb(); + } + + if (!mediaServices.data.length) { + helpers.addResult(results, 0, 'No existing Media Services found', location); + return rcb(); + } + + for (let mediaService of mediaServices.data) { + if (!mediaService.id) continue; + + var diagnosticSettings = helpers.addSource(cache, source, + ['diagnosticSettings', 'listByMediaService', location, mediaService.id]); + + if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) { + helpers.addResult(results, 3, `Unable to query for Media Service diagnostic settings: ${helpers.addError(diagnosticSettings)}`, + location, mediaService.id); + continue; + } + 
console.log(diagnosticSettings.data[0].logs) + var found = diagnosticSettings.data.find(ds => ds.logs && ds.logs.length); + + if (found) { + helpers.addResult(results, 0, 'Media Service has diagnostic logs enabled', location, mediaService.id); + } else { + helpers.addResult(results, 2, 'Media Service does not have diagnostic logs enabled', location, mediaService.id); + } + } + + rcb(); + }, function(){ + callback(null, results, source); + }); + } +}; diff --git a/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.spec.js b/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.spec.js new file mode 100644 index 0000000000..cf226de825 --- /dev/null +++ b/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.spec.js 
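Review bot: The debugging statement `console.log(diagnosticSettings.data[0].logs)` must not ship: it writes raw API data to stdout on every scan, and when `diagnosticSettings.data` is an empty array it throws a TypeError inside the `async.each` callback, aborting the whole plugin. Remove the line. The pass condition on the next line, `ds.logs && ds.logs.length`, treats any non-empty `logs` array as 'enabled', but each entry carries its own `enabled` flag (the spec fixture shows categories with `enabled: false`), so a setting with every category switched off still passes; use `var found = diagnosticSettings.data.find(ds => ds.logs && ds.logs.some(l => l.enabled));`. `domain: 'Network Access Control'` also looks wrong for a logging check — presumably carried over from the sibling public-access plugin; verify against the domain other diagnostic-log plugins in this repository use.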
@@ -0,0 +1,137 @@ +var expect = require('chai').expect; +var amsDiagnosticLogsEnabled = require('./amsDiagnosticLogsEnabled'); + +const mediaServices = [ + { + "name": 'test-vnet', + "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Media/mediaservices/test', + "type": 'Microsoft.Media/mediaservices', + "location": 'eastus', + "publicNetworkAccess": 'Enabled', + "provisioningState": 'Succeeded', + "privateEndpointConnections": [], + "minimumTlsVersion": 'Tls12' + } +]; + +const diagnosticSettings = [ + { + id: '/subscriptions/123/resourceGroups/aqua-resource-group/providers/microsoft.media/mediaservices/test/providers/microsoft.insights/diagnosticSettings/test2', + type: 'Microsoft.Insights/diagnosticSettings', + name: 'test2', + location: 'eastus', + kind: null, + tags: null, + eventHubName: null, + metrics: [], + logs: [ + { + category: null, + categoryGroup: 'audit', + enabled: false, + retentionPolicy: { enabled: false, days: 0 } + }, + { + category: null, + categoryGroup: 'allLogs', + enabled: true, + retentionPolicy: { enabled: false, days: 0 } + } + ], + logAnalyticsDestinationType: null + }, + { + id: '/subscriptions/123/resourceGroups/aqua-resource-group/providers/microsoft.media/mediaservices/test/providers/microsoft.insights/diagnosticSettings/test2', + type: 'Microsoft.Insights/diagnosticSettings', + name: 'test2', + location: 'eastus', + kind: null, + tags: null, + identity: null, + metrics: [], + logs: [], + logAnalyticsDestinationType: null + }, +]; + +const createCache = (ams, ds) => { + const id = (ams && ams.length) ? 
ams[0].id : null; + return { + mediaServices: { + listAll: { + 'eastus': { + data: ams + } + } + }, + diagnosticSettings: { + listByMediaService: { + 'eastus': { + [id]: { + data: ds + } + } + } + + }, + }; +}; + +describe('amsDiagnosticLogsEnabled', function() { + describe('run', function() { + it('should give passing result if no media services found', function(done) { + const cache = createCache([], null); + amsDiagnosticLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Media Services found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for media services', function(done) { + const cache = createCache(null, null); + amsDiagnosticLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Media Services:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for diagnostic settings', function(done) { + const cache = createCache([mediaServices[0]], null); + amsDiagnosticLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Media Service diagnostic settings:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if diagnostic logs enabled', function(done) { + const cache = createCache([mediaServices[0]], [diagnosticSettings[0]]); + amsDiagnosticLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Media Service has diagnostic logs enabled'); + 
expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if diagnostic logs not enabled', function(done) { + const cache = createCache([mediaServices[0]], [diagnosticSettings[1]]); + amsDiagnosticLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Media Service does not have diagnostic logs enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); From 705cbd6edf239049da24d5e1f881e1185fd17f62 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Sat, 25 Nov 2023 14:12:56 +0500 Subject: [PATCH 057/498] ams public access disabled --- exports.js | 4 +- helpers/azure/api.js | 5 ++ helpers/azure/locations.js | 3 +- .../mediaServices/amsPublicAccessDisabled.js | 50 +++++++++++ .../amsPublicAccessDisabled.spec.js | 85 +++++++++++++++++++ 5 files changed, 145 insertions(+), 2 deletions(-) create mode 100644 plugins/azure/mediaServices/amsPublicAccessDisabled.js create mode 100644 plugins/azure/mediaServices/amsPublicAccessDisabled.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..367354a63a 100644 --- a/exports.js +++ b/exports.js @@ -989,7 +989,9 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + + 'amsPublicAccessDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsPublicAccessDisabled.js') }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), 
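Review bot: Neither fixture covers a diagnostic setting whose `logs` array is populated but has every category `enabled: false`; `diagnosticSettings[0]` mixes an `enabled: false` and an `enabled: true` entry, so the suite cannot distinguish 'logs configured' from 'logs actually enabled' and would not catch a plugin that passes on `logs.length` alone. Add a third fixture with a single entry such as `{ category: null, categoryGroup: 'allLogs', enabled: false, retentionPolicy: { enabled: false, days: 0 } }` and a test asserting status 2 for it. `createCache([mediaServices[0]], null)` also reaches the unknown branch only through `data: null`; a variant with `err` set would exercise the error-message concatenation in the plugin as well.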
diff --git a/helpers/azure/api.js b/helpers/azure/api.js
index 0c44596e9d..e92dc26903 100644
--- a/helpers/azure/api.js
+++ b/helpers/azure/api.js
@@ -465,6 +465,11 @@ var calls = {
 url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01'
 }
 },
+ mediaServices:{
+ listAll: {
+ url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Media/mediaservices?api-version=2023-01-01'
+ }
+ },
 // For CIEM
 groups: {
 list: {
diff --git a/helpers/azure/locations.js b/helpers/azure/locations.js
index 46dd902f36..0b182e74e1 100644
--- a/helpers/azure/locations.js
+++ b/helpers/azure/locations.js
@@ -118,5 +118,6 @@ module.exports = {
 bastionHosts: locations,
 applications: ['global'],
 eventGrid: locations,
- eventHub: locations
+ eventHub: locations,
+ mediaServices: locations,
 };
diff --git a/plugins/azure/mediaServices/amsPublicAccessDisabled.js b/plugins/azure/mediaServices/amsPublicAccessDisabled.js
new file mode 100644
index 0000000000..03e39a7f20
--- /dev/null
+++ b/plugins/azure/mediaServices/amsPublicAccessDisabled.js
@@ -0,0 +1,50 @@
+var async = require('async');
+var helpers = require('../../../helpers/azure');
+
+module.exports = {
+ title: 'Azure Media Services Public Access Disabled',
+ category: 'Media Services',
+ domain: 'Network Access Control',
+ description: 'Ensure that Microsoft Azure Media Services have public access disabled.',
+ more_info: 'Diagnostic logs provide valuable insights into the operation and health of Media Services. By enabling diagnostic logs, you can gather diagnostic data that could be useful to create notification alerts.',
+ link: 'https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/media-services-security-baseline',
+ recommended_action: 'Modify the media service network settings and enable private access.',
+ apis: ['mediaServices:listAll'],
+
+ run: function(cache, settings, callback) {
+ var results = [];
+ var source = {};
+ var locations = helpers.locations(settings.govcloud);
+
+ async.each(locations.mediaServices, function(location, rcb){
+ var mediaServices = helpers.addSource(cache, source,
+ ['mediaServices', 'listAll', location]);
+
+ if (!mediaServices) return rcb();
+
+ if (mediaServices.err || !mediaServices.data) {
+ helpers.addResult(results, 3, 'Unable to query for Media Services: ' + helpers.addError(mediaServices), location);
+ return rcb();
+ }
+
+ if (!mediaServices.data.length) {
+ helpers.addResult(results, 0, 'No existing Media Services found', location);
+ return rcb();
+ }
+
+ for (let mediaService of mediaServices.data) {
+ if (!mediaService.id) continue;
+
+ if (mediaService.publicNetworkAccess && mediaService.publicNetworkAccess.toLowerCase() === 'disabled') {
+ helpers.addResult(results, 0, 'Media Service has public access disabled', location, mediaService.id);
+ } else {
+ helpers.addResult(results, 2, 'Media Service does not have public access disabled', location, mediaService.id);
+ }
+ }
+
+ rcb();
+ }, function(){
+ callback(null, results, source);
+ });
+ }
+};
\ No newline at end of file
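Review bot: The `more_info` text in the plugin metadata describes diagnostic logs, not public network access, so it looks copied from the diagnostic-logs plugin and will be shown to users as the rationale for this check. Replace it with a sentence that matches the control, e.g. `more_info: 'Disabling public network access on a Media Services account restricts it to private endpoints, preventing exposure of the account to the public internet.',`. The check itself treats a missing `publicNetworkAccess` property as failing, which is the conservative choice; a one-line comment above that `if` saying so (`// absent property is reported as public access not disabled`) would make the intent explicit for maintainers.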
diff --git a/plugins/azure/mediaServices/amsPublicAccessDisabled.spec.js b/plugins/azure/mediaServices/amsPublicAccessDisabled.spec.js new file mode 100644 index 0000000000..1ab8bd415d --- /dev/null +++ b/plugins/azure/mediaServices/amsPublicAccessDisabled.spec.js 
@@ -0,0 +1,85 @@ +var expect = require('chai').expect; +var amsPublicAccessDisabled = require('./amsPublicAccessDisabled'); + +const mediaServices = [ + { + "name": 'test', + "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Media/mediaservices/test', + "type": 'Microsoft.Media/mediaservices', + "location": 'eastus', + "publicNetworkAccess": 'Enabled', + "provisioningState": 'Succeeded', + "privateEndpointConnections": [], + "minimumTlsVersion": 'Tls12' + }, + { + "name": 'test', + "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Media/mediaservices/test', + "type": 'Microsoft.Media/mediaservices', + "location": 'eastus', + "publicNetworkAccess": 'Disabled', + "provisioningState": 'Succeeded', + "privateEndpointConnections": [], + "minimumTlsVersion": 'Tls12' + } +]; + +const createCache = (ams, ds) => { + return { + mediaServices: { + listAll: { + 'eastus': { + data: ams + } + } + } + }; +}; + +describe('amsPublicAccessDisabled', function() { + describe('run', function() { + it('should give passing result if no media services found', function(done) { + const cache = createCache([]); + amsPublicAccessDisabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Media Services found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for media services', function(done) { + const cache = createCache(null); + amsPublicAccessDisabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Media Services:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if public access disabled', function(done) { + const cache = createCache([mediaServices[1]]); + 
amsPublicAccessDisabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Media Service has public access disabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if public access enabled', function(done) { + const cache = createCache([mediaServices[0]]); + amsPublicAccessDisabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Media Service does not have public access disabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file From d406cbbc2de9a8c00769c1f42aee42fc634b54e8 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Sat, 25 Nov 2023 14:14:15 +0500 Subject: [PATCH 058/498] console statement removed --- plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js | 1 - 1 file changed, 1 deletion(-) diff --git a/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js b/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js index a7bd95a55f..f2b9fb1d9c 100644 --- a/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js +++ b/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js @@ -43,7 +43,6 @@ module.exports = { location, mediaService.id); continue; } - console.log(diagnosticSettings.data[0].logs) var found = diagnosticSettings.data.find(ds => ds.logs && ds.logs.length); if (found) { From ded1d3c92522d68595a2b32173cff4f6000d6a9e Mon Sep 17 00:00:00 2001 
From: abdullahaslam306 Date: Sat, 25 Nov 2023 16:19:12 +0500 Subject: [PATCH 059/498] ams classic v2 api disabled --- exports.js | 4 +- helpers/azure/api.js | 15 +++ helpers/azure/locations.js | 3 +- .../mediaServices/amsClassicApiDisabled.js | 59 +++++++++ .../amsClassicApiDisabled.spec.js | 120 ++++++++++++++++++ 5 files changed, 199 insertions(+), 2 deletions(-) create mode 100644 plugins/azure/mediaServices/amsClassicApiDisabled.js create mode 100644 plugins/azure/mediaServices/amsClassicApiDisabled.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..0d2e5ac306 100644 --- a/exports.js +++ b/exports.js @@ -989,7 +989,9 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + + 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js') }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 0c44596e9d..a01001ea6e 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -456,6 +456,12 @@ var calls = { url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.EventHub/namespaces?api-version=2022-10-01-preview' } }, + mediaServices:{ + listAll: { + url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Media/mediaservices?api-version=2023-01-01' + } + + }, // For CIEM aad: { listRoleAssignments: { 
@@ -465,6 +471,7 @@ var calls = { url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01' } }, + // For CIEM groups: { list: { @@ -910,6 +917,13 @@ var postcalls = { properties: ['id'], url: 'https://management.azure.com/{id}/configurations?api-version=2017-12-01' } + }, + mediaServices: { + get: { + reliesOnPath: 'mediaServices.listAll', + properties: ['id'], + url: 'https://management.azure.com/{id}?api-version=2023-01-01' + } } }; @@ -974,6 +988,7 @@ var tertiarycalls = { vault: true } } + }; var specialcalls = { diff --git a/helpers/azure/locations.js b/helpers/azure/locations.js index 46dd902f36..b4a9b1a8a7 100644 --- a/helpers/azure/locations.js +++ b/helpers/azure/locations.js @@ -118,5 +118,6 @@ module.exports = { bastionHosts: locations, applications: ['global'], eventGrid: locations, - eventHub: locations + eventHub: locations, + mediaServices: locations }; diff --git a/plugins/azure/mediaServices/amsClassicApiDisabled.js b/plugins/azure/mediaServices/amsClassicApiDisabled.js new file mode 100644 index 0000000000..3966348a3a --- /dev/null +++ b/plugins/azure/mediaServices/amsClassicApiDisabled.js 
@@ -0,0 +1,59 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Azure Media Services Classic API Disabled', + category: 'Media Services', + domain: 'Media Service Configuration', + description: 'Ensure that Microsoft Azure Media Services do not have the Classic API enabled.', + more_info: 'Disabling the Classic API for Azure Media Services is recommended to utilize modern APIs and features. Enabling classic features can enable the use of classic V2 APIs but might disable advanced security features like managed identities.', + link: 'https://learn.microsoft.com/en-us/azure/media-services/latest/migrate-v-2-v-3-differences-api-access', + recommended_action: 'Remove Azure Media Services accounts with Classic API enabled and create new accounts without enabling the Classic API.', + apis: ['mediaServices:listAll', 'mediaServices:get'], + + run: function(cache, settings, callback) { + var results = []; + var source = {}; + var locations = helpers.locations(settings.govcloud); + + async.each(locations.mediaServices, function(location, rcb){ + var mediaServices = helpers.addSource(cache, source, + ['mediaServices', 'listAll', location]); + + if (!mediaServices) return rcb(); + + if (mediaServices.err || !mediaServices.data) { + helpers.addResult(results, 3, 'Unable to query for Media Services: ' + helpers.addError(mediaServices), location); + return rcb(); + } + + if (!mediaServices.data.length) { + helpers.addResult(results, 0, 'No existing Media Services found', location); + return rcb(); + } + + for (let mediaService of mediaServices.data) { + if (!mediaService.id) continue; + + var getMediaService = helpers.addSource(cache, source, + ['mediaServices', 'get', location, mediaService.id]); + + if (!getMediaService || getMediaService.err || !getMediaService.data) { + helpers.addResult(results, 3, `Unable to query for Media Service: ${helpers.addError(getMediaService)}`, + location, mediaService.id); + 
continue; + } + + if (getMediaService.data.identity) { + helpers.addResult(results, 0, 'Classic API is disabled for the Media Service account', location, mediaService.id); + } else { + helpers.addResult(results, 2, 'Classic API is enabled for the Media Service account', location, mediaService.id); + } + } + + rcb(); + }, function(){ + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/mediaServices/amsClassicApiDisabled.spec.js b/plugins/azure/mediaServices/amsClassicApiDisabled.spec.js new file mode 100644 index 0000000000..d2a9b95c91 --- /dev/null +++ b/plugins/azure/mediaServices/amsClassicApiDisabled.spec.js 
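Review bot: The pass/fail decision is made on the presence of `getMediaService.data.identity`, which is only a proxy for the Classic API state: the plugin's own `more_info` says enabling classic features "might disable" managed identities, and the converse does not hold, so an account with the Classic API disabled but no managed identity assigned is reported as failing. If the resource representation carries no explicit classic-API flag this proxy may be the best available, but it should be documented in place, e.g. `// identity can only be assigned when the Classic (v2) API is disabled; its absence is treated as classic enabled — confirm no explicit flag exists`. Separately, `mediaServices:get` requests the same resource at the same api-version (2023-01-01) as `listAll`; if the list response already includes `identity`, the extra per-account call in the loop is redundant and could be dropped along with the postcall added to helpers/azure/api.js.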
@@ -0,0 +1,120 @@ +var expect = require('chai').expect; +var amsClassicApiDisabled = require('./amsClassicApiDisabled'); + +const mediaServices = [ + { + "name": 'test', + "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Media/mediaservices/test', + "type": 'Microsoft.Media/mediaservices', + "location": 'eastus', + "publicNetworkAccess": 'Enabled', + "provisioningState": 'Succeeded', + "privateEndpointConnections": [], + "minimumTlsVersion": 'Tls12' + } +]; + +const getMediaService = [ + { + "name": 'test', + "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Media/mediaservices/test', + "type": 'Microsoft.Media/mediaservices', + "location": 'eastus', + "publicNetworkAccess": 'Enabled', + "provisioningState": 'Succeeded', + "privateEndpointConnections": [], + "minimumTlsVersion": 'Tls12' + }, + { + "name": 'test', + "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Media/mediaservices/test', + "type": 'Microsoft.Media/mediaservices', + "location": 'eastus', + "publicNetworkAccess": 'Enabled', + "provisioningState": 'Succeeded', + "privateEndpointConnections": [], + "minimumTlsVersion": 'Tls12', + "identity": { + "type": "UserAssigned", + } + } +]; + +const createCache = (ams, ds) => { + const id = (ams && ams.length) ? 
ams[0].id : null; + return { + mediaServices: { + listAll: { + 'eastus': { + data: ams + } + }, + get: { + 'eastus': { + [id]: { + data: ds + } + } + } + }, + }; +}; + +describe('amsClassicApiDisabled', function() { + describe('run', function() { + it('should give passing result if no media services found', function(done) { + const cache = createCache([], null); + amsClassicApiDisabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Media Services found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for media services', function(done) { + const cache = createCache(null, null); + amsClassicApiDisabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Media Services:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to get media service', function(done) { + const cache = createCache([mediaServices[0]], null); + amsClassicApiDisabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Media Service'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if classic API is not enabled', function(done) { + const cache = createCache([mediaServices[0]], getMediaService[1]); + amsClassicApiDisabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Classic API is disabled for the Media Service account'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if 
classic API enabled', function(done) { + const cache = createCache([mediaServices[0]], getMediaService[0]); + amsClassicApiDisabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Classic API is enabled for the Media Service account'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file From 7eb6bf6ca8aa6d691cef8d99b520fa96baf09c47 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Sat, 25 Nov 2023 16:48:38 +0500 Subject: [PATCH 060/498] storage account managed identity enabled --- exports.js | 4 +- helpers/azure/api.js | 5 ++ helpers/azure/locations.js | 3 +- .../amsStorageAccountIdentityEnabled.js | 50 +++++++++++ .../amsStorageAccountIdentityEnabled.spec.js | 87 +++++++++++++++++++ 5 files changed, 147 insertions(+), 2 deletions(-) create mode 100644 plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js create mode 100644 plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..a7a309ac42 100644 --- a/exports.js +++ b/exports.js @@ -989,7 +989,9 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + + 'amsStorageAccountIdentityEnabled': require(__dirname + '/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js') }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 0c44596e9d..e92dc26903 100644 
--- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -465,6 +465,11 @@ var calls = { url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01' } }, + mediaServices:{ + listAll: { + url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Media/mediaservices?api-version=2023-01-01' + } + }, // For CIEM groups: { list: { diff --git a/helpers/azure/locations.js b/helpers/azure/locations.js index 46dd902f36..0b182e74e1 100644 --- a/helpers/azure/locations.js +++ b/helpers/azure/locations.js @@ -118,5 +118,6 @@ module.exports = { bastionHosts: locations, applications: ['global'], eventGrid: locations, - eventHub: locations + eventHub: locations, + mediaServices: locations, }; diff --git a/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js b/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js new file mode 100644 index 0000000000..e050e7af13 --- /dev/null +++ b/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js 
@@ -0,0 +1,50 @@
+var async = require('async');
+var helpers = require('../../../helpers/azure');
+
+module.exports = {
+ title: 'Azure Media Services Managed Identity for Storage Account Authentication',
+ category: 'Media Services',
+ domain: 'Identity and Access Management',
+ description: 'Ensure that Azure Media Services have managed identity enabled for Storage Account authentication.',
+ more_info: 'Enabling managed identity for storage authentication allows secure access to Azure Storage without explicit credentials, enhancing security and simplifying access management for Azure Media Services.',
+ link: 'https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview',
+ recommended_action: 'Modify the media service\'s storage account settings and enable diagnostic logs.',
+ apis: ['mediaServices:listAll'],
+
+ run: function(cache, settings, callback) {
+ var results = [];
+ var source = {};
+ var locations = helpers.locations(settings.govcloud);
+
+ async.each(locations.mediaServices, function(location, rcb){
+ var mediaServices = helpers.addSource(cache, source,
+ ['mediaServices', 'listAll', location]);
+
+ if (!mediaServices) return rcb();
+
+ if (mediaServices.err || !mediaServices.data) {
+ helpers.addResult(results, 3, 'Unable to query for Media Services: ' + helpers.addError(mediaServices), location);
+ return rcb();
+ }
+
+ if (!mediaServices.data.length) {
+ helpers.addResult(results, 0, 'No existing Media Services found', location);
+ return rcb();
+ }
+
+ for (let mediaService of mediaServices.data) {
+ if (!mediaService.id) continue;
+
+ if (mediaService.storageAuthentication && mediaService.storageAuthentication.toLowerCase() === 'managedidentity') {
+ helpers.addResult(results, 0, 'Managed Identity is enabled for Azure Media Service storage authentication', location, mediaService.id);
+ } else {
+ helpers.addResult(results, 2, 'Managed Identity is not enabled for Azure Media Service storage authentication',
location, mediaService.id); + } + } + + rcb(); + }, function(){ + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.spec.js b/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.spec.js new file mode 100644 index 0000000000..0312127799 --- /dev/null +++ b/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.spec.js 
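Review bot: The `recommended_action` string tells the user to "enable diagnostic logs", which is unrelated to this control and appears to be copied from another plugin; the remediation shown in reports should match the check, e.g. `recommended_action: 'Modify the media service\'s storage account settings and enable managed identity for storage authentication.',`. The comparison against `'managedidentity'` after `toLowerCase()` is consistent with the spec fixture values (`"ManagedIdentity"` and `"system"`), so the logic itself reads fine.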
@@ -0,0 +1,87 @@ +var expect = require('chai').expect; +var amsStorageAccountIdentityEnabled = require('./amsStorageAccountIdentityEnabled'); + +const mediaServices = [ + { + "name": 'test', + "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Media/mediaservices/test', + "type": 'Microsoft.Media/mediaservices', + "location": 'eastus', + "publicNetworkAccess": 'Enabled', + "provisioningState": 'Succeeded', + "privateEndpointConnections": [], + "minimumTlsVersion": 'Tls12', + "storageAuthentication": "system" + }, + { + "name": 'test', + "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Media/mediaservices/test', + "type": 'Microsoft.Media/mediaservices', + "location": 'eastus', + "publicNetworkAccess": 'Disabled', + "provisioningState": 'Succeeded', + "privateEndpointConnections": [], + "minimumTlsVersion": 'Tls12', + "storageAuthentication": "ManagedIdentity" + } +]; + +const createCache = (ams, ds) => { + return { + mediaServices: { + listAll: { + 'eastus': { + data: ams + } + } + } + }; +}; + +describe('amsStorageAccountIdentityEnabled', function() { + describe('run', function() { + it('should give passing result if no media services found', function(done) { + const cache = createCache([]); + amsStorageAccountIdentityEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Media Services found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for media services', function(done) { + const cache = createCache(null); + amsStorageAccountIdentityEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Media Services:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + 
it('should give passing result if storage account managed identity enabled for authentication', function(done) { + const cache = createCache([mediaServices[1]]); + amsStorageAccountIdentityEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Managed Identity is enabled for Azure Media Service storage authentication'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if system authentication enabled', function(done) { + const cache = createCache([mediaServices[0]]); + amsStorageAccountIdentityEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Managed Identity is not enabled for Azure Media Service storage authentication'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file From e8a29ce70ca6a79a5c91f4aea2e73e9b2c8a5b1f Mon Sep 17 00:00:00 2001 From: mehakseedat63 Date: Mon, 27 Nov 2023 01:30:49 +0500 Subject: [PATCH 061/498] Azure - Redis Cache Private Endpoint Enabled Plugin --- exports.js | 1 + .../redisCache/redisCachePrivateEndpoint.js | 49 ++++++++++ .../redisCachePrivateEndpoint.spec.js | 92 +++++++++++++++++++ 3 files changed, 142 insertions(+) create mode 100644 plugins/azure/redisCache/redisCachePrivateEndpoint.js create mode 100644 plugins/azure/redisCache/redisCachePrivateEndpoint.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..abdd79c8ec 100644 --- a/exports.js +++ b/exports.js 
@@ -692,6 +692,7 @@ module.exports = { 'minimumTlsVersion' : require(__dirname + '/plugins/azure/redisCache/minimumTlsVersion.js'), 'sslAccessOnlyEnabled' : require(__dirname + '/plugins/azure/redisCache/sslAccessOnlyEnabled.js'), 'redisCacheHasTags' : require(__dirname + '/plugins/azure/redisCache/redisCacheHasTags.js'), + 'redisCachePrivateEndpoint' : require(__dirname + '/plugins/azure/redisCache/redisCachePrivateEndpoint.js'), 'multipleSubnets' : require(__dirname + '/plugins/azure/virtualnetworks/multipleSubnets.js'), 'ddosStandardProtectionEnabled' : require(__dirname + '/plugins/azure/virtualnetworks/ddosStandardProtectionEnabled.js'), diff --git a/plugins/azure/redisCache/redisCachePrivateEndpoint.js b/plugins/azure/redisCache/redisCachePrivateEndpoint.js new file mode 100644 index 0000000000..12a67e4b02 --- /dev/null +++ b/plugins/azure/redisCache/redisCachePrivateEndpoint.js 
@@ -0,0 +1,49 @@
+var async = require('async');
+var helpers = require('../../../helpers/azure');
+
+module.exports = {
+ title: 'Redis Cache Private Endpoint',
+ category: 'Redis Cache',
+ domain: 'Databases',
+ description: 'Ensures that Azure Cache for Redis is only accessible through private endpoints.',
+ more_info: 'Enabling a private endpoint for Azure Cache for Redis enhances security by isolating the cache from the public internet and providing controlled access within a private network.',
+ recommended_action: 'Ensure that Azure Cache for Redis has public network access disabled.',
+ link: 'https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-network-isolation#azure-private-link-recommended',
+ apis: ['redisCaches:listBySubscription'],
+
+ run: function(cache, settings, callback) {
+ const results = [];
+ const source = {};
+ const locations = helpers.locations(settings.govcloud);
+
+ async.each(locations.redisCaches, function(location, rcb) {
+ const caches = helpers.addSource(cache, source,
+ ['redisCaches', 'listBySubscription', location]);
+
+ if (!caches) return rcb();
+
+ if (caches.err || !caches.data) {
+ helpers.addResult(results, 3, 'Unable to query Redis Caches: ' + helpers.addError(caches), location);
+ return rcb();
+ }
+
+ if (!caches.data.length) {
+ helpers.addResult(results, 0, 'No Redis Caches found', location);
+ return rcb();
+ }
+
+ for (let cache of caches.data) {
+ if (cache.publicNetworkAccess && cache.publicNetworkAccess.toLowerCase() === 'enabled') {
+ helpers.addResult(results, 2, 'Redis Cache is publicly accessible', location, cache.id);
+ } else {
+ helpers.addResult(results, 0, 'Redis Cache is only accessible through private endpoints', location, cache.id);
+ }
+ }
+
+ rcb();
+ }, function() {
+ // Global checking goes here
+ callback(null, results, source);
+ });
+ }
+};
\ No newline at end of file
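Review bot: The loop variable in `for (let cache of caches.data)` shadows the `cache` parameter of `run`, so inside the loop the collector cache is unreachable and a later edit that needs it would silently read the Redis resource instead; rename it, e.g. `for (let redisCache of caches.data) {` with the two `addResult` calls using `redisCache.id`. The check also passes any cache whose `publicNetworkAccess` property is absent or not `'enabled'`, which inverts the posture taken by the sibling Media Services plugins in this series (absent property fails there); if the service treats an unset value as public, this is a silent pass, so either fail on absence or document the assumption above the `if`. The sibling plugins also skip entries without `id` (`if (!cache.id) continue;`), which this loop omits.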
diff --git a/plugins/azure/redisCache/redisCachePrivateEndpoint.spec.js b/plugins/azure/redisCache/redisCachePrivateEndpoint.spec.js new file mode 100644 index 0000000000..9d82e13c35 --- /dev/null +++ b/plugins/azure/redisCache/redisCachePrivateEndpoint.spec.js 
@@ -0,0 +1,92 @@ +var expect = require('chai').expect; +var plugin = require('./redisCachePrivateEndpoint'); + +const redisCaches = [ + { + 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Cache/Redis/test-cache', + 'location': 'East US', + 'name': 'test-cache', + 'type': 'Microsoft.Cache/Redis', + 'publicNetworkAccess': 'Disabled', + }, + { + 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Cache/Redis/test-cache', + 'location': 'East US', + 'name': 'test-cache', + 'type': 'Microsoft.Cache/Redis', + 'publicNetworkAccess': 'Enabled', + }, + +]; + +const createCache = (redisCaches) => { + let caches = {}; + if (redisCaches) { + caches['data'] = redisCaches; + } + return { + redisCaches: { + listBySubscription: { + 'eastus': caches + } + }, + }; +}; + +describe('redisCachePrivateEndpoint', function() { + describe('run', function() { + it('should give passing result if there are no redis caches', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No Redis Caches found'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache([]); + + plugin.run(cache, {}, callback); + }); + it('should give unknown result if unable to query for redis caches', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Redis Caches'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache(null); + + plugin.run(cache, {}, callback); + }); + it('should give passing result if redis cache is only accessible through private endpoint', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + 
expect(results[0].message).to.include('Redis Cache is only accessible through private endpoints'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache([redisCaches[0]]); + + plugin.run(cache, {}, callback); + }); + + it('should give passing result if redis cache is publicly accessible', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Redis Cache is publicly accessible'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache([redisCaches[1]]); + + plugin.run(cache, {}, callback); + }); + }) +}) \ No newline at end of file From 3686e9032ed1d77538ea6305e869ee3f6cd521ea Mon Sep 17 00:00:00 2001 From: mehakseedat63 Date: Mon, 27 Nov 2023 14:02:16 +0500 Subject: [PATCH 062/498] Azure - Service Bus Namespace TLS Version Plugin --- exports.js | 4 +- helpers/azure/api.js | 7 ++ helpers/azure/locations.js | 3 +- .../azure/servicebus/namespaceTlsVersion.js | 50 ++++++++++ .../servicebus/namespaceTlsVersion.spec.js | 92 +++++++++++++++++++ 5 files changed, 154 insertions(+), 2 deletions(-) create mode 100644 plugins/azure/servicebus/namespaceTlsVersion.js create mode 100644 plugins/azure/servicebus/namespaceTlsVersion.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..2781d110ea 100644 --- a/exports.js +++ b/exports.js 
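Review bot: The last test case is titled "should give passing result if redis cache is publicly accessible" but asserts `status` equal to 2, i.e. a failing result; the title should read `it('should give failing result if redis cache is publicly accessible', function(done) {` so the spec output is not misleading. The closing `})` lines of the two `describe` blocks also lack the terminating semicolons the other spec files in this series use.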
@@ -989,7 +989,9 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + + 'namespaceLocalAuth' : require(__dirname + '/plugins/azure/servicebus/namespaceLocalAuth.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 0c44596e9d..fb35e80056 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -456,6 +456,11 @@ var calls = { url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.EventHub/namespaces?api-version=2022-10-01-preview' } }, + serviceBus: { + listNamespacesBySubscription: { + url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.ServiceBus/namespaces?api-version=2022-10-01-preview' + } + }, // For CIEM aad: { listRoleAssignments: { @@ -479,6 +484,8 @@ var calls = { graph: true } } + + }; var postcalls = { diff --git a/helpers/azure/locations.js b/helpers/azure/locations.js index 46dd902f36..b354ef2f24 100644 --- a/helpers/azure/locations.js +++ b/helpers/azure/locations.js @@ -118,5 +118,6 @@ module.exports = { bastionHosts: locations, applications: ['global'], eventGrid: locations, - eventHub: locations + eventHub: locations, + serviceBus: locations }; diff --git a/plugins/azure/servicebus/namespaceTlsVersion.js b/plugins/azure/servicebus/namespaceTlsVersion.js new file mode 100644 index 0000000000..5209dcd253 --- /dev/null +++ b/plugins/azure/servicebus/namespaceTlsVersion.js 
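Review bot: The new exports.js entry registers `'namespaceLocalAuth'` and requires `/plugins/azure/servicebus/namespaceLocalAuth.js`, but this commit only creates `plugins/azure/servicebus/namespaceTlsVersion.js` (see the diffstat), so loading exports.js will fail with a module-not-found error unless that file exists elsewhere. The entry should point at the plugin actually added: `'namespaceTlsVersion' : require(__dirname + '/plugins/azure/servicebus/namespaceTlsVersion.js'),`. The helpers/azure/api.js hunk in the same commit also adds two stray blank lines before the closing `};` of `calls`, which is whitespace only.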
@@ -0,0 +1,50 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Namespace Minimum TLS Version', + category: 'Service Bus', + domain: 'Application Integration', + description: 'Ensures that Azure Sevice Bus namespace is using the latest TLS version.', + more_info: 'TLS versions 1.0 and 1.1 are known to be susceptible to attacks, and to have other Common Vulnerabilities and Exposures (CVE) weaknesses. So there\'s an industry-wide push toward the exclusive use of Transport Layer Security(TLS) version 1.2 or later.', + recommended_action: 'Ensure that Azure Srvice Bus namespaces are using the latest TLS version', + link: 'https://learn.microsoft.com/en-us/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version', + apis: ['serviceBus:listNamespacesBySubscription'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.serviceBus, function(location, rcb) { + const namespaces = helpers.addSource(cache, source, + ['serviceBus', 'listNamespacesBySubscription', location]); + + if (!namespaces) return rcb(); + + + if (namespaces.err || !namespaces.data) { + helpers.addResult(results, 3, 'Unable to query Service Bus namespaces: ' + helpers.addError(namespaces), location); + return rcb(); + } + + if (!namespaces.data.length) { + helpers.addResult(results, 0, 'No Service Bus namespaces found', location); + return rcb(); + } + + for (let namespace of namespaces.data) { + if (namespace.minimumTlsVersion && (parseFloat(namespace.minimumTlsVersion) >= 1.2)) { + helpers.addResult(results, 0, 'Service Bus namespace is using the latest TLS Version', location, namespace.id); + } else { + helpers.addResult(results, 2, 'Service Bus namespace is not using the latest TLS Version', location, namespace.id); + } + } + + rcb(); + }, function() { + // Global checking goes here + callback(null, 
results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/servicebus/namespaceTlsVersion.spec.js b/plugins/azure/servicebus/namespaceTlsVersion.spec.js new file mode 100644 index 0000000000..43ca872ba7 --- /dev/null +++ b/plugins/azure/servicebus/namespaceTlsVersion.spec.js 
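Review bot: The failing result does not surface the configured value, so an operator reading a finding cannot tell whether the namespace is on 1.0, 1.1, or has no `minimumTlsVersion` at all; consider `helpers.addResult(results, 2, 'Service Bus namespace is not using the latest TLS Version (minimumTlsVersion: ' + (namespace.minimumTlsVersion || 'not set') + ')', location, namespace.id);`, which keeps the spec's `include` assertions valid. Treating an absent property as failing is fail-closed, which suits a compliance check, but it is worth confirming the API always returns `minimumTlsVersion` rather than omitting it when the namespace is at the default. The `// Global checking goes here` placeholder before `callback` is a leftover with nothing following it; the same placeholder appears in `namespaceLocalAuth.js` (PATCH 067) — remove it in both.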
@@ -0,0 +1,92 @@ +var expect = require('chai').expect; +var namespaceTlsVersion = require('./namespaceTlsVersion.js'); + +const namespaces = [ + { + id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test', + name: 'test', + type: 'Microsoft.ServiceBus/Namespaces', + location: 'East US', + publicNetworkAccess: 'Enabled', + disableLocalAuth: false, + provisioningState: 'Succeeded', + status: 'Active', + minimumTlsVersion: '1.1' + }, + { + id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test', + name: 'test2', + type: 'Microsoft.ServiceBus/Namespaces', + location: 'East US', + publicNetworkAccess: 'Enabled', + disableLocalAuth: true, + provisioningState: 'Succeeded', + status: 'Active', + minimumTlsVersion: '1.2' + }, +]; + + +const createCache = (namespaces, err) => { + + return { + serviceBus: { + listNamespacesBySubscription: { + 'eastus': { + data: namespaces, + err: err + } + } + } + }; +}; + +describe('namespaceTlsVersion', function () { + describe('run', function () { + + it('should give a passing result if no Service Bus namespaces are found', function (done) { + const cache = createCache([], null); + namespaceTlsVersion.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No Service Bus namespaces found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for Service Bus namespaces', function (done) { + const cache = createCache(null, ['error']); + namespaceTlsVersion.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Service Bus namespaces'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + + it('should give passing result if namespace is using the latest tls version', function (done) { + const cache 
= createCache([namespaces[1]], null); + namespaceTlsVersion.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Service Bus namespace is using the latest TLS Version'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if namespace is not using the latest tls version', function (done) { + const cache = createCache([namespaces[0]], null); + namespaceTlsVersion.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Service Bus namespace is not using the latest TLS Version'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file From aa1691b5543ef2bfe333c3de3838fe4610fe9571 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Mon, 27 Nov 2023 15:34:30 +0500 Subject: [PATCH 063/498] SAAS-20313/Front-Door-Waf-Default-Rate-limit --- exports.js | 4 +- .../frontdoor/frontDoorWafDefaultRateLimit.js | 52 ++++++ .../frontDoorWafDefaultRateLimit.spec.js | 175 ++++++++++++++++++ 3 files changed, 230 insertions(+), 1 deletion(-) create mode 100644 plugins/azure/frontdoor/frontDoorWafDefaultRateLimit.js create mode 100644 plugins/azure/frontdoor/frontDoorWafDefaultRateLimit.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..fdbc4e06e9 100644 --- a/exports.js +++ b/exports.js 
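Review bot: No fixture exercises a namespace with `minimumTlsVersion` missing or set to `'1.0'`, so the branch the plugin takes for an absent property (fail) is untested; add a third fixture without the property and assert `status` 2. Both fixtures also share the same `id` (`.../namespaces/test`) while having different `name`s, which would hide a future bug in per-resource result attribution — give the second one its own id.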
@@ -989,7 +989,9 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + 'frontDoorWafDefaultRateLimit' : require(__dirname + '/plugins/azure/frontdoor/frontDoorWafDefaultRateLimit.js'), + }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/plugins/azure/frontdoor/frontDoorWafDefaultRateLimit.js b/plugins/azure/frontdoor/frontDoorWafDefaultRateLimit.js new file mode 100644 index 0000000000..cf0937f92f --- /dev/null +++ b/plugins/azure/frontdoor/frontDoorWafDefaultRateLimit.js 
@@ -0,0 +1,52 @@ +const async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Front Door WAF Rate limit', + category: 'Front Door', + domain: 'Content Delivery', + description: 'Ensures that Front Door WAF policy has rate limit custom rule configured.', + more_info: 'Rate limiting enables you to detect and block abnormally high levels of traffic from any socket IP address. By using Azure Web Application Firewall in Azure Front Door, you can mitigate some types of denial-of-service attacks.', + recommended_action: 'Ensures that Front Door WAF policy has default rate limit custom rule configured.', + link: 'https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-rate-limit', + apis: ['afdWafPolicies:listAll'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.afdWafPolicies, (location, rcb) => { + + var afdWafPolicies = helpers.addSource(cache, source, + ['afdWafPolicies', 'listAll', location]); + + if (!afdWafPolicies) return rcb(); + + if (afdWafPolicies.err || !afdWafPolicies.data) { + helpers.addResult(results, 3, 'Unable to query for Front Door WAF policies: ' + helpers.addError(afdWafPolicies), location); + return rcb(); + } + if (!afdWafPolicies.data.length) { + helpers.addResult(results, 0, 'No existing Front Door WAF policies found', location); + return rcb(); + } + + for (let policy of afdWafPolicies.data) { + if (!policy.id) continue; + var found = policy.customRules && policy.customRules.rules? 
+ policy.customRules.rules.find(rule => rule.ruleType.toLowerCase() == 'ratelimitrule' && rule.action.toLowerCase() == 'block') : 'false' + + if (found) { + helpers.addResult(results, 0, 'Front Door profile WAF policy has rate limit custom rule configured', location, policy.id); + } else { + helpers.addResult(results, 2, 'Front Door profile WAF policy does not have rate limit custom rule configured', location, policy.id); + } + } + + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/frontdoor/frontDoorWafDefaultRateLimit.spec.js b/plugins/azure/frontdoor/frontDoorWafDefaultRateLimit.spec.js new file mode 100644 index 0000000000..f357affd2f --- /dev/null +++ b/plugins/azure/frontdoor/frontDoorWafDefaultRateLimit.spec.js 
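Review bot: A policy with no `customRules` (or no `rules`) is reported as passing: the ternary's else branch yields the string `'false'`, which is truthy, so `if (found)` takes the pass path and the very case this check exists for — no rate-limit rule at all — produces status 0; replace `'false'` with `false`. Inside the `find` callback, `rule.ruleType.toLowerCase()` and `rule.action.toLowerCase()` throw a TypeError on a rule lacking either field, which aborts the whole plugin run instead of marking that policy; guard with `rule.ruleType && rule.ruleType.toLowerCase() === 'ratelimitrule' && rule.action && rule.action.toLowerCase() === 'block'`. The predicate also ignores `enabledState`, so a disabled rate-limit rule passes; the spec fixture shows the field, so `&& rule.enabledState === 'Enabled'` can be added to the predicate.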
@@ -0,0 +1,175 @@ +var expect = require('chai').expect; +var frontDoorWafDefaultRateLimit = require('./frontDoorWafDefaultRateLimit.js'); + +const afdWafPolicies = [ + { + "id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2", + "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies", + "name": "testpolicy2", + "sku": { + "name": "Premium_AzureFrontDoor" + }, + "customRules": { + "rules": [ + { + "name": "testcustomrule", + "enabledState": "Enabled", + "priority": 1, + "ruleType": "RateLimitRule", + "rateLimitDurationInMinutes": 0, + "rateLimitThreshold": 0, + "matchConditions": [ + { + "matchVariable": "SocketAddr", + "selector": null, + "operator": "GeoMatch", + "negateCondition": false, + "matchValue": [ + "PK" + ], + "transforms": [] + } + ], + "action": "Block" + } + ] + } + }, + { + "id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2", + "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies", + "name": "testpolicy1", + "sku": { + "name": "Premium_AzureFrontDoor" + }, + "customRules": { + "rules": [ + { + "name": "testcustomrule", + "enabledState": "Enabled", + "priority": 1, + "ruleType": "MatchRule", + "rateLimitDurationInMinutes": 0, + "rateLimitThreshold": 0, + "matchConditions": [ + { + "matchVariable": "SocketAddr", + "selector": null, + "operator": "GeoMatch", + "negateCondition": false, + "matchValue": [ + "PK" + ], + "transforms": [] + } + ], + "action": "Block" + } + ] + } + }, + { + "id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2", + "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies", + "name": "testpolicy1", + "sku": { + "name": "Classic_AzureFrontDoor" + }, + "customRules": { + "rules": [ + { + "name": "testcustomrule", + "enabledState": "Enabled", + 
"priority": 1, + "ruleType": "MatchRule", + "rateLimitDurationInMinutes": 0, + "rateLimitThreshold": 0, + "matchConditions": [ + { + "matchVariable": "SocketAddr", + "selector": null, + "operator": "GeoMatch", + "negateCondition": false, + "matchValue": [ + "PK" + ], + "transforms": [] + } + ], + "action": "Block" + } + ] + } + }, +]; + +const createCache = (afdWafPolicies) => { + return { + afdWafPolicies: { + listAll: { + 'global': { + data: afdWafPolicies + } + } + } + }; +}; + +const createErrorCache = () => { + return { + afdWafPolicies: { + listAll: { + 'global': 'err' + } + } + }; +}; +describe('frontDoorWafDefaultRateLimit', function () { + describe('run', function () { + + it('should give pass result front door profile waf policy has rate limit custom rule configured', function (done) { + const cache = createCache([afdWafPolicies[0]]); + frontDoorWafDefaultRateLimit.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Front Door profile WAF policy has rate limit custom rule configured'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + it('should give pass result if no existing front door premium waf policy found', function (done) { + const cache = createCache([]); + frontDoorWafDefaultRateLimit.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Front Door WAF policies found'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + it('should give fail result if front door profile WAF policy does not have rate limit custom rule configured', function (done) { + const cache = createCache([afdWafPolicies[1]]); + frontDoorWafDefaultRateLimit.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Front 
Door profile WAF policy does not have rate limit custom rule configured'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + it('should give unknown result unable to query for Front Door WAF policie', function (done) { + const cache = createErrorCache(); + frontDoorWafDefaultRateLimit.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Front Door WAF policies'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + }); +}); \ No newline at end of file From 1ece399d2cfbca9685c264928f00e934366cbc28 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Mon, 27 Nov 2023 16:24:36 +0500 Subject: [PATCH 064/498] SAAS-20313/Front-Door-WAF-Logs-Enabled --- exports.js | 5 +- plugins/azure/frontdoor/wafLogsEnabled.js | 71 ++++++ .../azure/frontdoor/wafLogsEnabled.spec.js | 228 ++++++++++++++++++ 3 files changed, 302 insertions(+), 2 deletions(-) create mode 100644 plugins/azure/frontdoor/wafLogsEnabled.js create mode 100644 plugins/azure/frontdoor/wafLogsEnabled.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..95e4453c9a 100644 --- a/exports.js +++ b/exports.js @@ -989,7 +989,8 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') + 'wafLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/wafLogsEnabled.js'), + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), 
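Review bot: There is no test for a policy whose `customRules` is absent or whose `rules` is empty, which is the case the plugin handles with a separate branch (`: 'false'`), so the expected outcome for "no custom rules at all" is unpinned; add a fixture without `customRules` and assert `status` 2. The third fixture (`Classic_AzureFrontDoor`) is defined but never used by any test — either drop it or add the case it was meant for.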
@@ -1478,4 +1479,4 @@ module.exports = {
 'securityNotificationsEnabled' : require(__dirname + '/plugins/alibaba/securitycenter/securityNotificationsEnabled.js'),
 'vulnerabilityScanEnabled' : require(__dirname + '/plugins/alibaba/securitycenter/vulnerabilityScanEnabled.js')
 }
-};
+};
\ No newline at end of file
diff --git a/plugins/azure/frontdoor/wafLogsEnabled.js b/plugins/azure/frontdoor/wafLogsEnabled.js
new file mode 100644
index 0000000000..9dcb482734
--- /dev/null
+++ b/plugins/azure/frontdoor/wafLogsEnabled.js
@@ -0,0 +1,71 @@ +const async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Front Door WAF Logs Enabled', + category: 'Front Door', + domain: 'Content Delivery', + description: 'Ensures that Azure Front Door WAF Log is enabled.', + more_info: 'Azure Front Door captures several types of logs. Web application firewall (WAF) logs can be used to detect potential attacks, and false positive detections that might indicate legitimate requests that the WAF blocked.', + recommended_action: 'Ensure that diagnostic setting for Front Door WAF Log is enabled.', + link: 'https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-logs', + apis: ['profiles:list', 'diagnosticSettings:listByAzureFrontDoor'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + async.each(locations.profiles, (location, rcb) => { + const profiles = helpers.addSource(cache, source, + ['profiles', 'list', location]); + + if (!profiles) return rcb(); + + if (profiles.err || !profiles.data) { + helpers.addResult(results, 3, + 'Unable to query Front Door profiles: ' + helpers.addError(profiles), location); + return rcb(); + } + + if (!profiles.data.length) { + helpers.addResult(results, 0, 'No existing Azure Front Door profiles found', location); + return rcb(); + } + + var frontDoorProfile = false; + profiles.data.forEach(function(profile) { + if (!profile.id || profile.kind!='frontdoor') return; + + frontDoorProfile = true; + const diagnosticSettings = helpers.addSource(cache, source, + ['diagnosticSettings', 'listByAzureFrontDoor', location, profile.id]); + + if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) { + helpers.addResult(results, 3, 'Unable to query Front Door diagnostics settings: ' + helpers.addError(diagnosticSettings), location, profile.id); + } else if (!diagnosticSettings.data.length) { + 
helpers.addResult(results, 2, 'No existing Front Door diagnostics settings found', location, profile.id); + } else { + var frontDoorWafLogsEnabled = false; + diagnosticSettings.data.forEach(setting => { + var logs = setting.logs; + if (logs.some(log => (log.categoryGroup === 'allLogs' || log.category === 'FrontDoorWebApplicationFirewallLog') && log.enabled)) { + frontDoorWafLogsEnabled = true; + } + }); + if (frontDoorWafLogsEnabled) { + helpers.addResult(results, 0, 'Front Door profile has WAF logs are enabled', location, profile.id); + } else { + helpers.addResult(results, 2, 'Front Door access profile does not have WAF logs enabled', location, profile.id); + } + } + }); + + if (!frontDoorProfile) { + helpers.addResult(results, 0, 'No existing Azure Front Door profiles found', location); + } + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/frontdoor/wafLogsEnabled.spec.js b/plugins/azure/frontdoor/wafLogsEnabled.spec.js new file mode 100644 index 0000000000..1bdde68589 --- /dev/null +++ b/plugins/azure/frontdoor/wafLogsEnabled.spec.js 
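Review bot: `var logs = setting.logs; if (logs.some(...))` throws a TypeError when a diagnostic setting has no `logs` array, which aborts the plugin instead of reporting the profile; use `const logs = setting.logs || [];`. The result messages are copy-paste residue: `'Front Door profile has WAF logs are enabled'` is ungrammatical and `'Front Door access profile does not have WAF logs enabled'` still says "access"; suggest `'Front Door profile has WAF logs enabled'` and `'Front Door profile does not have WAF logs enabled'`. `profile.kind!='frontdoor'` uses loose inequality while the log-category comparison a few lines below uses `===`; make it `profile.kind !== 'frontdoor'`.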
@@ -0,0 +1,228 @@ +var expect = require('chai').expect; +var accessLogsEnabled = require('./accessLogsEnabled.js'); + +const profiles = [ + { + "id": "/subscriptions/234/resourcegroups/sadeedrg/providers/Microsoft.Cdn/profiles/test-profile", + "type": "Microsoft.Cdn/profiles", + "name": "test-profile", + "location": "Global", + "kind": "frontdoor", + "tags": {}, + "sku": { + "name": "Standard_Microsoft" + }, + "properties": { + "resourceState": "Active", + "provisioningState": "Succeeded" + } + }, + { + "id": "/subscriptions/234/resourcegroups/sadeedrg/providers/Microsoft.Cdn/profiles/test-profile", + "type": "Microsoft.Cdn/profiles", + "name": "test-profile", + "location": "Global", + "kind": "frontdoor", + "tags": {}, + "sku": { + "name": "Standard_Microsoft" + }, + "properties": { + "resourceState": "Active", + "provisioningState": "Succeeded" + } + } +]; + + +const diagnosticSettings = [ + { + id: '/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/cloudsploit-dev/providers/microsoft.cdn/profiles/omer-cdn-profile-test/providers/microsoft.insights/diagnosticSettings/testaccesslogs', + type: 'Microsoft.Insights/diagnosticSettings', + name: 'testaccesslogs', + location: 'global', + logs: [ + { + "category": "FrontDoorAccessLog", + "categoryGroup": null, + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + }, + ], + "logAnalyticsDestinationType": null + }, + { + id: '/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/cloudsploit-dev/providers/microsoft.cdn/profiles/omer-cdn-profile-test/providers/microsoft.insights/diagnosticSettings/testaccesslogs', + type: 'Microsoft.Insights/diagnosticSettings', + name: 'testaccesslogs', + location: 'global', + logs: [ + { + "category": "FrontDoorAccessLog", + "categoryGroup": null, + "enabled": false, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + }, + ], + "logAnalyticsDestinationType": null + }, + {} +] + +const createCache = (profiles, diagnostics) => { 
+ let diagnostic = {}; + if (profiles.length) { + diagnostic[profiles[0].id] = { + data: diagnostics + }; + } + + + return { + profiles: { + list: { + 'global': { + data: profiles + } + } + }, + diagnosticSettings: { + listByAzureFrontDoor: { + 'global': diagnostic + } + } + }; +}; + +const createErrorCache = (key) => { + if (key == 'profile') { + return { + profiles: { + list: { + 'global': {} + } + } + }; + } else if (key === 'noprofile'){ + return { + profiles: { + list: { + 'global': { + data:{} + } + } + } + }; + }else if (key === 'diagnostic') { + return { + profiles: { + list: { + 'global': { + data: [profiles[0]] + } + } + }, + diagnosticSettings: { + listByAzureFrontDoor: { + 'global': {} + } + } + }; + } else { + const profileId = (profiles && profiles.length) ? profiles[0].id : null; + const diagnosticSetting = (diagnosticSettings && diagnosticSettings.length) ? diagnosticSettings[0].id : null; + return { + profiles: { + list: { + 'global': { + data: [profiles[0]] + } + } + }, + diagnosticSettings: { + listByAzureFrontDoor: { + 'global': { + data: {} + } + } + } + }; + } +}; + +describe('accessLogsEnabled', function () { + describe('run', function () { + + it('should give pass result if No existing Azure Front Door profiles found', function (done) { + const cache = createErrorCache('noprofile'); + accessLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Azure Front Door profiles found'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + it('should give unknown result if Unable to query Front Door profiles:', function (done) { + const cache = createErrorCache('profile'); + accessLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Front Door profiles:'); + 
expect(results[0].region).to.equal('global'); + done(); + }); + }); + + it('should give unknown result if Unable to query diagnostics settings', function (done) { + const cache = createErrorCache('policy'); + accessLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Front Door diagnostics settings'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + it('should give pass result if No existing Front Door diagnostics settings', function (done) { + const cache = createCache([profiles[1]], diagnosticSettings[2]); + accessLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('No existing Front Door diagnostics settings'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + it('should give passing result if Access Log are enabled for Azure Front Door', function (done) { + const cache = createCache([profiles[0]], [diagnosticSettings[0]]); + accessLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Front Door access logs are enabled'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + + it('should give failing result if Request logging is not enabled for endpoint', function (done) { + const cache = createCache([profiles[1]], [diagnosticSettings[1]]); + accessLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Front Door access logs are not enabled'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + }); +}); \ No newline at end of file From 1ad0287ce8975ffdd7cd57ba8ba9dc3c3e367f51 Mon Sep 17 00:00:00 2001 
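Review bot: The spec requires and runs `./accessLogsEnabled.js` rather than `./wafLogsEnabled.js`, and its assertions expect that plugin's messages (`'Front Door access logs are enabled'`), so the new `wafLogsEnabled` plugin has no test coverage even though this file was added alongside it. Change the import to `var wafLogsEnabled = require('./wafLogsEnabled.js');`, call `wafLogsEnabled.run(...)`, and assert the messages the new plugin emits, using a fixture whose log `category` is `'FrontDoorWebApplicationFirewallLog'` for the passing case. The `describe('accessLogsEnabled', ...)` title should become `'wafLogsEnabled'` as well.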
From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Mon, 27 Nov 2023 16:25:41 +0500 Subject: [PATCH 065/498] Update exports.js --- exports.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exports.js b/exports.js index 95e4453c9a..84d847377b 100644 --- a/exports.js +++ b/exports.js @@ -1479,4 +1479,4 @@ module.exports = { 'securityNotificationsEnabled' : require(__dirname + '/plugins/alibaba/securitycenter/securityNotificationsEnabled.js'), 'vulnerabilityScanEnabled' : require(__dirname + '/plugins/alibaba/securitycenter/vulnerabilityScanEnabled.js') } -}; \ No newline at end of file +}; From 5d21e5f6ac89e2d28c38ed98b459f503f2dd3cc3 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Mon, 27 Nov 2023 16:40:17 +0500 Subject: [PATCH 066/498] SAAS-20313/AFD-Bot-Protection --- plugins/azure/frontdoor/botProtectionEnabled.js | 10 +--------- .../azure/frontdoor/botProtectionEnabled.spec.js | 13 +------------ 2 files changed, 2 insertions(+), 21 deletions(-) diff --git a/plugins/azure/frontdoor/botProtectionEnabled.js b/plugins/azure/frontdoor/botProtectionEnabled.js index 9a7311cbcc..1a4857b58e 100644 --- a/plugins/azure/frontdoor/botProtectionEnabled.js +++ b/plugins/azure/frontdoor/botProtectionEnabled.js @@ -32,12 +32,8 @@ module.exports = { return rcb(); } - var frontDoorWafPolicies = false; - for (let policy of afdWafPolicies.data) { - if (!policy.id || !policy.sku || policy.sku.name.toLowerCase() != 'premium_azurefrontdoor') continue; - - frontDoorWafPolicies = true; + if (!policy.id) continue; var found = policy.managedRules && policy.managedRules.managedRuleSets ? @@ -50,10 +46,6 @@ module.exports = { } } - if (!frontDoorWafPolicies) { - helpers.addResult(results, 0, 'No existing Front Door WAF policies found', location); - } - rcb(); }, function() { callback(null, results, source); 
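Review bot: Dropping the `premium_azurefrontdoor` SKU filter means every WAF policy, including `Classic_AzureFrontDoor` ones, is now evaluated for the bot-protection managed rule set; if that rule set is not available on the classic SKU, those policies will be reported as failing with no way to remediate. If the intent is that classic policies are out of scope, keep the SKU filter and drop only the `frontDoorWafPolicies` bookkeeping; if they are in scope, the plugin's `description`/`more_info` (outside this hunk) should say so. The enclosing `run` function starts and ends outside these hunks.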
diff --git a/plugins/azure/frontdoor/botProtectionEnabled.spec.js b/plugins/azure/frontdoor/botProtectionEnabled.spec.js index 8872bfbc5d..62160a9ac0 100644 --- a/plugins/azure/frontdoor/botProtectionEnabled.spec.js +++ b/plugins/azure/frontdoor/botProtectionEnabled.spec.js @@ -104,18 +104,7 @@ describe('botProtectionEnabled', function () { done(); }); }); - - it('should give pass result if no existing front door premium waf policy found', function (done) { - const cache = createCache([afdWafPolicies[2]]); - botProtectionEnabled.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('No existing Front Door WAF policies found'); - expect(results[0].region).to.equal('global'); - done(); - }); - }); - + it('should give fail result if bot protection is not enabled for front door waf policy', function (done) { const cache = createCache([afdWafPolicies[1]]); botProtectionEnabled.run(cache, {}, (err, results) => { From 5e8cdf96086314331fa5262beafa6636a7d20f7c Mon Sep 17 00:00:00 2001 From: mehakseedat63 Date: Mon, 27 Nov 2023 14:02:55 +0500 Subject: [PATCH 067/498] Azure - Service Bus Namespace Local Authentication Plugin --- exports.js | 1 + .../azure/servicebus/namespaceLocalAuth.js | 50 +++++++++++ .../servicebus/namespaceLocalAuth.spec.js | 90 +++++++++++++++++++ .../azure/servicebus/namespaceTlsVersion.js | 4 +- 4 files changed, 143 insertions(+), 2 deletions(-) create mode 100644 plugins/azure/servicebus/namespaceLocalAuth.js create mode 100644 plugins/azure/servicebus/namespaceLocalAuth.spec.js diff --git a/exports.js b/exports.js index 2781d110ea..a4956330ea 100644 --- a/exports.js +++ b/exports.js 
@@ -992,6 +992,7 @@ module.exports = { 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), 'namespaceLocalAuth' : require(__dirname + '/plugins/azure/servicebus/namespaceLocalAuth.js'), + 'namespaceTlsVersion' : require(__dirname + '/plugins/azure/servicebus/namespaceTlsVersion.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/plugins/azure/servicebus/namespaceLocalAuth.js b/plugins/azure/servicebus/namespaceLocalAuth.js new file mode 100644 index 0000000000..6912a617b6 --- /dev/null +++ b/plugins/azure/servicebus/namespaceLocalAuth.js 
@@ -0,0 +1,50 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Namespace Local Authentication Disabled', + category: 'Service Bus', + domain: 'Application Integration', + description: 'Ensures local authentication is disabled for Service Bus namespaces.', + more_info: 'For enhanced security, centralized identity management, and seamless integration with Azure\'s authentication and authorization services, it is recommended to rely on Azure Active Directory (Azure AD) and disable local authentication (shared access policies) in Azure Service Bus namespaces.', + recommended_action: 'Ensure that Azure Service Bus namespaces have local authentication disabled.', + link: 'https://learn.microsoft.com/en-us/azure/service-bus-messaging/disable-local-authentication', + apis: ['serviceBus:listNamespacesBySubscription'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.serviceBus, function(location, rcb) { + const namespaces = helpers.addSource(cache, source, + ['serviceBus', 'listNamespacesBySubscription', location]); + + if (!namespaces) return rcb(); + + + if (namespaces.err || !namespaces.data) { + helpers.addResult(results, 3, 'Unable to query Service Bus namespaces: ' + helpers.addError(namespaces), location); + return rcb(); + } + + if (!namespaces.data.length) { + helpers.addResult(results, 0, 'No Service Bus namespaces found', location); + return rcb(); + } + + for (let namespace of namespaces.data) { + if (namespace.disableLocalAuth) { + helpers.addResult(results, 0, 'Service Bus Namespace has local authentication disabled', location, namespace.id); + } else { + helpers.addResult(results, 2, 'Service Bus Namespace has local authentication enabled', location, namespace.id); + } + } + + rcb(); + }, function() { + // Global checking goes here + callback(null, results, source); + }); 
+ } +}; \ No newline at end of file diff --git a/plugins/azure/servicebus/namespaceLocalAuth.spec.js b/plugins/azure/servicebus/namespaceLocalAuth.spec.js new file mode 100644 index 0000000000..2755a180db --- /dev/null +++ b/plugins/azure/servicebus/namespaceLocalAuth.spec.js 
@@ -0,0 +1,90 @@ +var expect = require('chai').expect; +var namespaceLocalAuth = require('./namespaceLocalAuth.js'); + +const namespaces = [ + { + id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test', + name: 'test', + type: 'Microsoft.ServiceBus/Namespaces', + location: 'East US', + publicNetworkAccess: 'Enabled', + disableLocalAuth: false, + provisioningState: 'Succeeded', + status: 'Active' + }, + { + id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test', + name: 'test2', + type: 'Microsoft.ServiceBus/Namespaces', + location: 'East US', + publicNetworkAccess: 'Enabled', + disableLocalAuth: true, + provisioningState: 'Succeeded', + status: 'Active' + }, +]; + + +const createCache = (namespaces, err) => { + + return { + serviceBus: { + listNamespacesBySubscription: { + 'eastus': { + data: namespaces, + err: err + } + } + } + }; +}; + +describe('namespaceLocalAuth', function () { + describe('run', function () { + + it('should give a passing result if no Service Bus namespaces are found', function (done) { + const cache = createCache([], null); + namespaceLocalAuth.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No Service Bus namespaces found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for Service Bus namespaces', function (done) { + const cache = createCache(null, ['error']); + namespaceLocalAuth.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Service Bus namespaces'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + + it('should give passing result if local authenication is disabled for namespace', function (done) { + const cache = createCache([namespaces[1]], null); + 
namespaceLocalAuth.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Service Bus Namespace has local authentication disabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if local authentication is enabled for namespace', function (done) { + const cache = createCache([namespaces[0]], null); + namespaceLocalAuth.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Service Bus Namespace has local authentication enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file diff --git a/plugins/azure/servicebus/namespaceTlsVersion.js b/plugins/azure/servicebus/namespaceTlsVersion.js index 5209dcd253..32a4df1678 100644 --- a/plugins/azure/servicebus/namespaceTlsVersion.js +++ b/plugins/azure/servicebus/namespaceTlsVersion.js @@ -5,7 +5,7 @@ module.exports = { title: 'Namespace Minimum TLS Version', category: 'Service Bus', domain: 'Application Integration', - description: 'Ensures that Azure Sevice Bus namespace is using the latest TLS version.', + description: 'Ensures that Azure Service Bus namespace is using the latest TLS version.', more_info: 'TLS versions 1.0 and 1.1 are known to be susceptible to attacks, and to have other Common Vulnerabilities and Exposures (CVE) weaknesses. So there\'s an industry-wide push toward the exclusive use of Transport Layer Security(TLS) version 1.2 or later.', recommended_action: 'Ensure that Azure Srvice Bus namespaces are using the latest TLS version', link: 'https://learn.microsoft.com/en-us/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version', 
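Review bot: Both fixtures in the `namespaces` array carry the same `id` (`.../namespaces/test`) while their `name`s differ, a copy-paste slip that goes unnoticed because no test asserts the reported resource; give the second fixture `id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test2'` and add `expect(results[0].resource).to.equal(namespaces[1].id);` to the passing case so a plugin that reports the wrong resource id cannot pass. The title of that test also misspells "authentication" as "authenication".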
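Review bot: The hunk corrects "Sevice" in `description` but the `recommended_action` on the context line directly below still reads "Azure Srvice Bus namespaces"; fix it in the same change: `recommended_action: 'Ensure that Azure Service Bus namespaces are using the latest TLS version',`. These strings are user-facing in scan output, so the remaining typo is visible to every consumer of the result.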
@@ -34,7 +34,7 @@ module.exports = { } for (let namespace of namespaces.data) { - if (namespace.minimumTlsVersion && (parseFloat(namespace.minimumTlsVersion) >= 1.2)) { + if (namespace.minimumTlsVersion && (parseFloat(namespace.minimumTlsVersion) >= 1.2)) { helpers.addResult(results, 0, 'Service Bus namespace is using the latest TLS Version', location, namespace.id); } else { helpers.addResult(results, 2, 'Service Bus namespace is not using the latest TLS Version', location, namespace.id); From a6c94e4a988771cd48686cb4f25b01d4f3a2f054 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Mon, 27 Nov 2023 18:35:54 +0500 Subject: [PATCH 068/498] SAAS-20313/Front-Door-WAF-Logs-Enabled --- helpers/azure/functions.js | 16 +++++++++- plugins/azure/frontdoor/accessLogsEnabled.js | 10 ++---- .../azure/frontdoor/accessLogsEnabled.spec.js | 3 +- plugins/azure/frontdoor/wafLogsEnabled.js | 12 ++----- .../azure/frontdoor/wafLogsEnabled.spec.js | 32 +++++++++---------- 5 files changed, 37 insertions(+), 36 deletions(-) diff --git a/helpers/azure/functions.js b/helpers/azure/functions.js index 0a40c0a0e1..40759337ab 100644 --- a/helpers/azure/functions.js +++ b/helpers/azure/functions.js @@ -692,6 +692,19 @@ function remediateOpenPorts(putCall, pluginName, protocol, port, config, cache, }); } +function diagnosticSettingLogs(diagnosticSettings, logsCategory, categoryGroup) { + var logsEnabled = false; + diagnosticSettings.data.forEach(setting => { + var logs = setting.logs; + if (logs.some(log => (categoryGroup.indexOf(log.categoryGroup) > -1 || log.category == logsCategory) && log.enabled)) { + logsEnabled = true; + return; + } + }); + + return logsEnabled; +} + module.exports = { addResult: addResult, findOpenPorts: findOpenPorts, 
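Review bot: `setting.logs` is dereferenced without a guard in the new `diagnosticSettingLogs` helper, so a diagnostic setting that comes back without a `logs` array would throw from `logs.some` and abort the plugin run instead of yielding a result; the `return` inside the `forEach` callback also does not short-circuit the loop the way the code seems to intend. Nested `some` calls express the same predicate without the mutable flag, and `includes`/`===` replace the loose `indexOf`/`==`. Whether the API can return a setting with no `logs` key is something I am inferring rather than something the hunk shows, but the guard is cheap and the predicate is otherwise unchanged.
```javascript
function diagnosticSettingLogs(diagnosticSettings, logsCategory, categoryGroup) {
    // True when any diagnostic setting has an enabled log entry whose category
    // matches logsCategory or whose category group is one of categoryGroup.
    return (diagnosticSettings.data || []).some(setting =>
        (setting.logs || []).some(log => log.enabled &&
            (categoryGroup.includes(log.categoryGroup) || log.category === logsCategory)));
}
```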
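Review bot: The access-log check passes `['audit','allLogs']` as the accepted category groups while the WAF check in the same commit passes only `['allLogs']`, and nothing in the hunk says why `audit` counts for one log category and not the other, so a reader cannot tell whether it is intentional or a leftover from the previous inline version. If `audit` is known to include `FrontDoorAccessLog`, say so above the call: `// the 'audit' category group covers FrontDoorAccessLog; WAF logs are only in 'allLogs'`; if that is not established, drop `audit` so both checks agree. The enclosing `forEach` and the `run` function begin and end outside this hunk.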
@@ -702,5 +715,6 @@ module.exports = { remediatePlugin: remediatePlugin, processCall: processCall, remediateOpenPorts: remediateOpenPorts, - remediateOpenPortsHelper: remediateOpenPortsHelper + remediateOpenPortsHelper: remediateOpenPortsHelper, + diagnosticSettingLogs: diagnosticSettingLogs, }; diff --git a/plugins/azure/frontdoor/accessLogsEnabled.js b/plugins/azure/frontdoor/accessLogsEnabled.js index aed9fa4cb4..cdfd229be8 100644 --- a/plugins/azure/frontdoor/accessLogsEnabled.js +++ b/plugins/azure/frontdoor/accessLogsEnabled.js @@ -45,14 +45,8 @@ module.exports = { } else if (!diagnosticSettings.data.length) { helpers.addResult(results, 2, 'No existing Front Door diagnostics settings found', location, profile.id); } else { - var frontDoorAccessLogEnabled = false; - diagnosticSettings.data.forEach(setting => { - var logs = setting.logs; - if (logs.some(log => (log.categoryGroup === 'audit' || log.categoryGroup === 'allLogs' || log.category === 'FrontDoorAccessLog') && log.enabled)) { - frontDoorAccessLogEnabled = true; - } - }); - if (frontDoorAccessLogEnabled) { + var accessLogsEnabled = helpers.diagnosticSettingLogs(diagnosticSettings, 'FrontDoorAccessLog', ['audit','allLogs']); + if (accessLogsEnabled) { helpers.addResult(results, 0, 'Front Door access logs are enabled', location, profile.id); } else { helpers.addResult(results, 2, 'Front Door access logs are not enabled', location, profile.id); diff --git a/plugins/azure/frontdoor/accessLogsEnabled.spec.js b/plugins/azure/frontdoor/accessLogsEnabled.spec.js index 1bdde68589..2cc245ab56 100644 --- a/plugins/azure/frontdoor/accessLogsEnabled.spec.js +++ b/plugins/azure/frontdoor/accessLogsEnabled.spec.js @@ -34,7 +34,6 @@ const profiles = [ } ]; - const diagnosticSettings = [ { id: '/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/cloudsploit-dev/providers/microsoft.cdn/profiles/omer-cdn-profile-test/providers/microsoft.insights/diagnosticSettings/testaccesslogs', 
@@ -214,7 +213,7 @@ describe('accessLogsEnabled', function () { }); }); - it('should give failing result if Request logging is not enabled for endpoint', function (done) { + it('should give failing result if Access logging is not enabled for Azure Front Door', function (done) { const cache = createCache([profiles[1]], [diagnosticSettings[1]]); accessLogsEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); diff --git a/plugins/azure/frontdoor/wafLogsEnabled.js b/plugins/azure/frontdoor/wafLogsEnabled.js index 9dcb482734..526da63264 100644 --- a/plugins/azure/frontdoor/wafLogsEnabled.js +++ b/plugins/azure/frontdoor/wafLogsEnabled.js @@ -45,17 +45,11 @@ module.exports = { } else if (!diagnosticSettings.data.length) { helpers.addResult(results, 2, 'No existing Front Door diagnostics settings found', location, profile.id); } else { - var frontDoorWafLogsEnabled = false; - diagnosticSettings.data.forEach(setting => { - var logs = setting.logs; - if (logs.some(log => (log.categoryGroup === 'allLogs' || log.category === 'FrontDoorWebApplicationFirewallLog') && log.enabled)) { - frontDoorWafLogsEnabled = true; - } - }); + var frontDoorWafLogsEnabled = helpers.diagnosticSettingLogs(diagnosticSettings, 'FrontDoorWebApplicationFirewallLog', ['allLogs']); if (frontDoorWafLogsEnabled) { - helpers.addResult(results, 0, 'Front Door profile has WAF logs are enabled', location, profile.id); + helpers.addResult(results, 0, 'Front Door profile WAF logs are enabled', location, profile.id); } else { - helpers.addResult(results, 2, 'Front Door access profile does not have WAF logs enabled', location, profile.id); + helpers.addResult(results, 2, 'Front Door profile WAF logs are not enabled', location, profile.id); } } }); diff --git a/plugins/azure/frontdoor/wafLogsEnabled.spec.js b/plugins/azure/frontdoor/wafLogsEnabled.spec.js index 1bdde68589..2448aa21b2 100644 --- a/plugins/azure/frontdoor/wafLogsEnabled.spec.js 
+++ b/plugins/azure/frontdoor/wafLogsEnabled.spec.js @@ -1,5 +1,5 @@ var expect = require('chai').expect; -var accessLogsEnabled = require('./accessLogsEnabled.js'); +var wafLogsEnabled = require('./wafLogsEnabled.js'); const profiles = [ { @@ -57,13 +57,13 @@ const diagnosticSettings = [ { id: '/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/cloudsploit-dev/providers/microsoft.cdn/profiles/omer-cdn-profile-test/providers/microsoft.insights/diagnosticSettings/testaccesslogs', type: 'Microsoft.Insights/diagnosticSettings', - name: 'testaccesslogs', + name: 'testwaflogs', location: 'global', logs: [ { - "category": "FrontDoorAccessLog", + "category": "FrontDoorWebApplicationFirewallLog", "categoryGroup": null, - "enabled": false, + "enabled": true, "retentionPolicy": { "enabled": false, "days": 0 @@ -156,12 +156,12 @@ const createErrorCache = (key) => { } }; -describe('accessLogsEnabled', function () { +describe('wafLogsEnabled', function () { describe('run', function () { it('should give pass result if No existing Azure Front Door profiles found', function (done) { const cache = createErrorCache('noprofile'); - accessLogsEnabled.run(cache, {}, (err, results) => { + wafLogsEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); expect(results[0].message).to.include('No existing Azure Front Door profiles found'); @@ -172,7 +172,7 @@ describe('accessLogsEnabled', function () { it('should give unknown result if Unable to query Front Door profiles:', function (done) { const cache = createErrorCache('profile'); - accessLogsEnabled.run(cache, {}, (err, results) => { + wafLogsEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); expect(results[0].message).to.include('Unable to query Front Door profiles:'); 
@@ -183,7 +183,7 @@ describe('accessLogsEnabled', function () { it('should give unknown result if Unable to query diagnostics settings', function (done) { const cache = createErrorCache('policy'); - accessLogsEnabled.run(cache, {}, (err, results) => { + wafLogsEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); expect(results[0].message).to.include('Unable to query Front Door diagnostics settings'); @@ -194,7 +194,7 @@ describe('accessLogsEnabled', function () { it('should give pass result if No existing Front Door diagnostics settings', function (done) { const cache = createCache([profiles[1]], diagnosticSettings[2]); - accessLogsEnabled.run(cache, {}, (err, results) => { + wafLogsEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); expect(results[0].message).to.include('No existing Front Door diagnostics settings'); 
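Review bot: The test renamed in the `@@ -194` hunk is titled "should give pass result if No existing Front Door diagnostics settings" yet asserts `status` equal to 2, which is the failing result the plugin emits for that case, so the title says the opposite of what is checked. Rename it `it('should give failing result if no Front Door diagnostics settings exist', function (done) {`. The hunk itself only swaps `accessLogsEnabled` for `wafLogsEnabled`; the mismatch is on the context line it leaves untouched.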
@@ -203,23 +203,23 @@ describe('accessLogsEnabled', function () { }); }); - it('should give passing result if Access Log are enabled for Azure Front Door', function (done) { - const cache = createCache([profiles[0]], [diagnosticSettings[0]]); - accessLogsEnabled.run(cache, {}, (err, results) => { + it('should give passing result if Front Door profile WAF logs are enabled for Azure Front Door', function (done) { + const cache = createCache([profiles[0]], [diagnosticSettings[1]]); + wafLogsEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Front Door access logs are enabled'); + expect(results[0].message).to.include('Front Door profile WAF logs are enabled'); expect(results[0].region).to.equal('global'); done(); }); }); it('should give failing result if Request logging is not enabled for endpoint', function (done) { - const cache = createCache([profiles[1]], [diagnosticSettings[1]]); - accessLogsEnabled.run(cache, {}, (err, results) => { + const cache = createCache([profiles[1]], [diagnosticSettings[0]]); + wafLogsEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Front Door access logs are not enabled'); + expect(results[0].message).to.include('Front Door profile WAF logs are not enabled'); expect(results[0].region).to.equal('global'); done(); }); From 9d921b6c2e078da27ef90ae28a571ae9fe915898 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Mon, 27 Nov 2023 18:39:41 +0500 Subject: [PATCH 069/498] updated spec --- plugins/azure/frontdoor/wafLogsEnabled.spec.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/frontdoor/wafLogsEnabled.spec.js b/plugins/azure/frontdoor/wafLogsEnabled.spec.js index 2448aa21b2..456de2714c 100644 --- a/plugins/azure/frontdoor/wafLogsEnabled.spec.js 
+++ b/plugins/azure/frontdoor/wafLogsEnabled.spec.js @@ -214,7 +214,7 @@ describe('wafLogsEnabled', function () { }); }); - it('should give failing result if Request logging is not enabled for endpoint', function (done) { + it('should give failing result if Front Door profile WAF logs are not enabled for Azure Front Door', function (done) { const cache = createCache([profiles[1]], [diagnosticSettings[0]]); wafLogsEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); From fce82fcf64d33aacf2eb8d08b03411d2786ba430 Mon Sep 17 00:00:00 2001 From: mehakseedat63 Date: Mon, 27 Nov 2023 20:04:01 +0500 Subject: [PATCH 070/498] Azure - Namespace Encryption At Rest Plugin --- exports.js | 1 + .../servicebus/namespaceEncryptionAtRest.js | 53 ++++++++ .../namespaceEncryptionAtRest.spec.js | 118 ++++++++++++++++++ 3 files changed, 172 insertions(+) create mode 100644 plugins/azure/servicebus/namespaceEncryptionAtRest.js create mode 100644 plugins/azure/servicebus/namespaceEncryptionAtRest.spec.js diff --git a/exports.js b/exports.js index a4956330ea..dd8ffc2354 100644 --- a/exports.js +++ b/exports.js @@ -993,6 +993,7 @@ module.exports = { 'namespaceLocalAuth' : require(__dirname + '/plugins/azure/servicebus/namespaceLocalAuth.js'), 'namespaceTlsVersion' : require(__dirname + '/plugins/azure/servicebus/namespaceTlsVersion.js'), + 'namespaceEncryptionAtRest' : require(__dirname + '/plugins/azure/servicebus/namespaceEncryptionAtRest.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/plugins/azure/servicebus/namespaceEncryptionAtRest.js b/plugins/azure/servicebus/namespaceEncryptionAtRest.js new file mode 100644 index 0000000000..2a7278ba83 --- /dev/null +++ b/plugins/azure/servicebus/namespaceEncryptionAtRest.js 
@@ -0,0 +1,53 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Namespace Encryption At Rest with CMK', + category: 'Service Bus', + domain: 'Application Integration', + description: 'Ensure that Azure Service Bus namespaces are encrypted with CMK.', + more_info: 'Azure Service Bus allows you to encrypt data in your namespaces using customer-managed keys (CMK) instead of using platform-managed keys, which are enabled by default. Using CMK encryption offers enhanced security and compliance, allowing centralized management and control of encryption keys through Azure Key Vault.', + recommended_action: 'Ensure that Azure Service Bus namespaces have CMK encryption enabled.', + link: 'https://learn.microsoft.com/en-us/azure/service-bus-messaging/configure-customer-managed-key', + apis: ['serviceBus:listNamespacesBySubscription'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.serviceBus, function(location, rcb) { + const namespaces = helpers.addSource(cache, source, + ['serviceBus', 'listNamespacesBySubscription', location]); + + if (!namespaces) return rcb(); + + + if (namespaces.err || !namespaces.data) { + helpers.addResult(results, 3, 'Unable to query Service Bus namespaces: ' + helpers.addError(namespaces), location); + return rcb(); + } + + if (!namespaces.data.length) { + helpers.addResult(results, 0, 'No Service Bus namespaces found', location); + return rcb(); + } + + for (let namespace of namespaces.data) { + + if (namespace.sku && namespace.sku.tier && namespace.sku.tier.toLowerCase() !== 'premium') { + helpers.addResult(results, 0, 'Service Bus Namespace is not a premium namespace', location, namespace.id); + } else if (namespace.encryption && Object.keys(namespace.encryption).length) { + helpers.addResult(results, 0, 'Service Bus Namespace is encrypted using CMK', 
location, namespace.id); + } else { + helpers.addResult(results, 2, 'Service Bus Namespace is not encrypted using CMK', location, namespace.id); + } + } + + rcb(); + }, function() { + // Global checking goes here + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/servicebus/namespaceEncryptionAtRest.spec.js b/plugins/azure/servicebus/namespaceEncryptionAtRest.spec.js new file mode 100644 index 0000000000..394f71b462 --- /dev/null +++ b/plugins/azure/servicebus/namespaceEncryptionAtRest.spec.js 
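Review bot: `namespace.encryption && Object.keys(namespace.encryption).length` reports any non-empty `encryption` object as customer-managed, but the spec fixture in this same commit shows that object also carries `requireInfrastructureEncryption`, so a premium namespace whose key source is not Key Vault could be marked as passing. Test the key source rather than the object's presence: `} else if (namespace.encryption && namespace.encryption.keySource && namespace.encryption.keySource.toLowerCase() === 'microsoft.keyvault') {`. Whether the API ever returns an `encryption` block with a non-Key-Vault `keySource` is inferred from the fixture shape rather than shown here, so treat this as hardening the condition to what the title actually claims.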
@@ -0,0 +1,118 @@ +var expect = require('chai').expect; +var namespaceEncryptionAtRest = require('./namespaceEncryptionAtRest.js'); + +const namespaces = [ + { + sku: { name: 'Premium', tier: 'Premium', capacity: 1 }, + id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test', + name: 'test', + type: 'Microsoft.ServiceBus/Namespaces', + location: 'East US', + publicNetworkAccess: 'Enabled', + disableLocalAuth: false, + provisioningState: 'Succeeded', + status: 'Active' + }, + { + sku: { name: 'Premium', tier: 'Premium', capacity: 1 }, + id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test2', + name: 'test2', + type: 'Microsoft.ServiceBus/Namespaces', + location: 'East US', + publicNetworkAccess: 'Enabled', + disableLocalAuth: true, + provisioningState: 'Succeeded', + status: 'Active', + encryption: { + keySource: 'Microsoft.KeyVault', + requireInfrastructureEncryption: false + }, + }, + { + sku: { name: 'Basic', tier: 'Basic' }, + id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test3', + name: 'test2', + type: 'Microsoft.ServiceBus/Namespaces', + location: 'East US', + publicNetworkAccess: 'Enabled', + disableLocalAuth: true, + provisioningState: 'Succeeded', + status: 'Active' + }, +]; + + +const createCache = (namespaces, err) => { + + return { + serviceBus: { + listNamespacesBySubscription: { + 'eastus': { + data: namespaces, + err: err + } + } + } + }; +}; + +describe('namespaceEncryptionAtRest', function () { + describe('run', function () { + + it('should give a passing result if no Service Bus namespaces are found', function (done) { + const cache = createCache([], null); + namespaceEncryptionAtRest.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No Service Bus namespaces found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if 
unable to query for Service Bus namespaces', function (done) { + const cache = createCache(null, ['error']); + namespaceEncryptionAtRest.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Service Bus namespaces'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + + it('should give passing result if namespace is not using premium tier', function (done) { + const cache = createCache([namespaces[2]], null); + namespaceEncryptionAtRest.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Service Bus Namespace is not a premium namespace'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if namespace is using CMK encryption', function (done) { + const cache = createCache([namespaces[1]], null); + namespaceEncryptionAtRest.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Service Bus Namespace is encrypted using CMK'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if namespace is not using CMK encryption', function (done) { + const cache = createCache([namespaces[0]], null); + namespaceEncryptionAtRest.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Service Bus Namespace is not encrypted using CMK'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file From 402a5a9b989736cd878bc4c8b73930727cb266df Mon Sep 17 00:00:00 2001 
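Review bot: The third fixture has `name: 'test2'` with an id ending in `namespaces/test3`, a copy-paste slip, and none of the tests assert `results[0].resource`, so a plugin reporting the wrong resource id would still pass; fix the name and add `expect(results[0].resource).to.equal(namespaces[1].id);` to the CMK-positive case. There is also no case for a premium namespace whose `encryption` object is present but has no Key Vault `keySource`, which is exactly the boundary where the plugin's presence-only condition is weakest.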
From: MuzzammilH Date: Tue, 28 Nov 2023 14:52:07 +0500 Subject: [PATCH 071/498] added sql db data maksing enabled --- exports.js | 3 +- helpers/azure/api.js | 9 +- helpers/azure/resources.js | 3 + .../sqldatabases/dbDataMaskingEnabled.js | 71 +++++++ .../sqldatabases/dbDataMaskingEnabled.spec.js | 174 ++++++++++++++++++ 5 files changed, 258 insertions(+), 2 deletions(-) create mode 100644 plugins/azure/sqldatabases/dbDataMaskingEnabled.js create mode 100644 plugins/azure/sqldatabases/dbDataMaskingEnabled.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..831491b1c2 100644 --- a/exports.js +++ b/exports.js @@ -989,7 +989,8 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') + 'frontDoorMinimumTlsVersion': require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + 'dbDataMaskingEnabled': require(__dirname + '/plugins/azure/sqldatabases/dbDataMaskingEnabled.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 0c44596e9d..9a8ecd315e 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -973,7 +973,14 @@ var tertiarycalls = { url: '{id}/policy?api-version=7.3', vault: true } - } + }, + dataMaskingPolicies: { + get: { + reliesOnPath: 'databases.listByServer', + properties: ['id'], + url: 'https://management.azure.com/{id}/dataMaskingPolicies/Default?api-version=2021-11-01', + } + }, }; var specialcalls = { diff --git a/helpers/azure/resources.js b/helpers/azure/resources.js index bc0486c46c..fae6fa6f9f 100644 --- a/helpers/azure/resources.js +++ b/helpers/azure/resources.js 
@@ -241,5 +241,8 @@ module.exports = { listAppSettings: 'id', getAuthSettings: '', getBackupConfiguration: 'id', + }, + dataMaskingPolicies: { + list: 'id' } }; diff --git a/plugins/azure/sqldatabases/dbDataMaskingEnabled.js b/plugins/azure/sqldatabases/dbDataMaskingEnabled.js new file mode 100644 index 0000000000..24ff3b42f0 --- /dev/null +++ b/plugins/azure/sqldatabases/dbDataMaskingEnabled.js 
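Review bot: The resource mapping added here is `dataMaskingPolicies: { list: 'id' }`, but the call registered in `helpers/azure/api.js` in the same commit and requested by the plugin is `dataMaskingPolicies:get`; the key should be `get: 'id'` so the two agree (the ledger change that follows uses `list` consistently on both sides). I am inferring from the neighbouring entries that this table is keyed by call name; if that is right, results of the `get` call currently have no resource-id mapping at all.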
@@ -0,0 +1,71 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Set Dynamic Data Masking for SQL Databases', + category: 'SQL Databases', + domain: 'Databases', + description: 'Set up dynamic data masking to protect sensitive data exposure in SQL databases.', + more_info: 'Dynamic data masking helps prevent unauthorized access to sensitive data by hiding it in query results.', + recommended_action: 'Set up dynamic data masking for designated database fields to enhance data security.', + link: 'https://docs.microsoft.com/en-us/azure/sql-database/sql-database-dynamic-data-masking-get-started-portal', + apis: ['servers:listSql', 'databases:listByServer', 'dataMaskingPolicies:get'], + + run: function(cache, settings, callback) { + var results = []; + var source = {}; + var locations = helpers.locations(settings.govcloud); + + async.each(locations.servers, function(location, rcb) { + var servers = helpers.addSource(cache, source, ['servers', 'listSql', location]); + + if (!servers) return rcb(); + + if (servers.err || !servers.data) { + helpers.addResult(results, 3, 'Unable to query for SQL servers: ' + helpers.addError(servers), location); + return rcb(); + } + + if (!servers.data.length) { + helpers.addResult(results, 0, 'No SQL servers found', location); + return rcb(); + } + + // Loop through servers and check databases + servers.data.forEach(function(server) { + var databases = helpers.addSource(cache, source, + ['databases', 'listByServer', location, server.id]); + + if (!databases || databases.err || !databases.data) { + helpers.addResult(results, 3, + 'Unable to query for SQL server databases: ' + helpers.addError(databases), location, server.id); + } else { + if (!databases.data.length) { + helpers.addResult(results, 0, + 'No databases found for SQL server', location, server.id); + } else { + databases.data.forEach(function(database) { + + var dataMaskingPolicies = helpers.addSource(cache, 
source, ['dataMaskingPolicies', 'get', location, database.id]); + if (!dataMaskingPolicies || dataMaskingPolicies.err || !dataMaskingPolicies.data) { + helpers.addResult(results, 3, 'Unable to query dynamic data masking: ' + helpers.addError(dataMaskingPolicies), location, database.id); + } else { + if (dataMaskingPolicies.data.dataMaskingState.toLowerCase()=='enabled') { + helpers.addResult(results, 0, 'Dynamic data masking is enabled for the database', location, database.id); + } else { + helpers.addResult(results, 2, 'Dynamic data masking is not enabled for the database', location, database.id); + } + } + }); + } + } + }); + + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; + + diff --git a/plugins/azure/sqldatabases/dbDataMaskingEnabled.spec.js b/plugins/azure/sqldatabases/dbDataMaskingEnabled.spec.js new file mode 100644 index 0000000000..e9e278acc5 --- /dev/null +++ b/plugins/azure/sqldatabases/dbDataMaskingEnabled.spec.js 
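Review bot: `dataMaskingPolicies.data.dataMaskingState.toLowerCase()` throws a TypeError if the policy object comes back without `dataMaskingState`, which would abort the whole run instead of producing a per-database result; guard the field and use strict equality: `if (dataMaskingPolicies.data.dataMaskingState && dataMaskingPolicies.data.dataMaskingState.toLowerCase() === 'enabled') {`. The `link` also points at the older `docs.microsoft.com` path while the other plugins in this series use `learn.microsoft.com`; worth aligning while the file is new.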
@@ -0,0 +1,174 @@ +var expect = require('chai').expect; +var setDynamicDataMasking = require('./dbDataMaskingEnabled'); + +const servers = [ + { + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server", + } +]; + +const databases = [ + { + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database", + } +]; + +const dataMaskingPolicies = [ + { + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database/datamaskingpolicies/default", + "name": "default", + "type": "Microsoft.Sql/servers/databases/datamaskingpolicies", + "dataMaskingState": "Enabled", + }, + { + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database/datamaskingpolicies/default", + "name": "default", + "type": "Microsoft.Sql/servers/databases/datamaskingpolicies", + "dataMaskingState": "Disabled", + } +]; + +const createCache = (servers, databases, dataMaskingPolicies, serversErr, databasesErr) => { + const serverId = (servers && servers.length) ? servers[0].id : null; + const dbId = (databases && databases.length) ? 
databases[0].id : null; + return { + servers: { + listSql: { + 'eastus': { + err: serversErr, + data: servers + } + } + }, + databases: { + listByServer: { + 'eastus': { + [serverId]: { + err: databasesErr, + data: databases + } + } + } + }, + dataMaskingPolicies: { + get: { + 'eastus': { + [dbId]: { + data: dataMaskingPolicies + } + } + } + } + }; +}; + +describe('setDynamicDataMasking', function() { + describe('run', function() { + it('should give passing result if no SQL servers found', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No SQL servers found'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + [] + ); + + setDynamicDataMasking.run(cache, {}, callback); + }); + + it('should give passing result if no databases found for SQL server', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No databases found for SQL server'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers, + [] + ); + + setDynamicDataMasking.run(cache, {}, callback); + }); + + it('should give passing result if Dynamic data masking is enabled for the database', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Dynamic data masking is enabled for the database'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers, + databases, + dataMaskingPolicies[0] + ); + + setDynamicDataMasking.run(cache, {}, callback); + }); + + it('should give failing result if Dynamic data masking is not enabled for the database', function(done) { + const callback = (err, results) => { + 
expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Dynamic data masking is not enabled for the database'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers, + databases, + dataMaskingPolicies[1] + ); + + setDynamicDataMasking.run(cache, {}, callback); + }); + + it('should give unknown result if unable to query for SQL servers', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('unable to query servers'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + [], + [], + [], + { message: 'unable to query servers' } + ); + + setDynamicDataMasking.run(cache, {}, callback); + }); + + it('should give unknown result if unable to query for SQL server databases', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('unable to query databases'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers, + [], + null, + { message: 'unable to query databases' } + ); + + setDynamicDataMasking.run(cache, {}, callback); + }); + }); +}); From f1c414f0052648cbc488a2ce95003a0a94cd1384 Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Tue, 28 Nov 2023 15:06:00 +0500 Subject: [PATCH 072/498] added sql db ledgerDigestStorageEnabled --- exports.js | 3 +- helpers/azure/api.js | 9 +- helpers/azure/resources.js | 5 +- .../dbLedgerDigestStorageEnabled.js | 69 ++++++ .../dbLedgerDigestStorageEnabled.spec.js | 196 ++++++++++++++++++ 5 files changed, 279 insertions(+), 3 deletions(-) create mode 100644 plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js create mode 100644 plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js 
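Review bot: The "unable to query for SQL server databases" test passes `{ message: 'unable to query databases' }` as the fourth argument of `createCache`, which is `serversErr`, not `databasesErr`, so the plugin takes the "Unable to query for SQL servers" branch and the assertion only passes because it matches on the error text; the database-error branch is never exercised. Change the call to `createCache(servers, [], null, null, { message: 'unable to query databases' })` and assert on `'Unable to query for SQL server databases'`. There is also no test for the unknown result when the `dataMaskingPolicies` lookup itself fails, which `createCache` cannot currently produce since it never sets `err` on that entry.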
diff --git a/exports.js b/exports.js index 53c1523d03..238b678883 100644 --- a/exports.js +++ b/exports.js @@ -989,7 +989,8 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') + 'frontDoorMinimumTlsVersion': require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + 'dbLedgerDigestStorageEnabled': require(__dirname + '/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 0c44596e9d..df170d8f52 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -973,7 +973,14 @@ var tertiarycalls = { url: '{id}/policy?api-version=7.3', vault: true } - } + }, + ledgerDigestUploads: { + list: { + reliesOnPath: 'databases.listByServer', + properties: ['id'], + url: 'https://management.azure.com/{id}/ledgerDigestUploads?api-version=2021-11-01' + } + }, }; var specialcalls = { diff --git a/helpers/azure/resources.js b/helpers/azure/resources.js index bc0486c46c..17bd3e202c 100644 --- a/helpers/azure/resources.js +++ b/helpers/azure/resources.js @@ -241,5 +241,8 @@ module.exports = { listAppSettings: 'id', getAuthSettings: '', getBackupConfiguration: 'id', - } + }, + ledgerDigestUploads: { + list: 'id' + }, }; diff --git a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js new file mode 100644 index 0000000000..51360cffe0 --- /dev/null +++ b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js 
@@ -0,0 +1,69 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Enable Automatic Ledger Digest Storage for SQL Databases', + category: 'SQL Databases', + domain: 'Databases', + description: 'Enable automatic Ledger digest storage for enhanced data integrity.', + more_info: 'Configuring automatic Ledger digest storage allows for the generation and storage of digests for later verification.', + recommended_action: 'Configure an Azure Storage account or Azure Confidential Ledger for automatic Ledger digest storage. Alternatively, manually generate digests and store them in a secure location.', + link: 'https://docs.microsoft.com/en-us/azure/sql-database/sql-database-ledger-overview', + apis: ['servers:listSql', 'databases:listByServer', 'ledgerDigestUploads:list'], + + run: function(cache, settings, callback) { + var results = []; + var source = {}; + var locations = helpers.locations(settings.govcloud); + + async.each(locations.servers, function(location, rcb) { + var servers = helpers.addSource(cache, source, ['servers', 'listSql', location]); + + if (!servers) return rcb(); + + if (servers.err || !servers.data) { + helpers.addResult(results, 3, 'Unable to query for SQL servers: ' + helpers.addError(servers), location); + return rcb(); + } + + if (!servers.data.length) { + helpers.addResult(results, 0, 'No SQL servers found', location); + return rcb(); + } + + // Loop through servers and check databases + servers.data.forEach(function(server) { + var databases = helpers.addSource(cache, source, + ['databases', 'listByServer', location, server.id]); + + if (!databases || databases.err || !databases.data) { + helpers.addResult(results, 3, + 'Unable to query for SQL server databases: ' + helpers.addError(databases), location, server.id); + } else { + if (!databases.data.length) { + helpers.addResult(results, 0, + 'No databases found for SQL server', location, server.id); + } else { + 
databases.data.forEach(function(database) { + var ledgerDigestUploads = helpers.addSource(cache, source, ['ledgerDigestUploads', 'list', location, database.id]); + if (!ledgerDigestUploads || ledgerDigestUploads.err) { + helpers.addResult(results, 3, 'Unable to query for Azure ledger: ' + helpers.addError(ledgerDigestUploads), location, database.id); + } else { + if (ledgerDigestUploads.data[0].state.toLowerCase() == 'enabled') { + helpers.addResult(results, 0, 'Automatic Ledger digest storage is enabled', location, database.id); + } else { + helpers.addResult(results, 2, 'Automatic Ledger digest storage is disbaled', location, database.id); + } + + } + }); + } + } + }); + + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; diff --git a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js new file mode 100644 index 0000000000..48f4c9cf65 --- /dev/null +++ b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js 
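Review bot: `ledgerDigestUploads.data[0].state.toLowerCase()` in the inner forEach runs whenever the lookup carries no `err`, so a response without `data` or with an empty list throws a TypeError out of the async.each callback instead of producing a result; the guard should be `if (!ledgerDigestUploads || ledgerDigestUploads.err || !ledgerDigestUploads.data || !ledgerDigestUploads.data.length) {` (whether an empty list should be reported as unknown or as disabled I can't tell from here). The fail message reads `'Automatic Ledger digest storage is disbaled'`; the spec in the next hunk asserts the same misspelling, so both need the fix together, and the spec has no case for `data: []`. `== 'enabled'` would be safer as `=== 'enabled'`.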
@@ -0,0 +1,196 @@ +var expect = require('chai').expect; +var enableAutomaticLedgerDigestStorage = require('./dbLedgerDigestStorageEnabled'); + +const servers = [ + { + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server", + } +]; + +const databases = [ + { + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database", + } +]; + +const ledgerDigestUploads = [ + { + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database/ledgerDigestUploads/1", + "state": "Enabled", + }, + { + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database/ledgerDigestUploads/2", + "state": "Disabled", + }, +]; + +const createCache = (servers, databases, ledgerDigestUploads, serversErr, databasesErr, ledgerDigestUploadsErr) => { + const serverId = (servers && servers.length) ? servers[0].id : null; + const databaseId = (databases && databases.length) ? 
databases[0].id : null; + return { + servers: { + listSql: { + 'eastus': { + err: serversErr, + data: servers + } + } + }, + databases: { + listByServer: { + 'eastus': { + [serverId]: { + err: databasesErr, + data: databases + } + } + } + }, + ledgerDigestUploads: { + list: { + 'eastus': { + [databaseId]: { + err: ledgerDigestUploadsErr, + data: ledgerDigestUploads + } + } + } + } + }; +}; + +describe('enableAutomaticLedgerDigestStorage', function() { + describe('run', function() { + it('should give passing result if no SQL servers found', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No SQL servers found'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + [], + databases, + ledgerDigestUploads + ); + + enableAutomaticLedgerDigestStorage.run(cache, {}, callback); + }); + + it('should give passing result if no databases found for SQL server', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No databases found for SQL server'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers, + [], + ledgerDigestUploads + ); + + enableAutomaticLedgerDigestStorage.run(cache, {}, callback); + }); + + it('should give passing result if Automatic Ledger digest storage is enabled for the database', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Automatic Ledger digest storage is enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers, + databases, + [ledgerDigestUploads[0]] + ); + + enableAutomaticLedgerDigestStorage.run(cache, {}, callback); + }); + + 
it('should give failing result if Automatic Ledger digest storage is disabled for the database', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Automatic Ledger digest storage is disbaled'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers, + databases, + [ledgerDigestUploads[1]] + ); + + enableAutomaticLedgerDigestStorage.run(cache, {}, callback); + }); + + it('should give unknown result if unable to query for SQL servers', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for SQL servers'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + [], + databases, + ledgerDigestUploads, + { message: 'unable to query servers' } + ); + + enableAutomaticLedgerDigestStorage.run(cache, {}, callback); + }); + + it('should give unknown result if unable to query for SQL server databases', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for SQL server databases'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers, + [], + ledgerDigestUploads, + null, + { message: 'unable to query databases' } + ); + + enableAutomaticLedgerDigestStorage.run(cache, {}, callback); + }); + + it('should give unknown result if unable to query for Azure ledger', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Azure ledger'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const 
cache = createCache( + servers, + databases, + null, + null, + null, + { message: 'unable to query ledger' } + ); + + enableAutomaticLedgerDigestStorage.run(cache, {}, callback); + }); + }); +}); From 8d52bf8f4cb82fac71239fb845043db94b6cac76 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Tue, 28 Nov 2023 15:06:35 +0500 Subject: [PATCH 073/498] adding-application-gateway-logs --- exports.js | 2 + .../applicationGateway/agAccessLogsEnabled.js | 59 +++++ .../agAccessLogsEnabled.spec.js | 219 ++++++++++++++++++ .../agFirewallLogsEnabled.js | 59 +++++ .../agFirewallLogsEnabled.spec.js | 219 ++++++++++++++++++ 5 files changed, 558 insertions(+) create mode 100644 plugins/azure/applicationGateway/agAccessLogsEnabled.js create mode 100644 plugins/azure/applicationGateway/agAccessLogsEnabled.spec.js create mode 100644 plugins/azure/applicationGateway/agFirewallLogsEnabled.js create mode 100644 plugins/azure/applicationGateway/agFirewallLogsEnabled.spec.js diff --git a/exports.js b/exports.js index 84d847377b..fb4396705e 100644 --- a/exports.js +++ b/exports.js @@ -976,6 +976,8 @@ module.exports = { 'agWafEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agWafEnabled'), 'agPreventionModeEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agPreventionModeEnabled.js'), + 'agAccessLogsEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agAccessLogsEnabled.js'), + 'agFirewallLogsEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agFirewallLogsEnabled.js'), 'subscriptionHasTags' : require(__dirname + '/plugins/azure/subscription/subscriptionHasTags.js'), 'rgHasTags' : require(__dirname + '/plugins/azure/resourceGroup/rgHasTags.js'), diff --git a/plugins/azure/applicationGateway/agAccessLogsEnabled.js b/plugins/azure/applicationGateway/agAccessLogsEnabled.js new file mode 100644 index 0000000000..0a39243400 --- /dev/null +++ b/plugins/azure/applicationGateway/agAccessLogsEnabled.js 
@@ -0,0 +1,59 @@ +const async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Application Gateway Access Logs Enabled', + category: 'Application Gateway', + domain: 'Network Access Control', + description: 'Ensures that Application Gateway Access Log is enabled.', + more_info: 'Application Gateway logs provide detailed information for events related to a resource and its operations. Access logs helps to analyze important information includeing the caller\'s IP, requested URL, response latency, return code, and bytes in and out. An access log is collected every 60 seconds.', + recommended_action: 'Ensure that diagnostic setting for Application Gateway Access Log is enabled.', + link: 'https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics', + apis: ['applicationGateway:listAll', 'diagnosticSettings:listByApplicationGateways'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + async.each(locations.applicationGateway, (location, rcb) => { + const applicationGateways = helpers.addSource(cache, source, + ['applicationGateway', 'listAll', location]); + + if (!applicationGateways) return rcb(); + + if (applicationGateways.err || !applicationGateways.data) { + helpers.addResult(results, 3, + 'Unable to query Application Gateway: ' + helpers.addError(applicationGateways), location); + return rcb(); + } + + if (!applicationGateways.data.length) { + helpers.addResult(results, 0, 'No existing Application Gateway found', location); + return rcb(); + } + + applicationGateways.data.forEach(function(appGateway) { + if (!appGateway.id) return; + const diagnosticSettings = helpers.addSource(cache, source, + ['diagnosticSettings', 'listByApplicationGateways', location, appGateway.id]); + + if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) { + 
helpers.addResult(results, 3, 'Unable to query Application Gateway diagnostics settings: ' + helpers.addError(diagnosticSettings), location, appGateway.id); + } else if (!diagnosticSettings.data.length) { + helpers.addResult(results, 2, 'No existing Application Gateway diagnostics settings found', location, appGateway.id); + } else { + var accessLogsEnabled = helpers.diagnosticSettingLogs(diagnosticSettings, 'ApplicationGatewayAccessLog', ['allLogs']); + if (accessLogsEnabled) { + helpers.addResult(results, 0, 'Application Gateway access logs are enabled', location, appGateway.id); + } else { + helpers.addResult(results, 2, 'Application Gateway access logs are not enabled', location, appGateway.id); + } + } + }); + + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/applicationGateway/agAccessLogsEnabled.spec.js b/plugins/azure/applicationGateway/agAccessLogsEnabled.spec.js new file mode 100644 index 0000000000..a96b30bd35 --- /dev/null +++ b/plugins/azure/applicationGateway/agAccessLogsEnabled.spec.js 
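Review bot: `var accessLogsEnabled` in the else-branch is the only `var` in a file that otherwise uses `const`; `const accessLogsEnabled = helpers.diagnosticSettingLogs(diagnosticSettings, 'ApplicationGatewayAccessLog', ['allLogs']);` keeps it consistent. Apart from the log category and the result strings, `run` is identical to the one in agFirewallLogsEnabled.js added by the same commit (the hunk further down), so the loop could live in one shared function parameterised by category and message prefix, which keeps the two checks from drifting apart. Whether `helpers.diagnosticSettingLogs` tolerates the `{}` entries the spec fixtures include I can't tell from here, since the helper is not part of this patch.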
@@ -0,0 +1,219 @@ +var expect = require('chai').expect; +var agAccessLogsEnabled = require('./agAccessLogsEnabled'); + +const appGateway = [ + { + "name": "meerab-test", + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/meerab-rg/providers/Microsoft.Network/applicationGateways/meerab-test", + "etag": "W/\"b3bb388c-f5ff-495a-8163-98edbeb32047\"", + "type": "Microsoft.Network/applicationGateways", + "location": "eastus", + "tags": {}, + "provisioningState": "Succeeded", + "resourceGuid": "c166b007-4ecd-45c2-9faa-74664407558b", + "sku": { + "name": "WAF_v2", + "tier": "WAF_v2", + "family": "Generation_1" + }, + } +]; + +const diagnosticSettings = [ + { + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/microsoft.network/applicationgateways/meerab-test/providers/microsoft.insights/diagnosticSettings/app-ds", + "type": "Microsoft.Insights/diagnosticSettings", + "name": "app-ds", + "logs": [ + { + "category": "ApplicationGatewayAccessLog", + "categoryGroup": null, + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + }, + { + "category": "ApplicationGatewayFirewallLog", + "categoryGroup": null, + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logAnalyticsDestinationType": null + }, + {}, + { + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/microsoft.network/applicationgateways/meerab-test/providers/microsoft.insights/diagnosticSettings/app-ds", + "type": "Microsoft.Insights/diagnosticSettings", + "name": "app-ds", + "logs": [ + { + "category": "ApplicationGatewayAccessLog", + "categoryGroup": null, + "enabled": false, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + }, + ], + "logAnalyticsDestinationType": null + }, +] +const createCache = (applicationGateway, diagnostics) => { + let diagnostic = {}; + if (applicationGateway.length) { + diagnostic[applicationGateway[0].id] = { 
+ data: diagnostics + }; + } + + return { + applicationGateway: { + listAll: { + 'eastus': { + data: applicationGateway + } + } + }, + diagnosticSettings: { + listByApplicationGateways: { + 'eastus': diagnostic + } + } + }; +}; + +const createErrorCache = (key) => { + if (key == 'appGateway') { + return { + applicationGateway: { + listAll: { + 'eastus': {} + } + } + }; + } else if (key === 'noGateway'){ + return { + applicationGateway: { + listAll: { + 'eastus': { + data:{} + } + } + } + }; + }else if (key === 'diagnostic') { + return { + applicationGateway: { + listAll: { + 'eastus': { + data: [appGateway[0]] + } + } + }, + diagnosticSettings: { + listByApplicationGateways: { + 'eastus': {} + } + } + }; + } else { + const appId = (appGateway && appGateway.length) ? appGateway[0].id : null; + const diagnosticSetting = (diagnosticSettings && diagnosticSettings.length) ? diagnosticSettings[0].id : null; + return { + applicationGateway: { + listAll: { + 'eastus': { + data: [appId[0]] + } + } + }, + diagnosticSettings: { + listByApplicationGateways: { + 'eastus': { + data: {} + } + } + } + }; + } +}; + +describe('agAccessLogsEnabled', function() { + describe('run', function() { + it('should give passing result if no Application Gateway found', function(done) { + const cache = createErrorCache('noGateway'); + agAccessLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Application Gateway found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result unable to query Application Gateway:', function(done) { + const cache = createErrorCache('appGateway'); + agAccessLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Application Gateway'); + 
expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + + it('should give unknown result unable to query Application Gateway diagnostics settings:', function(done) { + const cache = createErrorCache('diagnostic'); + agAccessLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Application Gateway diagnostics settings:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give pass result if no existing Application Gateway diagnostics settings found', function(done) { + const cache = createCache([appGateway[0]],diagnosticSettings[1]); + agAccessLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('No existing Application Gateway diagnostics settings found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give pass result if Application Gateway access logs are enabled', function(done) { + const cache = createCache([appGateway[0]],[diagnosticSettings[0]]); + agAccessLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Application Gateway access logs are enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give pass result if Application Gateway access logs are not enabled', function(done) { + const cache = createCache([appGateway[0]],[diagnosticSettings[2]]); + agAccessLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Application Gateway access logs are not enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + }); +}); + 
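Review bot: The final branch of `createErrorCache` puts `[appId[0]]` into `data` — `appId` is a string, so that is its first character, not a gateway — and `diagnosticSetting` is computed but never used; no test reaches that branch, so it should be dropped or fixed. `createCache([appGateway[0]],diagnosticSettings[1])` passes the `{}` fixture as the settings list and only reaches the 'No existing Application Gateway diagnostics settings found' result because `{}.length` is undefined; `[]` is the honest fixture for that case. The last two test titles say 'should give pass result' while asserting status 2, and `key == 'appGateway'` should be `===` like the other comparisons in the function. agFirewallLogsEnabled.spec.js further down has the same issues.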
diff --git a/plugins/azure/applicationGateway/agFirewallLogsEnabled.js b/plugins/azure/applicationGateway/agFirewallLogsEnabled.js new file mode 100644 index 0000000000..1befe89a30 --- /dev/null +++ b/plugins/azure/applicationGateway/agFirewallLogsEnabled.js 
@@ -0,0 +1,59 @@ +const async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Application Gateway Firewall Logs Enabled', + category: 'Application Gateway', + domain: 'Network Access Control', + description: 'Ensures that Application Gateway Firewall Log is enabled.', + more_info: 'Application Gateway logs provide detailed information for events related to a resource and its operations. Firewall logs helps to analyze the requests that are logged through either detection or prevention mode of an application gateway that is configured with the web application firewall.', + recommended_action: 'Ensure that diagnostic setting for Application Gateway Firewall Log is enabled.', + link: 'https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics', + apis: ['applicationGateway:listAll', 'diagnosticSettings:listByApplicationGateways'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + async.each(locations.applicationGateway, (location, rcb) => { + const applicationGateways = helpers.addSource(cache, source, + ['applicationGateway', 'listAll', location]); + + if (!applicationGateways) return rcb(); + + if (applicationGateways.err || !applicationGateways.data) { + helpers.addResult(results, 3, + 'Unable to query Application Gateway: ' + helpers.addError(applicationGateways), location); + return rcb(); + } + + if (!applicationGateways.data.length) { + helpers.addResult(results, 0, 'No existing Application Gateway found', location); + return rcb(); + } + applicationGateways.data.forEach(function(appGateway) { + if (!appGateway.id) return; + + const diagnosticSettings = helpers.addSource(cache, source, + ['diagnosticSettings', 'listByApplicationGateways', location, appGateway.id]); + + if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) { + helpers.addResult(results, 
3, 'Unable to query Application Gateway diagnostics settings: ' + helpers.addError(diagnosticSettings), location, appGateway.id); + } else if (!diagnosticSettings.data.length) { + helpers.addResult(results, 2, 'No existing Application Gateway diagnostics settings found', location, appGateway.id); + } else { + var accessLogsEnabled = helpers.diagnosticSettingLogs(diagnosticSettings, 'ApplicationGatewayFirewallLog', ['allLogs']); + if (accessLogsEnabled) { + helpers.addResult(results, 0, 'Application Gateway firewall logs are enabled', location, appGateway.id); + } else { + helpers.addResult(results, 2, 'Application Gateway firewall logs are not enabled', location, appGateway.id); + } + } + }); + + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/applicationGateway/agFirewallLogsEnabled.spec.js b/plugins/azure/applicationGateway/agFirewallLogsEnabled.spec.js new file mode 100644 index 0000000000..04e9f5710c --- /dev/null +++ b/plugins/azure/applicationGateway/agFirewallLogsEnabled.spec.js 
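Review bot: The variable holding the firewall-log check result is named `accessLogsEnabled`, a leftover from the copy of agAccessLogsEnabled.js; `const firewallLogsEnabled = helpers.diagnosticSettingLogs(diagnosticSettings, 'ApplicationGatewayFirewallLog', ['allLogs']);` together with `if (firewallLogsEnabled) {` on the next line reads correctly and also drops the lone `var` in a `const` file. The file ends without a trailing newline, which the patch flags.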
@@ -0,0 +1,219 @@ +var expect = require('chai').expect; +var agFirewallLogsEnabled = require('./agFirewallLogsEnabled'); + +const appGateway = [ + { + "name": "meerab-test", + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/meerab-rg/providers/Microsoft.Network/applicationGateways/meerab-test", + "etag": "W/\"b3bb388c-f5ff-495a-8163-98edbeb32047\"", + "type": "Microsoft.Network/applicationGateways", + "location": "eastus", + "tags": {}, + "provisioningState": "Succeeded", + "resourceGuid": "c166b007-4ecd-45c2-9faa-74664407558b", + "sku": { + "name": "WAF_v2", + "tier": "WAF_v2", + "family": "Generation_1" + }, + } +]; + +const diagnosticSettings = [ + { + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/microsoft.network/applicationgateways/meerab-test/providers/microsoft.insights/diagnosticSettings/app-ds", + "type": "Microsoft.Insights/diagnosticSettings", + "name": "app-ds", + "logs": [ + { + "category": "ApplicationGatewayAccessLog", + "categoryGroup": null, + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + }, + { + "category": "ApplicationGatewayFirewallLog", + "categoryGroup": null, + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logAnalyticsDestinationType": null + }, + {}, + { + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/microsoft.network/applicationgateways/meerab-test/providers/microsoft.insights/diagnosticSettings/app-ds", + "type": "Microsoft.Insights/diagnosticSettings", + "name": "app-ds", + "logs": [ + { + "category": "ApplicationGatewayAccessLog", + "categoryGroup": null, + "enabled": false, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + }, + ], + "logAnalyticsDestinationType": null + }, +] +const createCache = (applicationGateway, diagnostics) => { + let diagnostic = {}; + if (applicationGateway.length) { + diagnostic[applicationGateway[0].id] 
= { + data: diagnostics + }; + } + + return { + applicationGateway: { + listAll: { + 'eastus': { + data: applicationGateway + } + } + }, + diagnosticSettings: { + listByApplicationGateways: { + 'eastus': diagnostic + } + } + }; +}; + +const createErrorCache = (key) => { + if (key == 'appGateway') { + return { + applicationGateway: { + listAll: { + 'eastus': {} + } + } + }; + } else if (key === 'noGateway'){ + return { + applicationGateway: { + listAll: { + 'eastus': { + data:{} + } + } + } + }; + }else if (key === 'diagnostic') { + return { + applicationGateway: { + listAll: { + 'eastus': { + data: [appGateway[0]] + } + } + }, + diagnosticSettings: { + listByApplicationGateways: { + 'eastus': {} + } + } + }; + } else { + const appId = (appGateway && appGateway.length) ? appGateway[0].id : null; + const diagnosticSetting = (diagnosticSettings && diagnosticSettings.length) ? diagnosticSettings[0].id : null; + return { + applicationGateway: { + listAll: { + 'eastus': { + data: [appId[0]] + } + } + }, + diagnosticSettings: { + listByApplicationGateways: { + 'eastus': { + data: {} + } + } + } + }; + } +}; + +describe('agFirewallLogsEnabled', function() { + describe('run', function() { + it('should give passing result if no Application Gateway found', function(done) { + const cache = createErrorCache('noGateway'); + agFirewallLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Application Gateway found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result unable to query Application Gateway:', function(done) { + const cache = createErrorCache('appGateway'); + agFirewallLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Application Gateway'); + 
expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + + it('should give unknown result unable to query Application Gateway diagnostics settings:', function(done) { + const cache = createErrorCache('diagnostic'); + agFirewallLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Application Gateway diagnostics settings:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give pass result if no existing Application Gateway diagnostics settings found', function(done) { + const cache = createCache([appGateway[0]],diagnosticSettings[1]); + agFirewallLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('No existing Application Gateway diagnostics settings found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give pass result if Application Gateway firewall logs are enabled', function(done) { + const cache = createCache([appGateway[0]],[diagnosticSettings[0]]); + agFirewallLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Application Gateway firewall logs are enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give pass result if Application Gateway firewall logs are not enabled', function(done) { + const cache = createCache([appGateway[0]],[diagnosticSettings[2]]); + agFirewallLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Application Gateway firewall logs are not enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + }); +}); + 
From 1b7c3494f5ef41b1feb44a8211614aef01709d35 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Tue, 28 Nov 2023 15:08:12 +0500 Subject: [PATCH 074/498] plugins/azure/applicationGateway/agAccessLogsEnabled.js --- plugins/azure/applicationGateway/agAccessLogsEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/applicationGateway/agAccessLogsEnabled.js b/plugins/azure/applicationGateway/agAccessLogsEnabled.js index 0a39243400..cf72676e3f 100644 --- a/plugins/azure/applicationGateway/agAccessLogsEnabled.js +++ b/plugins/azure/applicationGateway/agAccessLogsEnabled.js @@ -6,7 +6,7 @@ module.exports = { category: 'Application Gateway', domain: 'Network Access Control', description: 'Ensures that Application Gateway Access Log is enabled.', - more_info: 'Application Gateway logs provide detailed information for events related to a resource and its operations. Access logs helps to analyze important information includeing the caller\'s IP, requested URL, response latency, return code, and bytes in and out. An access log is collected every 60 seconds.', + more_info: 'Application Gateway logs provide detailed information for events related to a resource and its operations. Access logs helps to analyze important information including the caller\'s IP, requested URL, response latency, return code, and bytes in and out. An access log is collected every 60 seconds.', recommended_action: 'Ensure that diagnostic setting for Application Gateway Access Log is enabled.', link: 'https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics', apis: ['applicationGateway:listAll', 'diagnosticSettings:listByApplicationGateways'], From 515392f6911d04a2bfa57cf86a0be7afe063b6f5 Mon Sep 17 00:00:00 2001 
From: Muzzammil Date: Tue, 28 Nov 2023 15:11:13 +0500 Subject: [PATCH 075/498] added sql db syncGroupPrivateLink --- exports.js | 3 +- helpers/azure/api.js | 9 +- helpers/azure/resources.js | 5 +- .../sqldatabases/dbSyncGroupPrivateLink.js | 79 +++++++ .../dbSyncGroupPrivateLink.spec.js | 198 ++++++++++++++++++ 5 files changed, 291 insertions(+), 3 deletions(-) create mode 100644 plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js create mode 100644 plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..b0fecbe9b1 100644 --- a/exports.js +++ b/exports.js @@ -989,7 +989,8 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') + 'frontDoorMinimumTlsVersion': require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + 'dbSyncGroupPrivateLink': require(__dirname + '/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 0c44596e9d..c2cc797b5c 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -973,7 +973,14 @@ var tertiarycalls = { url: '{id}/policy?api-version=7.3', vault: true } - } + }, + syncGroups: { + list: { + reliesOnPath: 'databases.listByServer', + properties: ['id'], + url: 'https://management.azure.com/{id}/syncGroups?api-version=2021-11-01' + } + }, }; var specialcalls = { diff --git a/helpers/azure/resources.js b/helpers/azure/resources.js index bc0486c46c..9dd0a4aeea 100644 --- a/helpers/azure/resources.js +++ b/helpers/azure/resources.js 
@@ -241,5 +241,8 @@ module.exports = {
 listAppSettings: 'id',
 getAuthSettings: '',
 getBackupConfiguration: 'id',
- }
+ },
+ syncGroups: {
+ list: 'id'
+ },
 };
diff --git a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js
new file mode 100644
index 0000000000..cef81a6b8a
--- /dev/null
+++ b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js
@@ -0,0 +1,79 @@
+var async = require('async');
+var helpers = require('../../../helpers/azure');
+
+module.exports = {
+ title: 'SQL Database Sync Groups - Private Link & Manual Approval',
+ category: 'SQL Databases',
+ domain: 'Databases',
+ description: 'Ensures SQL Database sync groups use private link when SQL DB sync with others databases.',
+ more_info: 'Using private link for SQL Database sync groups adds an extra layer of security by requiring manual approval for private endpoint connections.',
+ recommended_action: 'Configure SQL Database sync groups to use private link and mandate manual approval for private endpoint connections.',
+ link: 'https://learn.microsoft.com/en-us/azure/private-link/private-link-overview',
+ apis: ['servers:listSql','databases:listByServer','syncGroups:list'],
+
+ run: function(cache, settings, callback) {
+ var results = [];
+ var source = {};
+ var locations = helpers.locations(settings.govcloud);
+
+ async.each(locations.servers, function(location, rcb) {
+ var servers = helpers.addSource(cache, source, ['servers', 'listSql', location]);
+
+ if (!servers) return rcb();
+
+ if (servers.err || !servers.data) {
+ helpers.addResult(results, 3, 'Unable to query for SQL servers: ' + helpers.addError(servers), location);
+ return rcb();
+ }
+
+ if (!servers.data.length) {
+ helpers.addResult(results, 0, 'No SQL servers found', location);
+ return rcb();
+ }
+
+ // Loop through servers and check databases
+ servers.data.forEach(function(server) {
+
+ var databases = helpers.addSource(cache, source,
+ ['databases', 'listByServer', location, server.id]);
+
+ if (!databases || databases.err || !databases.data) {
+ helpers.addResult(results, 3,
+ 'Unable to query for SQL server databases: ' + helpers.addError(databases), location, server.id);
+ } else {
+ if (!databases.data.length) {
+ helpers.addResult(results, 0,
+ 'No databases found for SQL server', location, server.id);
+ } else {
+ databases.data.forEach(function(database) {
+
+ var syncGroups = helpers.addSource(cache, source, ['syncGroups', 'list', location, database.id]);
+
+ if (!syncGroups || syncGroups.err || !syncGroups.data) {
+ helpers.addResult(results, 3, 'Unable to query for SQL Database sync groups: ' + helpers.addError(syncGroups), location, database.id);
+ return;
+ }
+ if (!syncGroups.data.length) {
+ helpers.addResult(results, 0,
+ 'No Database sync group found for SQL database', location, database.id);
+ }
+
+ syncGroups.data.forEach(function(syncGroup) {
+ if (syncGroup.usePrivateLinkConnection) {
+ helpers.addResult(results, 0, 'SQL Database sync group uses private link to sync with other databases', location, syncGroup.id);
+ } else {
+ helpers.addResult(results, 2, 'SQL Database sync group does not uses private link to sync with other databases', location, syncGroup.id);
+ }
+ });
+ });
+ }
+ }
+
+ });
+
+ rcb();
+ }, function() {
+ callback(null, results, source);
+ });
+ }
+};
diff --git a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js
new file mode 100644
index 0000000000..09f3d4b682
--- /dev/null
+++ b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js
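Review bot: The PASS result inside `syncGroups.data.forEach` is decided solely by `syncGroup.usePrivateLinkConnection`, while the title, `more_info` and `recommended_action` promise a check on manual approval of private endpoint connections; nothing in this file reads an approval setting, so either the metadata should be narrowed to what is actually verified or the approval state has to come from an additional call. The branch after `if (!syncGroups.data.length)` records a PASS and then falls through to the `forEach`, which is harmless on an empty array but inconsistent with the `return;` used on the error branch just above it; adding `return;` there matches the surrounding style. The FAIL message `'SQL Database sync group does not uses private link to sync with other databases'` should read `does not use`, and `others databases` in `description` should be `other databases`; the spec file added in this commit asserts on the current FAIL wording, so it needs the same change.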
@@ -0,0 +1,198 @@ +var expect = require('chai').expect; +var sqlDatabaseSyncGroups = require('./dbSyncGroupPrivateLink'); + +const servers = [ + { + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server", + } +]; + +const databases = [ + { + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database" + } +]; + +const syncGroups = [ + { + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database/syncGroups/1", + "usePrivateLinkConnection": true + } +]; + +const createCache = (servers, databases, syncGroups, serversErr, databasesErr, syncGroupsErr) => { + const serverId = (servers && servers.length) ? servers[0].id : null; + const databaseId = (databases && databases.length) ? databases[0].id : null; + return { + servers: { + listSql: { + 'eastus': { + err: serversErr, + data: servers + } + } + }, + databases: { + listByServer: { + 'eastus': { + [serverId]: { + err: databasesErr, + data: databases + } + } + } + }, + syncGroups: { + list: { + 'eastus': { + [databaseId]: { + err: syncGroupsErr, + data: syncGroups + } + } + } + } + }; +}; + +describe('sqlDatabaseSyncGroups', function() { + describe('run', function() { + it('should give passing result if no SQL servers found', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No SQL servers found'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + [], + databases, + syncGroups + ); + + sqlDatabaseSyncGroups.run(cache, {}, callback); + }); + + it('should give passing result if no databases found for SQL server', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No databases 
found for SQL server'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers, + [], + syncGroups + ); + + sqlDatabaseSyncGroups.run(cache, {}, callback); + }); + + it('should give passing result if SQL Database sync group uses private link', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('SQL Database sync group uses private link to sync with other databases'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers, + databases, + syncGroups + ); + + sqlDatabaseSyncGroups.run(cache, {}, callback); + }); + + it('should give failing result if SQL Database sync group does not use private link', function(done) { + const callback = (err, results) => { + console.log('here-----',results) + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('SQL Database sync group does not uses private link to sync with other databases'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers, + databases, + [ + { + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database/syncGroups/1", + "usePrivateLinkConnection": false + } + ] + ); + + sqlDatabaseSyncGroups.run(cache, {}, callback); + }); + + it('should give unknown result if unable to query for SQL servers', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for SQL servers'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + [], + databases, + syncGroups, + { message: 'unable to query servers' } + ); + + sqlDatabaseSyncGroups.run(cache, {}, callback); + 
}); + + it('should give unknown result if unable to query for SQL server databases', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for SQL server databases'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers, + [], + syncGroups, + null, + { message: 'unable to query databases' } + ); + + sqlDatabaseSyncGroups.run(cache, {}, callback); + }); + + it('should give unknown result if unable to query for SQL Database sync groups', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for SQL Database sync groups'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers, + databases, + [], + null, + null, + { message: 'unable to query sync groups' } + ); + + sqlDatabaseSyncGroups.run(cache, {}, callback); + }); + }); +}); From f53572d9f8742b20e36a451e4d4ebe501fecf773 Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Tue, 28 Nov 2023 15:15:24 +0500 Subject: [PATCH 076/498] added sql db transparent data encryption enabled --- exports.js | 3 +- helpers/azure/api.js | 9 +- helpers/azure/resources.js | 5 +- plugins/azure/sqldatabases/dbTDEEnabled.js | 71 +++++++ .../azure/sqldatabases/dbTDEEnabled.spec.js | 197 ++++++++++++++++++ 5 files changed, 282 insertions(+), 3 deletions(-) create mode 100644 plugins/azure/sqldatabases/dbTDEEnabled.js create mode 100644 plugins/azure/sqldatabases/dbTDEEnabled.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..2ce161f68d 100644 --- a/exports.js +++ b/exports.js 
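Review bot: A debugging `console.log('here-----',results)` was left in the callback of the "does not use private link" test and will print on every run; it should be removed (it is also the only statement in the file without a trailing semicolon). The fixtures cover `usePrivateLinkConnection` set to `true` and `false` but not a sync group where the property is absent, which the plugin also reports as FAIL; a third fixture without the key would pin that behaviour.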
@@ -989,7 +989,8 @@ module.exports = {
 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'),
 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'),
- 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js')
+ 'frontDoorMinimumTlsVersion': require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'),
+ 'dbTDEEnabled': require(__dirname + '/plugins/azure/sqldatabases/dbTDEEnabled.js'),
 },
 github: {
 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'),
diff --git a/helpers/azure/api.js b/helpers/azure/api.js
index 0c44596e9d..c5f94b3ee3 100644
--- a/helpers/azure/api.js
+++ b/helpers/azure/api.js
@@ -973,7 +973,14 @@ var tertiarycalls = {
 url: '{id}/policy?api-version=7.3',
 vault: true
 }
- }
+ },
+ transparentDataEncryption: {
+ list: {
+ reliesOnPath: 'databases.listByServer',
+ properties: ['id'],
+ url: 'https://management.azure.com/{id}/transparentDataEncryption?api-version=2021-11-01'
+ }
+ },
 };
 var specialcalls = {
diff --git a/helpers/azure/resources.js b/helpers/azure/resources.js
index bc0486c46c..d8deb1b600 100644
--- a/helpers/azure/resources.js
+++ b/helpers/azure/resources.js
@@ -241,5 +241,8 @@ module.exports = {
 listAppSettings: 'id',
 getAuthSettings: '',
 getBackupConfiguration: 'id',
- }
+ },
+ transparentDataEncryption: {
+ list: 'id'
+ },
 };
diff --git a/plugins/azure/sqldatabases/dbTDEEnabled.js b/plugins/azure/sqldatabases/dbTDEEnabled.js
new file mode 100644
index 0000000000..365daff3c7
--- /dev/null
+++ b/plugins/azure/sqldatabases/dbTDEEnabled.js
@@ -0,0 +1,71 @@
+var async = require('async');
+var helpers = require('../../../helpers/azure');
+
+module.exports = {
+ title: 'Enable Transparent Data Encryption on SQL Databases',
+ category: 'SQL Databases',
+ domain: 'Databases',
+ description: 'Enables Transparent Data Encryption (TDE) on SQL databases for enhanced security',
+ more_info: 'TDE helps protect sensitive data at rest by encrypting the database files.',
+ recommended_action: 'Enable TDE for SQL databases to enhance data security.',
+ link: 'https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15',
+ apis: ['servers:listSql','databases:listByServer','transparentDataEncryption:list'],
+
+ run: function(cache, settings, callback) {
+ var results = [];
+ var source = {};
+ var locations = helpers.locations(settings.govcloud);
+
+ async.each(locations.servers, function(location, rcb) {
+ var servers = helpers.addSource(cache, source, ['servers', 'listSql', location]);
+
+ if (!servers) return rcb();
+
+ if (servers.err || !servers.data) {
+ helpers.addResult(results, 3, 'Unable to query for SQL servers: ' + helpers.addError(servers), location);
+ return rcb();
+ }
+
+ if (!servers.data.length) {
+ helpers.addResult(results, 0, 'No SQL servers found', location);
+ return rcb();
+ }
+
+ servers.data.forEach(function(server) {
+ var databases = helpers.addSource(cache, source,
+ ['databases', 'listByServer', location, server.id]);
+
+ if (!databases || databases.err || !databases.data) {
+ helpers.addResult(results, 3,
+ 'Unable to query for SQL server databases: ' + helpers.addError(databases), location, server.id);
+ } else {
+ if (!databases.data.length) {
+ helpers.addResult(results, 0,
+ 'No databases found for SQL server', location, server.id);
+ } else {
+ databases.data.forEach(function(database) {
+
+ var transparentDataEncryption = helpers.addSource(cache, source, ['transparentDataEncryption', 'list', location, database.id]);
+
+ if (!transparentDataEncryption || transparentDataEncryption.err || !transparentDataEncryption.data || !transparentDataEncryption.data.length) {
+ helpers.addResult(results, 3, 'Unable to query for SQL Database transparent data encryption: ' + helpers.addError(transparentDataEncryption), location, database.id);
+ return;
+ }
+
+ if (transparentDataEncryption.data[0].state.toLowerCase()=='enabled') {
+ helpers.addResult(results, 0, 'SQL Database transparent data encryption is Enabled', location, database.id);
+ } else {
+ helpers.addResult(results, 2, 'SQL Database transparent data encryption is Disabled', location, database.id);
+ }
+ });
+ }
+ }
+
+ });
+
+ rcb();
+ }, function() {
+ callback(null, results, source);
+ });
+ }
+};
diff --git a/plugins/azure/sqldatabases/dbTDEEnabled.spec.js b/plugins/azure/sqldatabases/dbTDEEnabled.spec.js
new file mode 100644
index 0000000000..d2d78742f7
--- /dev/null
+++ b/plugins/azure/sqldatabases/dbTDEEnabled.spec.js
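Review bot: `transparentDataEncryption.data[0].state.toLowerCase()` throws a TypeError when the first entry has no `state` property, and because this runs inside the `async.each` iterator the exception aborts the whole plugin run instead of producing a result for that database. Guard the value before lowering it and use strict equality: `var tdeState = transparentDataEncryption.data[0].state; if (tdeState && tdeState.toLowerCase() === 'enabled') {`. Only `data[0]` is examined; if the list can carry more than one entry, which the hunk does not show, the choice of the first one should be stated in a comment. The `description` string reads as an action (`Enables Transparent Data Encryption …`) rather than as the check performed; `dbSyncGroupPrivateLink` in the previous commit uses the `Ensures …` form that the rest of the plugin catalogue follows.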
@@ -0,0 +1,197 @@ +var expect = require('chai').expect; +var enableTransparentDataEncryption = require('./dbTDEEnabled'); + +const servers = [ + { + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server", + } +]; + +const databases = [ + { + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database" + } +]; + +const transparentDataEncryptionEnabled = [ + { + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database/transparentDataEncryption/1", + "state": "Enabled" + } +]; + +const createCache = (servers, databases, transparentDataEncryption, serversErr, databasesErr, transparentDataEncryptionErr) => { + const serverId = (servers && servers.length) ? servers[0].id : null; + const databaseId = (databases && databases.length) ? databases[0].id : null; + return { + servers: { + listSql: { + 'eastus': { + err: serversErr, + data: servers + } + } + }, + databases: { + listByServer: { + 'eastus': { + [serverId]: { + err: databasesErr, + data: databases + } + } + } + }, + transparentDataEncryption: { + list: { + 'eastus': { + [databaseId]: { + err: transparentDataEncryptionErr, + data: transparentDataEncryption + } + } + } + } + }; +}; + +describe('enableTransparentDataEncryption', function() { + describe('run', function() { + it('should give passing result if no SQL servers found', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No SQL servers found'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + [], + databases, + transparentDataEncryptionEnabled + ); + + enableTransparentDataEncryption.run(cache, {}, callback); + }); + + it('should give passing result if no databases found for SQL server', function(done) { + const callback = (err, results) 
=> { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No databases found for SQL server'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers, + [], + transparentDataEncryptionEnabled + ); + + enableTransparentDataEncryption.run(cache, {}, callback); + }); + + it('should give passing result if SQL Database transparent data encryption is enabled', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('SQL Database transparent data encryption is Enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers, + databases, + transparentDataEncryptionEnabled + ); + + enableTransparentDataEncryption.run(cache, {}, callback); + }); + + it('should give failing result if SQL Database transparent data encryption is disabled', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('SQL Database transparent data encryption is Disabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers, + databases, + [ + { + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database/transparentDataEncryption/1", + "state": "Disabled" + } + ] + ); + + enableTransparentDataEncryption.run(cache, {}, callback); + }); + + it('should give unknown result if unable to query for SQL servers', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for SQL servers'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = 
createCache( + [], + databases, + transparentDataEncryptionEnabled, + { message: 'unable to query servers' } + ); + + enableTransparentDataEncryption.run(cache, {}, callback); + }); + + it('should give unknown result if unable to query for SQL server databases', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for SQL server databases'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers, + [], + transparentDataEncryptionEnabled, + null, + { message: 'unable to query databases' } + ); + + enableTransparentDataEncryption.run(cache, {}, callback); + }); + + it('should give unknown result if unable to query for SQL Database transparent data encryption', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for SQL Database transparent data encryption'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers, + databases, + [], + null, + null, + { message: 'unable to query transparent data encryption' } + ); + + enableTransparentDataEncryption.run(cache, {}, callback); + }); + }); +}); From 760e98b2530b31fdc3cbc0334af79c5344fb91cf Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Tue, 28 Nov 2023 15:21:20 +0500 Subject: [PATCH 077/498] added sql db enableSecureEnclaves --- exports.js | 3 +- helpers/azure/api.js | 2 +- .../sqldatabases/dbEnableSecureEnclaves.js | 64 ++++++++ .../dbEnableSecureEnclaves.spec.js | 150 ++++++++++++++++++ 4 files changed, 217 insertions(+), 2 deletions(-) create mode 100644 plugins/azure/sqldatabases/dbEnableSecureEnclaves.js create mode 100644 plugins/azure/sqldatabases/dbEnableSecureEnclaves.spec.js 
diff --git a/exports.js b/exports.js
index 53c1523d03..462c69a408 100644
--- a/exports.js
+++ b/exports.js
@@ -989,7 +989,8 @@ module.exports = {
 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'),
 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'),
- 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js')
+ 'frontDoorMinimumTlsVersion': require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'),
+ 'dbEnableSecureEnclaves': require(__dirname + '/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js'),
 },
 github: {
 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'),
diff --git a/helpers/azure/api.js b/helpers/azure/api.js
index 0c44596e9d..7c8465cff7 100644
--- a/helpers/azure/api.js
+++ b/helpers/azure/api.js
@@ -765,7 +765,7 @@ var postcalls = {
 listByServer: {
 reliesOnPath: 'servers.listSql',
 properties: ['id'],
- url: 'https://management.azure.com/{id}/databases?api-version=2017-10-01-preview'
+ url: 'https://management.azure.com/{id}/databases?api-version=2023-02-01-preview'
 },
 sendIntegration: serviceMap['SQL Databases']
 },
diff --git a/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js b/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js
new file mode 100644
index 0000000000..e8a0b07301
--- /dev/null
+++ b/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js
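Review bot: Bumping `databases.listByServer` from `api-version=2017-10-01-preview` to `2023-02-01-preview` edits a shared `postcalls` entry, so every existing plugin that consumes `databases:listByServer` now receives the newer response shape, not only the new enclave check; neither the commit message nor the hunk says whether the properties those plugins read were verified against the new version. A short comment on the `url` line recording why the version moved would help the next person who touches it, e.g. `// 2023-02-01-preview: needed for the database properties read by dbEnableSecureEnclaves`. The identical hunk (same `index 0c44596e9d..7c8465cff7`) reappears in [PATCH 078/498], so one of the two is a no-op or a conflict depending on how the series is applied.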
@@ -0,0 +1,64 @@
+var async = require('async');
+var helpers = require('../../../helpers/azure');
+
+module.exports = {
+ title: 'Enable Always Encrypted with Secure Enclaves for SQL Databases',
+ category: 'SQL Databases',
+ domain: 'Databases',
+ description: 'Enable Always Encrypted with secure enclaves at the database level for enhanced data security.',
+ more_info: 'Always Encrypted with secure enclaves allows encrypted data to be processed inside a secure enclave for improved security.',
+ recommended_action: 'Enable Always Encrypted with secure enclaves for the SQL database to enhance data security.',
+ link: 'https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-enclaves-security-features?view=sql-server-ver15',
+ apis: ['servers:listSql', 'databases:listByServer'],
+
+ run: function(cache, settings, callback) {
+ var results = [];
+ var source = {};
+ var locations = helpers.locations(settings.govcloud);
+
+ async.each(locations.servers, function(location, rcb) {
+ var servers = helpers.addSource(cache, source, ['servers', 'listSql', location]);
+
+ if (!servers) return rcb();
+
+ if (servers.err || !servers.data) {
+ helpers.addResult(results, 3, 'Unable to query for SQL servers: ' + helpers.addError(servers), location);
+ return rcb();
+ }
+
+ if (!servers.data.length) {
+ helpers.addResult(results, 0, 'No SQL servers found', location);
+ return rcb();
+ }
+
+ servers.data.forEach(function(server) {
+ var databases = helpers.addSource(cache, source,
+ ['databases', 'listByServer', location, server.id]);
+
+ if (!databases || databases.err || !databases.data) {
+ helpers.addResult(results, 3,
+ 'Unable to query for SQL server databases: ' + helpers.addError(databases), location, server.id);
+ } else {
+ if (!databases.data.length) {
+ helpers.addResult(results, 0,
+ 'No databases found for SQL server', location, server.id);
+ } else {
+ databases.data.forEach(function(database) {
+
+ if (!database.preferredEnclaveType) {
+ helpers.addResult(results, 2, 'Always Encrypted with secure enclaves disabled', location, database.id);
+ } else {
+ helpers.addResult(results, 0, 'Always Encrypted with secure enclaves enabled', location, database.id);
+ }
+ }
+ );
+ }
+ }
+ });
+
+ rcb();
+ }, function() {
+ callback(null, results, source);
+ });
+ }
+};
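Review bot: `if (!database.preferredEnclaveType)` treats any non-empty value as "enclaves enabled", but the Azure SQL `preferredEnclaveType` property's documented values are `Default` (no enclave) and `VBS`, so a database reporting `Default` would be marked PASS; confirm the value set returned by the `2023-02-01-preview` API this commit switches to before relying on it. Checking for the enabling value is the safer shape: `var enclaveType = database.preferredEnclaveType; if (enclaveType && enclaveType.toLowerCase() === 'vbs') {` with the PASS branch first and the FAIL branch in the `else`, and the spec should add a fixture with `"preferredEnclaveType": "Default"` to pin the intended outcome. The inner `forEach` is closed as `}` and `);` on separate lines, unlike the `});` used everywhere else in this file. The `description` reads as an action (`Enable Always Encrypted …`) rather than the check performed; the `Ensures …` form used by `dbSyncGroupPrivateLink` is the catalogue's convention.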
@@ -0,0 +1,150 @@ +var expect = require('chai').expect; +var enableAlwaysEncrypted = require('./dbEnableSecureEnclaves'); + +const servers = [ + { + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server", + } +]; + +const databases = [ + { + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database", + "preferredEnclaveType": "VBS", + }, + { + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database", + }, +]; + +const createCache = (servers, databases, serversErr, databasesErr) => { + const serverId = (servers && servers.length) ? servers[0].id : null; + return { + servers: { + listSql: { + 'eastus': { + err: serversErr, + data: servers + } + } + }, + databases: { + listByServer: { + 'eastus': { + [serverId]: { + err: databasesErr, + data: databases + } + } + } + } + }; +}; + +describe('enableAlwaysEncrypted', function() { + describe('run', function() { + it('should give passing result if no SQL servers found', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No SQL servers found'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + [] + ); + + enableAlwaysEncrypted.run(cache, {}, callback); + }); + + it('should give passing result if no databases found for SQL server', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No databases found for SQL server'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers, + [] + ); + + enableAlwaysEncrypted.run(cache, {}, callback); + }); + + it('should give passing result if Always Encrypted with secure enclaves is enabled for 
the database', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Always Encrypted with secure enclaves enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers, + [databases[0]] + ); + + enableAlwaysEncrypted.run(cache, {}, callback); + }); + + it('should give failing result if Always Encrypted with secure enclaves is disabled for the database', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Always Encrypted with secure enclaves disabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers, + [databases[1]] + ); + + enableAlwaysEncrypted.run(cache, {}, callback); + }); + + it('should give unknown result if unable to query for SQL servers', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for SQL servers'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + [], + [], + { message: 'unable to query servers' } + ); + + enableAlwaysEncrypted.run(cache, {}, callback); + }); + + it('should give unknown result if unable to query for SQL server databases', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for SQL server databases'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers, + [], + null, + { message: 'unable to query databases' } + ); + + enableAlwaysEncrypted.run(cache, {}, callback); + }); + }); +}); 
From 9e78a26429e722b34c96781c39e8751861b90f60 Mon Sep 17 00:00:00 2001
From: Muzzammil
Date: Tue, 28 Nov 2023 15:22:38 +0500
Subject: [PATCH 078/498] added sql db ledgerEnabled
---
 helpers/azure/api.js | 2 +-
 plugins/azure/sqldatabases/dbLedgerEnabled.js | 67 ++++++++
 .../sqldatabases/dbLedgerEnabled.spec.js | 151 ++++++++++++++++++
 3 files changed, 219 insertions(+), 1 deletion(-)
 create mode 100644 plugins/azure/sqldatabases/dbLedgerEnabled.js
 create mode 100644 plugins/azure/sqldatabases/dbLedgerEnabled.spec.js
diff --git a/helpers/azure/api.js b/helpers/azure/api.js
index 0c44596e9d..7c8465cff7 100644
--- a/helpers/azure/api.js
+++ b/helpers/azure/api.js
@@ -765,7 +765,7 @@ var postcalls = {
 listByServer: {
 reliesOnPath: 'servers.listSql',
 properties: ['id'],
- url: 'https://management.azure.com/{id}/databases?api-version=2017-10-01-preview'
+ url: 'https://management.azure.com/{id}/databases?api-version=2023-02-01-preview'
 },
 sendIntegration: serviceMap['SQL Databases']
 },
diff --git a/plugins/azure/sqldatabases/dbLedgerEnabled.js b/plugins/azure/sqldatabases/dbLedgerEnabled.js
new file mode 100644
index 0000000000..ea36dccd8f
--- /dev/null
+++ b/plugins/azure/sqldatabases/dbLedgerEnabled.js
@@ -0,0 +1,67 @@
+var async = require('async');
+var helpers = require('../../../helpers/azure');
+
+module.exports = {
+ title: 'Enable Azure Ledger for SQL Databases',
+ category: 'SQL Databases',
+ domain: 'Databases',
+ description: 'Enable Azure ledger to protect the integrity of data for SQL databases.',
+ more_info: 'Azure ledger helps protect the integrity of data by enabling customers to use cryptographic seals on their data.',
+ recommended_action: 'Enable Azure ledger for all future tables in the SQL database to enhance data integrity.',
+ link: 'https://docs.microsoft.com/en-us/azure/sql-database/sql-database-ledger-overview',
+ apis: ['servers:listSql', 'databases:listByServer'],
+
+ run: function(cache, settings, callback) {
+ var results = [];
+ var source = {};
+ var locations = helpers.locations(settings.govcloud);
+
+ async.each(locations.servers, function(location, rcb) {
+ var servers = helpers.addSource(cache, source, ['servers', 'listSql', location]);
+
+ if (!servers) return rcb();
+
+ if (servers.err || !servers.data) {
+ helpers.addResult(results, 3, 'Unable to query for SQL servers: ' + helpers.addError(servers), location);
+ return rcb();
+ }
+
+ if (!servers.data.length) {
+ helpers.addResult(results, 0, 'No SQL servers found', location);
+ return rcb();
+ }
+
+ // Loop through servers and check databases
+ servers.data.forEach(function(server) {
+ var databases = helpers.addSource(cache, source,
+ ['databases', 'listByServer', location, server.id]);
+
+ if (!databases || databases.err || !databases.data) {
+ helpers.addResult(results, 3,
+ 'Unable to query for SQL server databases: ' + helpers.addError(databases), location, server.id);
+ } else {
+ if (!databases.data.length) {
+ helpers.addResult(results, 0,
+ 'No databases found for SQL server', location, server.id);
+ } else {
+ // Loop through databases
+ databases.data.forEach(function(database) {
+
+ if (database.isLedgerOn==true) {
+ helpers.addResult(results, 0, 'Azure ledger is enabled', location, database.id);
+ } else {
+ helpers.addResult(results, 2, 'Azure ledger is disabled', location, database.id);
+ }
+
+ });
+ }
+
+ }
+ });
+
+ rcb();
+ }, function() {
+ callback(null, results, source);
+ });
+ }
+};
diff --git a/plugins/azure/sqldatabases/dbLedgerEnabled.spec.js b/plugins/azure/sqldatabases/dbLedgerEnabled.spec.js
new file mode 100644
index 0000000000..f592c2b369
--- /dev/null
+++ b/plugins/azure/sqldatabases/dbLedgerEnabled.spec.js
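Review bot: This commit's diffstat lists `helpers/azure/api.js`, the plugin and its spec but no `exports.js` change, whereas each of the three preceding commits registers its new plugin there; unless `dbLedgerEnabled` is registered in a later commit, the plugin loader will not pick it up. `database.isLedgerOn==true` uses loose equality; `if (database.isLedgerOn === true)` (or simply `if (database.isLedgerOn)`) says the same thing and matches the strict-equality style expected elsewhere. The `description` and `recommended_action` read as actions (`Enable Azure ledger …`) rather than as the check performed; `Ensures Azure ledger is enabled for SQL databases` would match `dbSyncGroupPrivateLink` and the rest of the catalogue.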
@@ -0,0 +1,151 @@ +var expect = require('chai').expect; +var enableAzureLedger = require('./dbLedgerEnabled'); + +const servers = [ + { + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server", + } +]; + +const databases = [ + { + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database", + "isLedgerOn": true, + }, + { + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database", + "isLedgerOn": false, + } +]; + +const createCache = (servers, databases, serversErr, databasesErr) => { + const serverId = (servers && servers.length) ? servers[0].id : null; + return { + servers: { + listSql: { + 'eastus': { + err: serversErr, + data: servers + } + } + }, + databases: { + listByServer: { + 'eastus': { + [serverId]: { + err: databasesErr, + data: databases + } + } + } + } + }; +}; + +describe('enableAzureLedger', function() { + describe('run', function() { + it('should give passing result if no SQL servers found', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No SQL servers found'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + [] + ); + + enableAzureLedger.run(cache, {}, callback); + }); + + it('should give passing result if no databases found for SQL server', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No databases found for SQL server'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers, + [] + ); + + enableAzureLedger.run(cache, {}, callback); + }); + + it('should give passing result if Azure ledger is enabled for the database', function(done) { + const 
callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Azure ledger is enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers, + [databases[0]] + ); + + enableAzureLedger.run(cache, {}, callback); + }); + + it('should give failing result if Azure ledger is not enabled for the database', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Azure ledger is disabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers, + [databases[1]] + ); + + enableAzureLedger.run(cache, {}, callback); + }); + + it('should give unknown result if unable to query for SQL servers', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for SQL servers'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + [], + [], + { message: 'unable to query servers' } + ); + + enableAzureLedger.run(cache, {}, callback); + }); + + it('should give unknown result if unable to query for SQL server databases', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for SQL server databases'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers, + [], + null, + { message: 'unable to query databases' } + ); + + enableAzureLedger.run(cache, {}, callback); + }); + }); +}); From cb9ba4a821027f1048223a20bdf8c2739e1fbc91 Mon Sep 17 00:00:00 2001 
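Review bot: the spec imports `./dbLedgerEnabled` under the name `enableAzureLedger` and titles its `describe` block the same way, which does not match the module name the plugin is registered under in exports.js; `var dbLedgerEnabled = require('./dbLedgerEnabled');` and `describe('dbLedgerEnabled', …)` keep the spec discoverable next to the plugin. Both entries in the `databases` fixture also share one `id`, so a future assertion on `results[0].resource` could not tell the enabled and disabled cases apart; giving the second fixture its own id (e.g. `.../databases/test-database-2`, constructed) costs nothing.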
From: Muzzammil Date: Tue, 28 Nov 2023 15:22:59 +0500 Subject: [PATCH 079/498] added sql db ledgerEnabled --- exports.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/exports.js b/exports.js index 53c1523d03..15c67dd606 100644 --- a/exports.js +++ b/exports.js @@ -989,7 +989,8 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') + 'frontDoorMinimumTlsVersion': require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + 'dbLedgerEnabled': require(__dirname + '/plugins/azure/sqldatabases/dbLedgerEnabled.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), From ab2369a21169b50fa03a123dc1ac70aaf3d6321e Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Tue, 28 Nov 2023 18:24:39 +0500 Subject: [PATCH 080/498] added sql server plugin restrict outbound networking --- exports.js | 4 +- .../sqlserver/restrictOutboundNetworking.js | 50 ++++++++++++ .../restrictOutboundNetworking.spec.js | 80 +++++++++++++++++++ 3 files changed, 133 insertions(+), 1 deletion(-) create mode 100644 plugins/azure/sqlserver/restrictOutboundNetworking.js create mode 100644 plugins/azure/sqlserver/restrictOutboundNetworking.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..55afcf3117 100644 --- a/exports.js +++ b/exports.js 
@@ -882,7 +882,9 @@ module.exports = { 'serverSendEmailToAdmins' : require(__dirname + '/plugins/azure/sqlserver/serverSendEmailToAdmins.js'), 'sqlServerRecurringScans' : require(__dirname + '/plugins/azure/sqlserver/sqlServerRecurringScans.js'), 'sqlServerSendScanReports' : require(__dirname + '/plugins/azure/sqlserver/sqlServerSendScanReports.js'), - 'sqlServerHasTags' : require(__dirname + '/plugins/azure/sqlserver/sqlServerHasTags.js'), + 'sqlServerHasTags': require(__dirname + '/plugins/azure/sqlserver/sqlServerHasTags.js'), + 'restrictOutboundNetworking': require(__dirname + '/plugins/azure/sqlserver/restrictOutboundNetworking.js'), + 'javaVersion' : require(__dirname + '/plugins/azure/appservice/javaVersion.js'), 'phpVersion' : require(__dirname + '/plugins/azure/appservice/phpVersion.js'), diff --git a/plugins/azure/sqlserver/restrictOutboundNetworking.js b/plugins/azure/sqlserver/restrictOutboundNetworking.js new file mode 100644 index 0000000000..ee250b8d13 --- /dev/null +++ b/plugins/azure/sqlserver/restrictOutboundNetworking.js 
@@ -0,0 +1,50 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Restrict Outbound Networking for SQL Server', + category: 'SQL Server', + domain: 'Databases', + description: 'Ensure outbound networking restrictions are configured for the Azure SQL logical server.', + more_info: 'Outbound firewall rules limit network traffic from the Azure SQL logical server to a customer-defined list of Azure Storage accounts and Azure SQL logical servers.', + recommended_action: 'Configure outbound networking restrictions to allow access only to specified Azure Storage accounts and Azure SQL logical servers.', + link: 'https://docs.microsoft.com/en-us/azure/azure-sql/database/firewall-configure#configure-outbound-networking-restrictions', + apis: ['servers:listSql'], + + run: function(cache, settings, callback) { + var results = []; + var source = {}; + var locations = helpers.locations(settings.govcloud); + + async.each(locations.servers, function(location, rcb) { + + const servers = helpers.addSource(cache, source, + ['servers', 'listSql', location]); + + if (!servers) return rcb(); + + if (servers.err || !servers.data) { + helpers.addResult(results, 3, + 'Unable to query for SQL servers: ' + helpers.addError(servers), location); + return rcb(); + } + + if (!servers.data.length) { + helpers.addResult(results, 0, 'No SQL servers found', location); + return rcb(); + } + + for (const server of servers.data) { + if (server.restrictOutboundNetworkAccess && server.restrictOutboundNetworkAccess.toLowerCase()=='enabled') { + helpers.addResult(results, 0, 'Outbound networking restrictions are configured for the SQL server', location, server.name); + } else { + helpers.addResult(results, 2, 'Outbound networking restrictions are not configured for the SQL server', location, server.name); + } + } + + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; 
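Review bot: the server check compares with `==` (`server.restrictOutboundNetworkAccess.toLowerCase()=='enabled'`); both sides are strings here so behaviour is unchanged, but `=== 'enabled'` is the idiomatic strict comparison and avoids the question entirely. Results are keyed by `server.name`, whereas the dbLedgerEnabled plugin earlier in this series passes full resource ids (`server.id`, `database.id`); passing `server.id` here would make findings addressable in the same way. A `// 'Enabled' means outbound traffic is limited to the server's outbound firewall rules` comment above the `for` loop would tie the checked property to the `more_info` text.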
diff --git a/plugins/azure/sqlserver/restrictOutboundNetworking.spec.js b/plugins/azure/sqlserver/restrictOutboundNetworking.spec.js
new file mode 100644
index 0000000000..4abbba1312
--- /dev/null
+++ b/plugins/azure/sqlserver/restrictOutboundNetworking.spec.js
@@ -0,0 +1,80 @@ +var expect = require('chai').expect; +var restrictOutboundNetworking = require('./restrictOutboundNetworking'); + +const servers = [ + { + "name": "test-server", + "restrictOutboundNetworkAccess": "Enabled" + } +]; + +const createCache = (servers, serversErr) => { + return { + servers: { + listSql: { + 'eastus': { + err: serversErr, + data: servers + } + } + } + }; +}; + +describe('restrictOutboundNetworking', function () { + describe('run', function () { + it('should give passing result if outbound networking restrictions are configured for the SQL server', function (done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Outbound networking restrictions are configured for the SQL server'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + servers + ); + + restrictOutboundNetworking.run(cache, {}, callback); + }); + + it('should give failing result if outbound networking restrictions are not configured for the SQL server', function (done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Outbound networking restrictions are not configured for the SQL server'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + [ + { + "name": "test-server", + "restrictOutboundNetworkAccess": "Disabled" + } + ] + ); + + restrictOutboundNetworking.run(cache, {}, callback); + }); + + it('should give unknown result if unable to query for SQL servers', function (done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for SQL servers'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + [], + 
{ message: 'unable to query servers' } + ); + + restrictOutboundNetworking.run(cache, {}, callback); + }); + }); +}); From 1bf0efac2a35dcb75d2d26123261810dbab8dd19 Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Tue, 28 Nov 2023 18:56:59 +0500 Subject: [PATCH 081/498] updated resource mapping on id --- plugins/azure/sqlserver/restrictOutboundNetworking.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/sqlserver/restrictOutboundNetworking.js b/plugins/azure/sqlserver/restrictOutboundNetworking.js index ee250b8d13..c4a73110a8 100644 --- a/plugins/azure/sqlserver/restrictOutboundNetworking.js +++ b/plugins/azure/sqlserver/restrictOutboundNetworking.js @@ -36,9 +36,9 @@ module.exports = { for (const server of servers.data) { if (server.restrictOutboundNetworkAccess && server.restrictOutboundNetworkAccess.toLowerCase()=='enabled') { - helpers.addResult(results, 0, 'Outbound networking restrictions are configured for the SQL server', location, server.name); + helpers.addResult(results, 0, 'Outbound networking restrictions are configured for the SQL server', location, server.id); } else { - helpers.addResult(results, 2, 'Outbound networking restrictions are not configured for the SQL server', location, server.name); + helpers.addResult(results, 2, 'Outbound networking restrictions are not configured for the SQL server', location, server.id); } } From 30696aafa8de65b877b48d04a316f3be111ea59a Mon Sep 17 00:00:00 2001 
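Review bot: the spec covers the enabled, disabled and error paths but not the `No SQL servers found` branch, nor a server object with no `restrictOutboundNetworkAccess` property at all, both of which are distinct branches in the plugin. A fourth `it` that passes `createCache([])` and expects status 0 with message `No SQL servers found`, and a fifth that passes `[{ "name": "test-server" }]` and expects status 2, would pin both. The fixture also carries only `name`, so nothing in this file would notice if the plugin changed which property it reports as the resource.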
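Review bot: the resource reported by both `addResult` calls changes from `server.name` to `server.id`, but the diffstat shows the plugin's spec is not touched and its fixtures define only `name`; under the existing tests `results[0].resource` is now `undefined`, and because the assertions never check `resource` the suite passes silently. Adding `"id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server"` to the fixtures (constructed, mirroring the dbLedgerEnabled spec) and asserting `expect(results[0].resource).to.equal(servers[0].id);` would lock the change in. The enclosing `for` loop and the `run` function start before this hunk.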
From: mehakseedat63 Date: Mon, 27 Nov 2023 21:40:46 +0500 Subject: [PATCH 082/498] Azure - Namespace Logging Enabed Plugin --- exports.js | 6 +- helpers/azure/api.js | 7 +- .../servicebus/namespaceEncryptionAtRest.js | 53 -------- .../namespaceEncryptionAtRest.spec.js | 118 ------------------ .../azure/servicebus/namespaceLocalAuth.js | 50 -------- .../servicebus/namespaceLocalAuth.spec.js | 90 ------------- .../azure/servicebus/namespaceTlsVersion.js | 50 -------- .../servicebus/namespaceTlsVersion.spec.js | 92 -------------- 8 files changed, 7 insertions(+), 459 deletions(-) delete mode 100644 plugins/azure/servicebus/namespaceEncryptionAtRest.js delete mode 100644 plugins/azure/servicebus/namespaceEncryptionAtRest.spec.js delete mode 100644 plugins/azure/servicebus/namespaceLocalAuth.js delete mode 100644 plugins/azure/servicebus/namespaceLocalAuth.spec.js delete mode 100644 plugins/azure/servicebus/namespaceTlsVersion.js delete mode 100644 plugins/azure/servicebus/namespaceTlsVersion.spec.js diff --git a/exports.js b/exports.js index dd8ffc2354..53c1523d03 100644 --- a/exports.js +++ b/exports.js @@ -989,11 +989,7 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), - - 'namespaceLocalAuth' : require(__dirname + '/plugins/azure/servicebus/namespaceLocalAuth.js'), - 'namespaceTlsVersion' : require(__dirname + '/plugins/azure/servicebus/namespaceTlsVersion.js'), - 'namespaceEncryptionAtRest' : require(__dirname + '/plugins/azure/servicebus/namespaceEncryptionAtRest.js'), + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), 
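Review bot: this hunk only removes the `namespaceLocalAuth`, `namespaceTlsVersion` and `namespaceEncryptionAtRest` registrations, and the diffstat lists no new plugin file, although the subject announces a namespace logging plugin; the accompanying `helpers/azure/api.js` hunk adds a `listByServiceBusNamespaces` tertiary call that nothing in this commit consumes. This looks like a rebase that dropped the intended plugin and swept in unrelated deletions — the three removed plugins were complete with specs, and one of them is re-added in the following commit. Before merging, either restore the three registrations and their files or split the removals into a commit whose subject says so, and add the plugin that uses `listByServiceBusNamespaces` (or hold the api.js entry until it has a consumer).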
diff --git a/helpers/azure/api.js b/helpers/azure/api.js index fb35e80056..6f26ae5456 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -963,7 +963,12 @@ var tertiarycalls = { reliesOnPath: 'registries.list', properties: ['id'], url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview' - } + }, + listByServiceBusNamespaces: { + reliesOnPath: 'serviceBus.listNamespacesBySubscription', + properties: ['id'], + url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview' + }, }, backupShortTermRetentionPolicies: { diff --git a/plugins/azure/servicebus/namespaceEncryptionAtRest.js b/plugins/azure/servicebus/namespaceEncryptionAtRest.js deleted file mode 100644 index 2a7278ba83..0000000000 --- a/plugins/azure/servicebus/namespaceEncryptionAtRest.js +++ /dev/null 
@@ -1,53 +0,0 @@ -var async = require('async'); -var helpers = require('../../../helpers/azure'); - -module.exports = { - title: 'Namespace Encryption At Rest with CMK', - category: 'Service Bus', - domain: 'Application Integration', - description: 'Ensure that Azure Service Bus namespaces are encrypted with CMK.', - more_info: 'Azure Service Bus allows you to encrypt data in your namespaces using customer-managed keys (CMK) instead of using platform-managed keys, which are enabled by default. Using CMK encryption offers enhanced security and compliance, allowing centralized management and control of encryption keys through Azure Key Vault.', - recommended_action: 'Ensure that Azure Service Bus namespaces have CMK encryption enabled.', - link: 'https://learn.microsoft.com/en-us/azure/service-bus-messaging/configure-customer-managed-key', - apis: ['serviceBus:listNamespacesBySubscription'], - - run: function(cache, settings, callback) { - const results = []; - const source = {}; - const locations = helpers.locations(settings.govcloud); - - async.each(locations.serviceBus, function(location, rcb) { - const namespaces = helpers.addSource(cache, source, - ['serviceBus', 'listNamespacesBySubscription', location]); - - if (!namespaces) return rcb(); - - - if (namespaces.err || !namespaces.data) { - helpers.addResult(results, 3, 'Unable to query Service Bus namespaces: ' + helpers.addError(namespaces), location); - return rcb(); - } - - if (!namespaces.data.length) { - helpers.addResult(results, 0, 'No Service Bus namespaces found', location); - return rcb(); - } - - for (let namespace of namespaces.data) { - - if (namespace.sku && namespace.sku.tier && namespace.sku.tier.toLowerCase() !== 'premium') { - helpers.addResult(results, 0, 'Service Bus Namespace is not a premium namespace', location, namespace.id); - } else if (namespace.encryption && Object.keys(namespace.encryption).length) { - helpers.addResult(results, 0, 'Service Bus Namespace is encrypted using CMK', 
location, namespace.id); - } else { - helpers.addResult(results, 2, 'Service Bus Namespace is not encrypted using CMK', location, namespace.id); - } - } - - rcb(); - }, function() { - // Global checking goes here - callback(null, results, source); - }); - } -}; \ No newline at end of file diff --git a/plugins/azure/servicebus/namespaceEncryptionAtRest.spec.js b/plugins/azure/servicebus/namespaceEncryptionAtRest.spec.js deleted file mode 100644 index 394f71b462..0000000000 --- a/plugins/azure/servicebus/namespaceEncryptionAtRest.spec.js +++ /dev/null 
@@ -1,118 +0,0 @@ -var expect = require('chai').expect; -var namespaceEncryptionAtRest = require('./namespaceEncryptionAtRest.js'); - -const namespaces = [ - { - sku: { name: 'Premium', tier: 'Premium', capacity: 1 }, - id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test', - name: 'test', - type: 'Microsoft.ServiceBus/Namespaces', - location: 'East US', - publicNetworkAccess: 'Enabled', - disableLocalAuth: false, - provisioningState: 'Succeeded', - status: 'Active' - }, - { - sku: { name: 'Premium', tier: 'Premium', capacity: 1 }, - id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test2', - name: 'test2', - type: 'Microsoft.ServiceBus/Namespaces', - location: 'East US', - publicNetworkAccess: 'Enabled', - disableLocalAuth: true, - provisioningState: 'Succeeded', - status: 'Active', - encryption: { - keySource: 'Microsoft.KeyVault', - requireInfrastructureEncryption: false - }, - }, - { - sku: { name: 'Basic', tier: 'Basic' }, - id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test3', - name: 'test2', - type: 'Microsoft.ServiceBus/Namespaces', - location: 'East US', - publicNetworkAccess: 'Enabled', - disableLocalAuth: true, - provisioningState: 'Succeeded', - status: 'Active' - }, -]; - - -const createCache = (namespaces, err) => { - - return { - serviceBus: { - listNamespacesBySubscription: { - 'eastus': { - data: namespaces, - err: err - } - } - } - }; -}; - -describe('namespaceEncryptionAtRest', function () { - describe('run', function () { - - it('should give a passing result if no Service Bus namespaces are found', function (done) { - const cache = createCache([], null); - namespaceEncryptionAtRest.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('No Service Bus namespaces found'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); - - it('should give unknown result if 
unable to query for Service Bus namespaces', function (done) { - const cache = createCache(null, ['error']); - namespaceEncryptionAtRest.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(3); - expect(results[0].message).to.include('Unable to query Service Bus namespaces'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); - - - it('should give passing result if namespace is not using premium tier', function (done) { - const cache = createCache([namespaces[2]], null); - namespaceEncryptionAtRest.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Service Bus Namespace is not a premium namespace'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); - - it('should give passing result if namespace is using CMK encryption', function (done) { - const cache = createCache([namespaces[1]], null); - namespaceEncryptionAtRest.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Service Bus Namespace is encrypted using CMK'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); - - it('should give failing result if namespace is not using CMK encryption', function (done) { - const cache = createCache([namespaces[0]], null); - namespaceEncryptionAtRest.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Service Bus Namespace is not encrypted using CMK'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); - }); -}); \ No newline at end of file diff --git a/plugins/azure/servicebus/namespaceLocalAuth.js b/plugins/azure/servicebus/namespaceLocalAuth.js deleted file mode 100644 index 6912a617b6..0000000000 
--- a/plugins/azure/servicebus/namespaceLocalAuth.js
+++ /dev/null
@@ -1,50 +0,0 @@ -var async = require('async'); -var helpers = require('../../../helpers/azure'); - -module.exports = { - title: 'Namespace Local Authentication Disabled', - category: 'Service Bus', - domain: 'Application Integration', - description: 'Ensures local authentication is disabled for Service Bus namespaces.', - more_info: 'For enhanced security, centralized identity management, and seamless integration with Azure\'s authentication and authorization services, it is recommended to rely on Azure Active Directory (Azure AD) and disable local authentication (shared access policies) in Azure Service Bus namespaces.', - recommended_action: 'Ensure that Azure Service Bus namespaces have local authentication disabled.', - link: 'https://learn.microsoft.com/en-us/azure/service-bus-messaging/disable-local-authentication', - apis: ['serviceBus:listNamespacesBySubscription'], - - run: function(cache, settings, callback) { - const results = []; - const source = {}; - const locations = helpers.locations(settings.govcloud); - - async.each(locations.serviceBus, function(location, rcb) { - const namespaces = helpers.addSource(cache, source, - ['serviceBus', 'listNamespacesBySubscription', location]); - - if (!namespaces) return rcb(); - - - if (namespaces.err || !namespaces.data) { - helpers.addResult(results, 3, 'Unable to query Service Bus namespaces: ' + helpers.addError(namespaces), location); - return rcb(); - } - - if (!namespaces.data.length) { - helpers.addResult(results, 0, 'No Service Bus namespaces found', location); - return rcb(); - } - - for (let namespace of namespaces.data) { - if (namespace.disableLocalAuth) { - helpers.addResult(results, 0, 'Service Bus Namespace has local authentication disabled', location, namespace.id); - } else { - helpers.addResult(results, 2, 'Service Bus Namespace has local authentication enabled', location, namespace.id); - } - } - - rcb(); - }, function() { - // Global checking goes here - callback(null, results, source); - }); 
- } -}; \ No newline at end of file diff --git a/plugins/azure/servicebus/namespaceLocalAuth.spec.js b/plugins/azure/servicebus/namespaceLocalAuth.spec.js deleted file mode 100644 index 2755a180db..0000000000 --- a/plugins/azure/servicebus/namespaceLocalAuth.spec.js +++ /dev/null 
@@ -1,90 +0,0 @@ -var expect = require('chai').expect; -var namespaceLocalAuth = require('./namespaceLocalAuth.js'); - -const namespaces = [ - { - id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test', - name: 'test', - type: 'Microsoft.ServiceBus/Namespaces', - location: 'East US', - publicNetworkAccess: 'Enabled', - disableLocalAuth: false, - provisioningState: 'Succeeded', - status: 'Active' - }, - { - id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test', - name: 'test2', - type: 'Microsoft.ServiceBus/Namespaces', - location: 'East US', - publicNetworkAccess: 'Enabled', - disableLocalAuth: true, - provisioningState: 'Succeeded', - status: 'Active' - }, -]; - - -const createCache = (namespaces, err) => { - - return { - serviceBus: { - listNamespacesBySubscription: { - 'eastus': { - data: namespaces, - err: err - } - } - } - }; -}; - -describe('namespaceLocalAuth', function () { - describe('run', function () { - - it('should give a passing result if no Service Bus namespaces are found', function (done) { - const cache = createCache([], null); - namespaceLocalAuth.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('No Service Bus namespaces found'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); - - it('should give unknown result if unable to query for Service Bus namespaces', function (done) { - const cache = createCache(null, ['error']); - namespaceLocalAuth.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(3); - expect(results[0].message).to.include('Unable to query Service Bus namespaces'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); - - - it('should give passing result if local authenication is disabled for namespace', function (done) { - const cache = createCache([namespaces[1]], null); - 
namespaceLocalAuth.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Service Bus Namespace has local authentication disabled'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); - - it('should give failing result if local authentication is enabled for namespace', function (done) { - const cache = createCache([namespaces[0]], null); - namespaceLocalAuth.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Service Bus Namespace has local authentication enabled'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); - }); -}); \ No newline at end of file diff --git a/plugins/azure/servicebus/namespaceTlsVersion.js b/plugins/azure/servicebus/namespaceTlsVersion.js deleted file mode 100644 index 32a4df1678..0000000000 --- a/plugins/azure/servicebus/namespaceTlsVersion.js +++ /dev/null 
@@ -1,50 +0,0 @@ -var async = require('async'); -var helpers = require('../../../helpers/azure'); - -module.exports = { - title: 'Namespace Minimum TLS Version', - category: 'Service Bus', - domain: 'Application Integration', - description: 'Ensures that Azure Service Bus namespace is using the latest TLS version.', - more_info: 'TLS versions 1.0 and 1.1 are known to be susceptible to attacks, and to have other Common Vulnerabilities and Exposures (CVE) weaknesses. So there\'s an industry-wide push toward the exclusive use of Transport Layer Security(TLS) version 1.2 or later.', - recommended_action: 'Ensure that Azure Srvice Bus namespaces are using the latest TLS version', - link: 'https://learn.microsoft.com/en-us/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version', - apis: ['serviceBus:listNamespacesBySubscription'], - - run: function(cache, settings, callback) { - const results = []; - const source = {}; - const locations = helpers.locations(settings.govcloud); - - async.each(locations.serviceBus, function(location, rcb) { - const namespaces = helpers.addSource(cache, source, - ['serviceBus', 'listNamespacesBySubscription', location]); - - if (!namespaces) return rcb(); - - - if (namespaces.err || !namespaces.data) { - helpers.addResult(results, 3, 'Unable to query Service Bus namespaces: ' + helpers.addError(namespaces), location); - return rcb(); - } - - if (!namespaces.data.length) { - helpers.addResult(results, 0, 'No Service Bus namespaces found', location); - return rcb(); - } - - for (let namespace of namespaces.data) { - if (namespace.minimumTlsVersion && (parseFloat(namespace.minimumTlsVersion) >= 1.2)) { - helpers.addResult(results, 0, 'Service Bus namespace is using the latest TLS Version', location, namespace.id); - } else { - helpers.addResult(results, 2, 'Service Bus namespace is not using the latest TLS Version', location, namespace.id); - } - } - - rcb(); - }, function() { - // Global checking goes here - 
callback(null, results, source); - }); - } -}; \ No newline at end of file diff --git a/plugins/azure/servicebus/namespaceTlsVersion.spec.js b/plugins/azure/servicebus/namespaceTlsVersion.spec.js deleted file mode 100644 index 43ca872ba7..0000000000 --- a/plugins/azure/servicebus/namespaceTlsVersion.spec.js +++ /dev/null 
@@ -1,92 +0,0 @@ -var expect = require('chai').expect; -var namespaceTlsVersion = require('./namespaceTlsVersion.js'); - -const namespaces = [ - { - id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test', - name: 'test', - type: 'Microsoft.ServiceBus/Namespaces', - location: 'East US', - publicNetworkAccess: 'Enabled', - disableLocalAuth: false, - provisioningState: 'Succeeded', - status: 'Active', - minimumTlsVersion: '1.1' - }, - { - id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test', - name: 'test2', - type: 'Microsoft.ServiceBus/Namespaces', - location: 'East US', - publicNetworkAccess: 'Enabled', - disableLocalAuth: true, - provisioningState: 'Succeeded', - status: 'Active', - minimumTlsVersion: '1.2' - }, -]; - - -const createCache = (namespaces, err) => { - - return { - serviceBus: { - listNamespacesBySubscription: { - 'eastus': { - data: namespaces, - err: err - } - } - } - }; -}; - -describe('namespaceTlsVersion', function () { - describe('run', function () { - - it('should give a passing result if no Service Bus namespaces are found', function (done) { - const cache = createCache([], null); - namespaceTlsVersion.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('No Service Bus namespaces found'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); - - it('should give unknown result if unable to query for Service Bus namespaces', function (done) { - const cache = createCache(null, ['error']); - namespaceTlsVersion.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(3); - expect(results[0].message).to.include('Unable to query Service Bus namespaces'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); - - - it('should give passing result if namespace is using the latest tls version', function (done) { - const cache 
= createCache([namespaces[1]], null); - namespaceTlsVersion.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Service Bus namespace is using the latest TLS Version'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); - - it('should give failing result if namespace is not using the latest tls version', function (done) { - const cache = createCache([namespaces[0]], null); - namespaceTlsVersion.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Service Bus namespace is not using the latest TLS Version'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); - }); -}); \ No newline at end of file From 83c9715a7e5726ab32d60aa62c313730fe2bf474 Mon Sep 17 00:00:00 2001 From: mehakseedat63 Date: Wed, 29 Nov 2023 10:49:21 +0500 Subject: [PATCH 083/498] Azure - Service Bus Namespace Encryption Plugin --- exports.js | 5 +- .../servicebus/namespaceEncryptionAtRest.js | 53 ++++++++ .../namespaceEncryptionAtRest.spec.js | 118 ++++++++++++++++++ 3 files changed, 175 insertions(+), 1 deletion(-) create mode 100644 plugins/azure/servicebus/namespaceEncryptionAtRest.js create mode 100644 plugins/azure/servicebus/namespaceEncryptionAtRest.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..dc53ccd93b 100644 --- a/exports.js +++ b/exports.js 
@@ -989,7 +989,10 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + + 'namespaceEncryptionAtRest' : require(__dirname + '/plugins/azure/servicebus/namespaceEncryptionAtRest.js'), + }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/plugins/azure/servicebus/namespaceEncryptionAtRest.js b/plugins/azure/servicebus/namespaceEncryptionAtRest.js new file mode 100644 index 0000000000..2a7278ba83 --- /dev/null +++ b/plugins/azure/servicebus/namespaceEncryptionAtRest.js 
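Review bot: The `'frontDoorMinimumTlsVersion'` line is rewritten (trailing comma added) by this exports.js hunk and again by the equivalent hunks in PATCH 084 and PATCH 085, and all three start from the same blob (`index 53c1523d03..`), so once the first of them is applied the other two no longer match their context and will need rebasing onto the comma-terminated line. The blank added lines around `'namespaceEncryptionAtRest'` also break the one-entry-per-line layout of the surrounding registrations; the entry should be a single line `'namespaceEncryptionAtRest' : require(__dirname + '/plugins/azure/servicebus/namespaceEncryptionAtRest.js'),` with no padding lines.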
@@ -0,0 +1,53 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Namespace Encryption At Rest with CMK', + category: 'Service Bus', + domain: 'Application Integration', + description: 'Ensure that Azure Service Bus namespaces are encrypted with CMK.', + more_info: 'Azure Service Bus allows you to encrypt data in your namespaces using customer-managed keys (CMK) instead of using platform-managed keys, which are enabled by default. Using CMK encryption offers enhanced security and compliance, allowing centralized management and control of encryption keys through Azure Key Vault.', + recommended_action: 'Ensure that Azure Service Bus namespaces have CMK encryption enabled.', + link: 'https://learn.microsoft.com/en-us/azure/service-bus-messaging/configure-customer-managed-key', + apis: ['serviceBus:listNamespacesBySubscription'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.serviceBus, function(location, rcb) { + const namespaces = helpers.addSource(cache, source, + ['serviceBus', 'listNamespacesBySubscription', location]); + + if (!namespaces) return rcb(); + + + if (namespaces.err || !namespaces.data) { + helpers.addResult(results, 3, 'Unable to query Service Bus namespaces: ' + helpers.addError(namespaces), location); + return rcb(); + } + + if (!namespaces.data.length) { + helpers.addResult(results, 0, 'No Service Bus namespaces found', location); + return rcb(); + } + + for (let namespace of namespaces.data) { + + if (namespace.sku && namespace.sku.tier && namespace.sku.tier.toLowerCase() !== 'premium') { + helpers.addResult(results, 0, 'Service Bus Namespace is not a premium namespace', location, namespace.id); + } else if (namespace.encryption && Object.keys(namespace.encryption).length) { + helpers.addResult(results, 0, 'Service Bus Namespace is encrypted using CMK', 
location, namespace.id); + } else { + helpers.addResult(results, 2, 'Service Bus Namespace is not encrypted using CMK', location, namespace.id); + } + } + + rcb(); + }, function() { + // Global checking goes here + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/servicebus/namespaceEncryptionAtRest.spec.js b/plugins/azure/servicebus/namespaceEncryptionAtRest.spec.js new file mode 100644 index 0000000000..394f71b462 --- /dev/null +++ b/plugins/azure/servicebus/namespaceEncryptionAtRest.spec.js 
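Review bot: The CMK branch in `run` passes any namespace whose `encryption` object is merely non-empty (`Object.keys(namespace.encryption).length`), so an object carrying only `requireInfrastructureEncryption` would be reported as "encrypted using CMK" even though no key source is set. The spec fixture shows the property the plugin should be keyed on, `keySource: 'Microsoft.KeyVault'`; I would change the condition to `} else if (namespace.encryption && namespace.encryption.keySource && namespace.encryption.keySource.toLowerCase() === 'microsoft.keyvault') {` and, if the API also returns `keyVaultProperties`, consider requiring that to be non-empty as well. Note too that a namespace with no `sku` or `sku.tier` skips the premium short-circuit and falls through to the encryption check, which presumably fails it; a comment stating that this is intended (or a guard) would help the next reader.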
@@ -0,0 +1,118 @@ +var expect = require('chai').expect; +var namespaceEncryptionAtRest = require('./namespaceEncryptionAtRest.js'); + +const namespaces = [ + { + sku: { name: 'Premium', tier: 'Premium', capacity: 1 }, + id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test', + name: 'test', + type: 'Microsoft.ServiceBus/Namespaces', + location: 'East US', + publicNetworkAccess: 'Enabled', + disableLocalAuth: false, + provisioningState: 'Succeeded', + status: 'Active' + }, + { + sku: { name: 'Premium', tier: 'Premium', capacity: 1 }, + id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test2', + name: 'test2', + type: 'Microsoft.ServiceBus/Namespaces', + location: 'East US', + publicNetworkAccess: 'Enabled', + disableLocalAuth: true, + provisioningState: 'Succeeded', + status: 'Active', + encryption: { + keySource: 'Microsoft.KeyVault', + requireInfrastructureEncryption: false + }, + }, + { + sku: { name: 'Basic', tier: 'Basic' }, + id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test3', + name: 'test2', + type: 'Microsoft.ServiceBus/Namespaces', + location: 'East US', + publicNetworkAccess: 'Enabled', + disableLocalAuth: true, + provisioningState: 'Succeeded', + status: 'Active' + }, +]; + + +const createCache = (namespaces, err) => { + + return { + serviceBus: { + listNamespacesBySubscription: { + 'eastus': { + data: namespaces, + err: err + } + } + } + }; +}; + +describe('namespaceEncryptionAtRest', function () { + describe('run', function () { + + it('should give a passing result if no Service Bus namespaces are found', function (done) { + const cache = createCache([], null); + namespaceEncryptionAtRest.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No Service Bus namespaces found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if 
unable to query for Service Bus namespaces', function (done) { + const cache = createCache(null, ['error']); + namespaceEncryptionAtRest.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Service Bus namespaces'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + + it('should give passing result if namespace is not using premium tier', function (done) { + const cache = createCache([namespaces[2]], null); + namespaceEncryptionAtRest.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Service Bus Namespace is not a premium namespace'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if namespace is using CMK encryption', function (done) { + const cache = createCache([namespaces[1]], null); + namespaceEncryptionAtRest.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Service Bus Namespace is encrypted using CMK'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if namespace is not using CMK encryption', function (done) { + const cache = createCache([namespaces[0]], null); + namespaceEncryptionAtRest.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Service Bus Namespace is not encrypted using CMK'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file From e519c1b153f13af4dff387fe500e321acf6bb585 Mon Sep 17 00:00:00 2001 
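Review bot: The third fixture in `namespaces` has `name: 'test2'` while its id ends in `/namespaces/test3`, which looks like a copy-paste slip and makes failure output confusing; rename it `name: 'test3'`. There is also no case for a namespace whose `encryption` object exists but has no `keySource`, nor for one without `sku`, which are the two inputs where the plugin's branching is least obvious, so a test for each would pin the intended result.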
From: mehakseedat63 Date: Wed, 29 Nov 2023 10:53:03 +0500 Subject: [PATCH 084/498] Azure - Service Bus Namespace TLS Version Plugin --- exports.js | 5 +- .../azure/servicebus/namespaceTlsVersion.js | 50 ++++++++++ .../servicebus/namespaceTlsVersion.spec.js | 92 +++++++++++++++++++ 3 files changed, 146 insertions(+), 1 deletion(-) create mode 100644 plugins/azure/servicebus/namespaceTlsVersion.js create mode 100644 plugins/azure/servicebus/namespaceTlsVersion.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..357c1eb640 100644 --- a/exports.js +++ b/exports.js @@ -989,7 +989,10 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + + 'namespaceTlsVersion' : require(__dirname + '/plugins/azure/servicebus/namespaceTlsVersion.js'), + }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/plugins/azure/servicebus/namespaceTlsVersion.js b/plugins/azure/servicebus/namespaceTlsVersion.js new file mode 100644 index 0000000000..32a4df1678 --- /dev/null +++ b/plugins/azure/servicebus/namespaceTlsVersion.js 
@@ -0,0 +1,50 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Namespace Minimum TLS Version', + category: 'Service Bus', + domain: 'Application Integration', + description: 'Ensures that Azure Service Bus namespace is using the latest TLS version.', + more_info: 'TLS versions 1.0 and 1.1 are known to be susceptible to attacks, and to have other Common Vulnerabilities and Exposures (CVE) weaknesses. So there\'s an industry-wide push toward the exclusive use of Transport Layer Security(TLS) version 1.2 or later.', + recommended_action: 'Ensure that Azure Srvice Bus namespaces are using the latest TLS version', + link: 'https://learn.microsoft.com/en-us/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version', + apis: ['serviceBus:listNamespacesBySubscription'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.serviceBus, function(location, rcb) { + const namespaces = helpers.addSource(cache, source, + ['serviceBus', 'listNamespacesBySubscription', location]); + + if (!namespaces) return rcb(); + + + if (namespaces.err || !namespaces.data) { + helpers.addResult(results, 3, 'Unable to query Service Bus namespaces: ' + helpers.addError(namespaces), location); + return rcb(); + } + + if (!namespaces.data.length) { + helpers.addResult(results, 0, 'No Service Bus namespaces found', location); + return rcb(); + } + + for (let namespace of namespaces.data) { + if (namespace.minimumTlsVersion && (parseFloat(namespace.minimumTlsVersion) >= 1.2)) { + helpers.addResult(results, 0, 'Service Bus namespace is using the latest TLS Version', location, namespace.id); + } else { + helpers.addResult(results, 2, 'Service Bus namespace is not using the latest TLS Version', location, namespace.id); + } + } + + rcb(); + }, function() { + // Global checking goes here + 
callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/servicebus/namespaceTlsVersion.spec.js b/plugins/azure/servicebus/namespaceTlsVersion.spec.js new file mode 100644 index 0000000000..43ca872ba7 --- /dev/null +++ b/plugins/azure/servicebus/namespaceTlsVersion.spec.js 
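Review bot: `recommended_action` misspells the product name (`'Ensure that Azure Srvice Bus namespaces are using the latest TLS version'`) and this string is shown to users; change it to `'Ensure that Azure Service Bus namespaces are using TLS version 1.2 or later'`. The result messages and `description` say "latest TLS Version" but the check in `run` is `parseFloat(namespace.minimumTlsVersion) >= 1.2`, i.e. 1.2 or newer, so "TLS 1.2 or later" would describe the actual rule. A namespace with no `minimumTlsVersion` property is reported as failing; if the API omits the field when the default applies, that is a false positive, so it is worth confirming against a real response and documenting the decision in a comment above the `if`.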
@@ -0,0 +1,92 @@ +var expect = require('chai').expect; +var namespaceTlsVersion = require('./namespaceTlsVersion.js'); + +const namespaces = [ + { + id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test', + name: 'test', + type: 'Microsoft.ServiceBus/Namespaces', + location: 'East US', + publicNetworkAccess: 'Enabled', + disableLocalAuth: false, + provisioningState: 'Succeeded', + status: 'Active', + minimumTlsVersion: '1.1' + }, + { + id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test', + name: 'test2', + type: 'Microsoft.ServiceBus/Namespaces', + location: 'East US', + publicNetworkAccess: 'Enabled', + disableLocalAuth: true, + provisioningState: 'Succeeded', + status: 'Active', + minimumTlsVersion: '1.2' + }, +]; + + +const createCache = (namespaces, err) => { + + return { + serviceBus: { + listNamespacesBySubscription: { + 'eastus': { + data: namespaces, + err: err + } + } + } + }; +}; + +describe('namespaceTlsVersion', function () { + describe('run', function () { + + it('should give a passing result if no Service Bus namespaces are found', function (done) { + const cache = createCache([], null); + namespaceTlsVersion.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No Service Bus namespaces found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for Service Bus namespaces', function (done) { + const cache = createCache(null, ['error']); + namespaceTlsVersion.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Service Bus namespaces'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + + it('should give passing result if namespace is using the latest tls version', function (done) { + const cache 
= createCache([namespaces[1]], null); + namespaceTlsVersion.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Service Bus namespace is using the latest TLS Version'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if namespace is not using the latest tls version', function (done) { + const cache = createCache([namespaces[0]], null); + namespaceTlsVersion.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Service Bus namespace is not using the latest TLS Version'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file From f62960188080e989ea889e4dd92d0378063ee340 Mon Sep 17 00:00:00 2001 From: mehakseedat63 Date: Wed, 29 Nov 2023 10:54:59 +0500 Subject: [PATCH 085/498] Azure - Service Bus Namespace Local Authentication Plugin --- exports.js | 4 +- .../azure/servicebus/namespaceLocalAuth.js | 50 +++++++++++ .../servicebus/namespaceLocalAuth.spec.js | 90 +++++++++++++++++++ 3 files changed, 143 insertions(+), 1 deletion(-) create mode 100644 plugins/azure/servicebus/namespaceLocalAuth.js create mode 100644 plugins/azure/servicebus/namespaceLocalAuth.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..2781d110ea 100644 --- a/exports.js +++ b/exports.js 
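Review bot: Both entries in `namespaces` share the same `id` (`.../namespaces/test`) while the second is named `test2`, so a result-resource assertion could not tell the fixtures apart; give the second fixture a distinct id. The suite also has no case for a namespace with `minimumTlsVersion` absent, which is the input the plugin's `namespace.minimumTlsVersion &&` guard exists for.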
@@ -989,7 +989,9 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + + 'namespaceLocalAuth' : require(__dirname + '/plugins/azure/servicebus/namespaceLocalAuth.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/plugins/azure/servicebus/namespaceLocalAuth.js b/plugins/azure/servicebus/namespaceLocalAuth.js new file mode 100644 index 0000000000..6912a617b6 --- /dev/null +++ b/plugins/azure/servicebus/namespaceLocalAuth.js 
@@ -0,0 +1,50 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Namespace Local Authentication Disabled', + category: 'Service Bus', + domain: 'Application Integration', + description: 'Ensures local authentication is disabled for Service Bus namespaces.', + more_info: 'For enhanced security, centralized identity management, and seamless integration with Azure\'s authentication and authorization services, it is recommended to rely on Azure Active Directory (Azure AD) and disable local authentication (shared access policies) in Azure Service Bus namespaces.', + recommended_action: 'Ensure that Azure Service Bus namespaces have local authentication disabled.', + link: 'https://learn.microsoft.com/en-us/azure/service-bus-messaging/disable-local-authentication', + apis: ['serviceBus:listNamespacesBySubscription'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.serviceBus, function(location, rcb) { + const namespaces = helpers.addSource(cache, source, + ['serviceBus', 'listNamespacesBySubscription', location]); + + if (!namespaces) return rcb(); + + + if (namespaces.err || !namespaces.data) { + helpers.addResult(results, 3, 'Unable to query Service Bus namespaces: ' + helpers.addError(namespaces), location); + return rcb(); + } + + if (!namespaces.data.length) { + helpers.addResult(results, 0, 'No Service Bus namespaces found', location); + return rcb(); + } + + for (let namespace of namespaces.data) { + if (namespace.disableLocalAuth) { + helpers.addResult(results, 0, 'Service Bus Namespace has local authentication disabled', location, namespace.id); + } else { + helpers.addResult(results, 2, 'Service Bus Namespace has local authentication enabled', location, namespace.id); + } + } + + rcb(); + }, function() { + // Global checking goes here + callback(null, results, source); + }); 
+ } +}; \ No newline at end of file diff --git a/plugins/azure/servicebus/namespaceLocalAuth.spec.js b/plugins/azure/servicebus/namespaceLocalAuth.spec.js new file mode 100644 index 0000000000..2755a180db --- /dev/null +++ b/plugins/azure/servicebus/namespaceLocalAuth.spec.js 
@@ -0,0 +1,90 @@ +var expect = require('chai').expect; +var namespaceLocalAuth = require('./namespaceLocalAuth.js'); + +const namespaces = [ + { + id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test', + name: 'test', + type: 'Microsoft.ServiceBus/Namespaces', + location: 'East US', + publicNetworkAccess: 'Enabled', + disableLocalAuth: false, + provisioningState: 'Succeeded', + status: 'Active' + }, + { + id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test', + name: 'test2', + type: 'Microsoft.ServiceBus/Namespaces', + location: 'East US', + publicNetworkAccess: 'Enabled', + disableLocalAuth: true, + provisioningState: 'Succeeded', + status: 'Active' + }, +]; + + +const createCache = (namespaces, err) => { + + return { + serviceBus: { + listNamespacesBySubscription: { + 'eastus': { + data: namespaces, + err: err + } + } + } + }; +}; + +describe('namespaceLocalAuth', function () { + describe('run', function () { + + it('should give a passing result if no Service Bus namespaces are found', function (done) { + const cache = createCache([], null); + namespaceLocalAuth.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No Service Bus namespaces found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for Service Bus namespaces', function (done) { + const cache = createCache(null, ['error']); + namespaceLocalAuth.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Service Bus namespaces'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + + it('should give passing result if local authenication is disabled for namespace', function (done) { + const cache = createCache([namespaces[1]], null); + 
namespaceLocalAuth.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Service Bus Namespace has local authentication disabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if local authentication is enabled for namespace', function (done) { + const cache = createCache([namespaces[0]], null); + namespaceLocalAuth.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Service Bus Namespace has local authentication enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file From 7bdf4c338abc1748139b2e01c39bbcc5313ee2bb Mon Sep 17 00:00:00 2001 From: mehakseedat63 Date: Mon, 27 Nov 2023 23:42:05 +0500 Subject: [PATCH 086/498] Azure - Postgres Flexible Server SCRAM Enabled Plugin --- exports.js | 1 + helpers/azure/api.js | 14 +- .../flexibleServerSCRAMEnabled.js | 62 +++++++ .../flexibleServerSCRAMEnabled.spec.js | 165 ++++++++++++++++++ 4 files changed, 240 insertions(+), 2 deletions(-) create mode 100644 plugins/azure/postgresqlserver/flexibleServerSCRAMEnabled.js create mode 100644 plugins/azure/postgresqlserver/flexibleServerSCRAMEnabled.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..ea4e832859 100644 --- a/exports.js +++ b/exports.js 
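Review bot: The test title `'should give passing result if local authenication is disabled for namespace'` has a typo ("authenication"); fix it to "authentication" so it reads correctly in the runner output. As in the sibling specs, both fixtures carry the same `id` ending in `/namespaces/test` even though the second is `test2`, so give it its own id.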
@@ -816,6 +816,7 @@ module.exports = { 'postgresqlServerHasTags' : require(__dirname + '/plugins/azure/postgresqlserver/postgresqlServerHasTags.js'), 'postgresqlInfraDoubleEncryption': require(__dirname + '/plugins/azure/postgresqlserver/postgresqlInfraDoubleEncryption.js'), 'azureServicesAccessDisabled' : require(__dirname + '/plugins/azure/postgresqlserver/azureServicesAccessDisabled.js'), + 'flexibleServerSCRAMEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/flexibleServerSCRAMEnabled.js'), 'openOracleAutoDataWarehouse' : require(__dirname + '/plugins/azure/networksecuritygroups/openOracleAutoDataWarehouse.js'), 'networkWatcherEnabled' : require(__dirname + '/plugins/azure/networksecuritygroups/networkWatcherEnabled.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 0c44596e9d..d1e667931c 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -418,6 +418,9 @@ var calls = { }, listPostgres: { url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DBforPostgreSQL/servers?api-version=2017-12-01' + }, + listPostgresFlexibleServer: { + url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DBforPostgreSQL/flexibleServers?api-version=2022-12-01' } }, databaseAccounts: { @@ -546,6 +549,7 @@ var postcalls = { url: 'https://management.azure.com/{id}/securityAlertPolicies?api-version=2017-03-01-preview' } }, + advancedThreatProtectionSettings: { listByServer: { reliesOnPath: 'servers.listSql', @@ -593,7 +597,12 @@ var postcalls = { reliesOnPath: 'servers.listMysqlFlexibleServer', properties: ['id'], url: 'https://management.azure.com/{id}/configurations?api-version=2021-05-01' - } + }, + listByPostgresServer: { + reliesOnPath: 'servers.listPostgresFlexibleServer', + properties: ['id'], + url: 'https://management.azure.com/{id}/configurations?api-version=2022-12-01' + }, }, serverAdministrators: { list: { 
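Review bot: The `@@ -546,6 +549,7 @@` hunk in helpers/azure/api.js adds nothing but a blank line, and the `@@ -973,7 +982,8 @@` hunk on the following line only turns `}` into `},` and inserts an empty line; both are formatting churn unrelated to the new PostgreSQL calls and should be dropped from the commit so the diff only carries `listPostgresFlexibleServer` and `listByPostgresServer`. The trailing `+ },` after `listByPostgresServer` is also harmless but inconsistent with the neighbouring entries, which end without a comma.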
@@ -973,7 +982,8 @@ var tertiarycalls = { url: '{id}/policy?api-version=7.3', vault: true } - } + }, + }; var specialcalls = { diff --git a/plugins/azure/postgresqlserver/flexibleServerSCRAMEnabled.js b/plugins/azure/postgresqlserver/flexibleServerSCRAMEnabled.js new file mode 100644 index 0000000000..9d027fb791 --- /dev/null +++ b/plugins/azure/postgresqlserver/flexibleServerSCRAMEnabled.js 
@@ -0,0 +1,62 @@ +const async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'PostgreSQL Flexible Server SCRAM Enabled', + category: 'PostgreSQL Server', + domain: 'Databases', + description: 'Ensure PostgreSQL flexible servers are using SCRAM authentication protocol for password encryption.', + more_info: 'Using SCRAM (Salted Challenge Response Authentication Mechanism) enhances authentication security in PostgreSQL by defending against common password-based vulnerabilities, bolstering protection against credential interception and replay attacks.', + recommended_action: 'Modify PostgreSQL flexible server to use SCRAM for password encryption instead of MD5.', + link: 'https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/how-to-connect-scram', + apis: ['servers:listPostgresFlexibleServer', 'flexibleServersConfigurations:listByPostgresServer'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.servers, (location, rcb) => { + const servers = helpers.addSource(cache, source, + ['servers', 'listPostgresFlexibleServer', location]); + + if (!servers) return rcb(); + + if (servers.err || !servers.data) { + helpers.addResult(results, 3, + 'Unable to query for PostgreSQL flexible servers: ' + helpers.addError(servers), location); + return rcb(); + } + + if (!servers.data.length) { + helpers.addResult(results, 0, 'No existing PostgreSQL flexible servers found', location); + return rcb(); + } + + for (var flexibleServer of servers.data) { + const configurations = helpers.addSource(cache, source, + ['flexibleServersConfigurations', 'listByPostgresServer', location, flexibleServer.id]); + + if (!configurations || configurations.err || !configurations.data) { + helpers.addResult(results, 3, + 'Unable to query for configuration' + helpers.addError(configurations), location, 
flexibleServer.id); + continue; + } + + var configuration = configurations.data.find(config => { + return (config.name == 'password_encryption'); + }); + + if (configuration && configuration.value && configuration.value.toUpperCase().includes('SCRAM')) { + helpers.addResult(results, 0, 'PostgreSQL flexible server is using SCRAM authentication protocol', location, flexibleServer.id); + } else { + helpers.addResult(results, 2, 'PostgreSQL flexible server is not using SCRAM authentication protocol', location, flexibleServer.id); + } + } + rcb(); + }, function() { + // Global checking goes here + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/postgresqlserver/flexibleServerSCRAMEnabled.spec.js b/plugins/azure/postgresqlserver/flexibleServerSCRAMEnabled.spec.js new file mode 100644 index 0000000000..a014d0819b --- /dev/null +++ b/plugins/azure/postgresqlserver/flexibleServerSCRAMEnabled.spec.js 
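Review bot: The unknown-result message `'Unable to query for configuration' + helpers.addError(configurations)` has no separator, so the error text runs straight into the prefix (compare the sibling message `'Unable to query for PostgreSQL flexible servers: '`); change it to `'Unable to query for PostgreSQL flexible server configurations: ' + helpers.addError(configurations)`. The lookup `config.name == 'password_encryption'` should use strict equality, `config.name === 'password_encryption'`, as the rest of the plugin does. A server whose configuration list has no `password_encryption` entry is reported as not using SCRAM; that is consistent with the spec fixture's `defaultValue: 'md5'`, but a one-line comment above the `if` saying the absent case is treated as MD5 by design would make that explicit.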
@@ -0,0 +1,165 @@ +var expect = require('chai').expect; +var auth = require('./flexibleServerSCRAMEnabled'); + +const servers = [ + { + "id": "/subscriptions/12345/resourceGroups/Default/providers/Microsoft.DBforPostgreSQL/flexibleServers/test-server", + "type": "Microsoft.DBforPostgreSQL/flexibleServers" + }, +] + +const configurations = [ + { + id: '/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/meerab-rg/providers/Microsoft.DBforPostgreSQL/flexibleServers/testfs/configurations/password_encryption', + name: 'password_encryption', + type: 'Microsoft.DBforPostgreSQL/flexibleServers/configurations', + value: 'SCRAM-SHA-256', + description: 'Determines the algorithm to use to encrypt the password..', + defaultValue: 'md5', + dataType: 'Enumeration', + allowedValues: 'md5,scram-sha-256', + source: 'user-override', + isDynamicConfig: true, + isReadOnly: false, + isConfigPendingRestart: false + }, + + { + id: '/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/meerab-rg/providers/Microsoft.DBforPostgreSQL/flexibleServers/testfs/configurations/password_encryption', + name: 'password_encryption', + type: 'Microsoft.DBforPostgreSQL/flexibleServers/configurations', + value: 'md5', + description: 'Determines the algorithm to use to encrypt the password..', + defaultValue: 'md5', + dataType: 'Enumeration', + allowedValues: 'md5,scram-sha-256', + source: 'user-override', + isDynamicConfig: true, + isReadOnly: false, + isConfigPendingRestart: false + } + + +] + +const createCache = (err, list, configuration) => { + return { + servers: { + listPostgresFlexibleServer: { + 'eastus': { + err: err, + data: list + } + } + }, + flexibleServersConfigurations: { + listByPostgresServer: { + 'eastus': configuration + } + } + } +}; + +describe('flexibleServerSCRAMEnabled', function() { + describe('run', function() { + it('should PASS if no existing servers found', function(done) { + const callback = (err, results) => { + 
expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing PostgreSQL flexible servers found'); + expect(results[0].region).to.equal('eastus'); + done() + }; + + const cache = createCache( + null, + [], + {} + ); + + auth.run(cache, {}, callback); + }); + + it('should give UNKNOWN if unable to query for PostgreSQL flexible Servers', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for'); + expect(results[0].region).to.equal('eastus'); + done() + }; + + const cache = createCache( + null, + null, + {} + ); + + auth.run(cache, {}, callback); + }) + + it('should give UNKNOWN if unable to query for configurations', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for'); + expect(results[0].region).to.equal('eastus'); + done() + }; + + const cache = createCache( + null, + servers, + {} + ); + + auth.run(cache, {}, callback); + }) + + it('should FAIL if PostgreSQL server is not using SCRAM', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('PostgreSQL flexible server is not using SCRAM authentication protocol'); + expect(results[0].region).to.equal('eastus'); + done() + }; + + const cache = createCache( + null, + servers, + { + "/subscriptions/12345/resourceGroups/Default/providers/Microsoft.DBforPostgreSQL/flexibleServers/test-server": { + data: [configurations[1]] + } + } + ); + + auth.run(cache, {}, callback); + }); + + it('should PASS if PostgreSQL server is using SCRAM', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + 
expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('PostgreSQL flexible server is using SCRAM authentication protocol'); + expect(results[0].region).to.equal('eastus'); + done() + }; + + const cache = createCache( + null, + servers, + { + "/subscriptions/12345/resourceGroups/Default/providers/Microsoft.DBforPostgreSQL/flexibleServers/test-server": { + data: [configurations[0]] + } + } + ); + + auth.run(cache, {}, callback); + }); + + + }) +}) \ No newline at end of file From d06b606beea95e95fa061504a1d665bd1dfd8ed3 Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Wed, 29 Nov 2023 15:32:38 +0500 Subject: [PATCH 087/498] added sql server plugin audit microsoft support operations --- exports.js | 3 +- helpers/azure/api.js | 7 + helpers/azure/resources.js | 3 + .../auditMicrosoftOperationsEnabled.js | 57 +++++++++ .../auditMicrosoftOperationsEnabled.spec.js | 120 ++++++++++++++++++ 5 files changed, 189 insertions(+), 1 deletion(-) create mode 100644 plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.js create mode 100644 plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..6735ab9db6 100644 --- a/exports.js +++ b/exports.js 
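Review bot: The `configurations` fixtures carry what looks like a real subscription id and resource group (`/subscriptions/26a1a07e-…/resourceGroups/meerab-rg/…`) rather than the synthetic `/subscriptions/12345/resourceGroups/Default/…` used for `servers`; test data should not embed identifiers from a live tenant, so replace them with the synthetic path. The mismatch is harmless to the tests only because the plugin looks configurations up by the `servers` id used as the map key, which is worth a comment next to the fixture. Several `done()` calls lack a terminating semicolon, unlike the sibling specs.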
@@ -882,7 +882,8 @@ module.exports = { 'serverSendEmailToAdmins' : require(__dirname + '/plugins/azure/sqlserver/serverSendEmailToAdmins.js'), 'sqlServerRecurringScans' : require(__dirname + '/plugins/azure/sqlserver/sqlServerRecurringScans.js'), 'sqlServerSendScanReports' : require(__dirname + '/plugins/azure/sqlserver/sqlServerSendScanReports.js'), - 'sqlServerHasTags' : require(__dirname + '/plugins/azure/sqlserver/sqlServerHasTags.js'), + 'sqlServerHasTags': require(__dirname + '/plugins/azure/sqlserver/sqlServerHasTags.js'), + 'auditMicrosoftOperationsEnabled':require(__dirname + '/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.js'), 'javaVersion' : require(__dirname + '/plugins/azure/appservice/javaVersion.js'), 'phpVersion' : require(__dirname + '/plugins/azure/appservice/phpVersion.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 0c44596e9d..94fd61c201 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -973,6 +973,13 @@ var tertiarycalls = { url: '{id}/policy?api-version=7.3', vault: true } + }, + devOpsAuditingSettings: { + list: { + reliesOnPath: 'servers.listSql', + properties: ['id'], + url: 'https://management.azure.com/{id}/devOpsAuditingSettings?api-version=2021-11-01' + } } }; diff --git a/helpers/azure/resources.js b/helpers/azure/resources.js index bc0486c46c..f90bd2f053 100644 --- a/helpers/azure/resources.js +++ b/helpers/azure/resources.js @@ -241,5 +241,8 @@ module.exports = { listAppSettings: 'id', getAuthSettings: '', getBackupConfiguration: 'id', + }, + devOpsAuditingSettings:{ + list:'id' } }; diff --git a/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.js b/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.js new file mode 100644 index 0000000000..0cf81baa59 --- /dev/null +++ b/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.js 
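Review bot: The exports.js hunk rewrites the unrelated `'sqlServerHasTags'` line (only the spacing around the colon changes) alongside the new registration, which is noise in the diff; keep the original line and add `'auditMicrosoftOperationsEnabled' : require(__dirname + '/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.js'),` formatted like its neighbours (the added line currently has no space after the colon). The resources.js entry `devOpsAuditingSettings:{ list:'id' }` likewise departs from the `listAppSettings: 'id',` spacing of the surrounding entries. The api.js `devOpsAuditingSettings.list` call looks consistent with the other `servers.listSql`-based tertiary calls.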
@@ -0,0 +1,57 @@
+var async = require('async');
+var helpers = require('../../../helpers/azure');
+
+module.exports = {
+ title: 'Auditing of Microsoft Support Operations',
+ category: 'SQL Server',
+ domain: 'Databases',
+ description: 'Ensure auditing of Microsoft support operations is enabled on SQL server.',
+ more_info: 'Enabling this option captures Microsoft support engineers (DevOps) operations for enhanced monitoring and troubleshooting.',
+ recommended_action: 'Enable the option to capture Microsoft support operations and write them to a selected Storage account, Log Analytics workspace, or Event Hub.',
+ link: 'https://docs.microsoft.com/en-us/azure/azure-sql/database/security-overview-auditing?tabs=azure-powershell#configure-azure-sql-auditing',
+ apis: ['servers:listSql', 'devOpsAuditingSettings:list'],
+ run: function(cache, settings, callback) {
+ var results = [];
+ var source = {};
+ var locations = helpers.locations(settings.govcloud);
+
+ async.each(locations.servers, function(location, rcb) {
+
+ const servers = helpers.addSource(cache, source,
+ ['servers', 'listSql', location]);
+
+ if (!servers) return rcb();
+
+ if (servers.err || !servers.data) {
+ helpers.addResult(results, 3,
+ 'Unable to query for SQL servers: ' + helpers.addError(servers), location);
+ return rcb();
+ }
+
+ if (!servers.data.length) {
+ helpers.addResult(results, 0, 'No SQL servers found', location);
+ return rcb();
+ }
+
+ for (const server of servers.data) {
+ const devOpsAuditingSettings = helpers.addSource(cache, source,
+ ['devOpsAuditingSettings', 'list', location, server.id]);
+
+ if (!devOpsAuditingSettings || devOpsAuditingSettings.err || !devOpsAuditingSettings.data) {
+ helpers.addResult(results, 3,
+ 'Unable to query Auditing Policies: ' + helpers.addError(devOpsAuditingSettings), location, server.id);
+ } else {
+ if (devOpsAuditingSettings.data[0].state.toLowerCase()=='enabled') {
+ helpers.addResult(results, 0, 'Auditing of Microsoft support operations is enabled on the SQL server', location, server.name);
+ } else {
+ helpers.addResult(results, 2, 'Auditing of Microsoft support operations is not enabled on the SQL server', location, server.name);
+ }
+ }
+ }
+
+ rcb();
+ }, function() {
+ callback(null, results, source);
+ });
+ }
+};
diff --git a/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.spec.js b/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.spec.js
new file mode 100644
index 0000000000..633d50fb95
--- /dev/null
+++ b/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.spec.js
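Review bot: `devOpsAuditingSettings.data[0].state.toLowerCase()` in the else branch throws a TypeError when the list call returns an empty `data` array or an entry without `state`; the preceding guard (`!devOpsAuditingSettings.data`) does not catch that because `[]` is truthy, so the region's iterator would end in an uncaught exception instead of a result. Read the entry first and treat a missing state as not enabled: `const setting = devOpsAuditingSettings.data[0];` / `if (setting && setting.state && setting.state.toLowerCase() === 'enabled') {`. The pass/fail results also report `server.name` as the resource while the error branch two lines above and the other plugins in this series use the resource id (`server.id`, `policy.id`, `profile.id`); using `server.id` here keeps resource identifiers consistent across results. The spec added at L942–L943 has no case for an empty settings list or an error response, so neither path is exercised.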
@@ -0,0 +1,120 @@ +// Import necessary modules and the code to be tested +var assert = require('assert'); +var expect = require('chai').expect; +var auditSupportOperations = require('./auditMicrosoftOperationsEnabled'); + +// Function to create a sample cache +const createCache = (err, list, get) => { + return { + servers: { + listSql: { + 'eastus': { + err: err, + data: list + } + } + }, + devOpsAuditingSettings: { + list: { + 'eastus': get + } + } + } +}; + +// Test suite +describe('Auditing of Microsoft Support Operations', function() { + describe('run', function() { + it('should give passing result if no SQL servers found', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No SQL servers found'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + null, + [], + {} + ); + + auditSupportOperations.run(cache, {}, callback); + }); + + it('should give passing result if auditing of support operations is enabled', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Auditing of Microsoft support operations is enabled on the SQL server'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + null, + [ + { + "id": "/subscriptions/subscription-id/resourceGroups/resource-group/providers/Microsoft.Sql/servers/sql-server", + "name": "sql-server", + "type": "Microsoft.Sql/servers" + } + ], + { + '/subscriptions/subscription-id/resourceGroups/resource-group/providers/Microsoft.Sql/servers/sql-server': { + data: [ + { + "id": "/subscriptions/subscription-id/resourceGroups/resource-group/providers/Microsoft.Sql/servers/sql-server/auditingSettings/Default", + "name": "Default", + "type": "Microsoft.Sql/servers/auditingSettings", + "state": "Enabled", 
+ "error": false, + "location": "eastus" + } + ] + } + } + ); + + auditSupportOperations.run(cache, {}, callback); + }); + + it('should give failing result if auditing of support operations is not enabled', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Auditing of Microsoft support operations is not enabled on the SQL server'); + expect(results[0].region).to.equal('eastus'); + done(); + }; + + const cache = createCache( + null, + [ + { + "id": "/subscriptions/subscription-id/resourceGroups/resource-group/providers/Microsoft.Sql/servers/sql-server", + "name": "sql-server", + "type": "Microsoft.Sql/servers" + } + ], + { + '/subscriptions/subscription-id/resourceGroups/resource-group/providers/Microsoft.Sql/servers/sql-server': { + data: [ + { + "id": "/subscriptions/subscription-id/resourceGroups/resource-group/providers/Microsoft.Sql/servers/sql-server/auditingSettings/Default", + "name": "Default", + "type": "Microsoft.Sql/servers/auditingSettings", + "state": "Disabled", + "error": false, + "location": "eastus" + } + ] + } + } + ); + + auditSupportOperations.run(cache, {}, callback); + }); + }); +}); From c786d3aee59b392ca8c861d654cd82e379238ead Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Wed, 29 Nov 2023 16:58:08 +0500 Subject: [PATCH 088/498] SAAS-20297/ag-Request-body-inspection --- exports.js | 2 + .../agRequestBodyInspection.js | 50 +++++++++ .../agRequestBodyInspection.spec.js | 105 ++++++++++++++++++ 3 files changed, 157 insertions(+) create mode 100644 plugins/azure/applicationGateway/agRequestBodyInspection.js create mode 100644 plugins/azure/applicationGateway/agRequestBodyInspection.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..4eebc44566 100644 --- a/exports.js +++ b/exports.js 
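Review bot: `var assert = require('assert');` at the top of this spec is never used — every assertion goes through chai's `expect` — so the require can be dropped. None of the three cases drives the unknown (status 3) branch of the plugin; a case built with `createCache(null, servers, {})` (no settings entry for the server id) should cover the `Unable to query Auditing Policies` result.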
@@ -976,6 +976,8 @@ module.exports = {
 'agWafEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agWafEnabled'),
 'agPreventionModeEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agPreventionModeEnabled.js'),
+ 'agRequestBodyInspection' : require(__dirname + '/plugins/azure/applicationGateway/agRequestBodyInspection'),
+
 'subscriptionHasTags' : require(__dirname + '/plugins/azure/subscription/subscriptionHasTags.js'),
 'rgHasTags' : require(__dirname + '/plugins/azure/resourceGroup/rgHasTags.js'),
diff --git a/plugins/azure/applicationGateway/agRequestBodyInspection.js b/plugins/azure/applicationGateway/agRequestBodyInspection.js
new file mode 100644
index 0000000000..5a8fa52a64
--- /dev/null
+++ b/plugins/azure/applicationGateway/agRequestBodyInspection.js
@@ -0,0 +1,50 @@
+const async = require('async');
+const helpers = require('../../../helpers/azure');
+
+module.exports = {
+ title: 'Application Gateway Request Body Inspection',
+ category: 'Application Gateway',
+ domain: 'Network Access Control',
+ description: 'Ensures that request body inspection is enabled for Application Gateway WAF policy.',
+ more_info: 'Application Gateway WAF policy with disabled request body inspection doesn\'t evaluate the contents of an HTTP message\'s body. Enabling it allows us to inspect properties that may not be evaluated in the HTTP headers, cookies, or URI.',
+ recommended_action: 'Modify application gateway WAF policy and enable request body inspection in policy settings.',
+ link: 'https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection',
+ apis: ['wafPolicies:listAll'],
+
+ run: function(cache, settings, callback) {
+ const results = [];
+ const source = {};
+ const locations = helpers.locations(settings.govcloud);
+
+ async.each(locations.wafPolicies, (location, rcb) => {
+
+ var wafPolicies = helpers.addSource(cache, source,
+ ['wafPolicies', 'listAll', location]);
+
+ if (!wafPolicies) return rcb();
+
+ if (wafPolicies.err || !wafPolicies.data) {
+ helpers.addResult(results, 3, 'Unable to query for Application Gateway WAF policies: ' + helpers.addError(wafPolicies), location);
+ return rcb();
+ }
+ if (!wafPolicies.data.length) {
+ helpers.addResult(results, 0, 'No existing WAF policies found', location);
+ return rcb();
+ }
+
+ for (let policy of wafPolicies.data) {
+ if (!policy.id) continue;
+
+ if (policy.policySettings && policy.policySettings.requestBodyCheck) {
+ helpers.addResult(results, 0, 'Application gateway WAF policy has request body inspection enabled', location, policy.id);
+ } else {
+ helpers.addResult(results, 2, 'Application gateway WAF policy does not have request body inspection enabled', location, policy.id);
+ }
+ }
+
+ rcb();
+ }, function() {
+ callback(null, results, source);
+ });
+ }
+};
diff --git a/plugins/azure/applicationGateway/agRequestBodyInspection.spec.js b/plugins/azure/applicationGateway/agRequestBodyInspection.spec.js
new file mode 100644
index 0000000000..4f82936f8a
--- /dev/null
+++ b/plugins/azure/applicationGateway/agRequestBodyInspection.spec.js
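Review bot: `var wafPolicies = helpers.addSource(...)` is the one `var` in a function that otherwise declares everything with `const`, and `let policy` in the `for...of` is never reassigned; `const wafPolicies` and `for (const policy of wafPolicies.data)` would match the rest of the file. The check `policy.policySettings.requestBodyCheck` tests a boolean here, whereas the Front Door counterpart at L954 compares the same-named field against the string `'enabled'`; a one-line comment such as `// requestBodyCheck is a boolean on Application Gateway WAF policies (the Front Door WAF API reports an Enabled/Disabled string)` would stop the two checks being "harmonised" incorrectly later. The spec fixtures at L947 use booleans, consistent with the check as written.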
@@ -0,0 +1,105 @@ +var expect = require('chai').expect; +var agRequestBodyInspection = require('./agRequestBodyInspection.js'); + +const wafPolicy = [ + { + "name": 'test-vnet', + "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', + "type": 'Microsoft.Network/waf', + "tags": { "key": "value" }, + "location": 'eastus', + "provisioningState": 'Succeeded', + "virtualNetworkPeerings": [], + "enableDdosProtection": true, + "policySettings":{ + "mode": "prevention", + "requestBodyCheck": true + } + }, + { + "name": 'test-vnet', + "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', + "type": 'Microsoft.Network/waf', + "tags": {}, + "location": 'eastus', + "provisioningState": 'Succeeded', + "virtualNetworkPeerings": [], + "enableDdosProtection": false, + "policySettings":{ + "mode": "prevention", + "requestBodyCheck": false + } + } +]; + +const createCache = (waf) => { + return { + wafPolicies: { + listAll: { + 'eastus': { + data: waf + } + } + } + }; +}; + +const createErrorCache = () => { + return { + wafPolicies: { + listAll: { + 'eastus': {} + } + } + }; +}; + +describe('agRequestBodyInspection', function() { + describe('run', function() { + it('should give passing result if no WAF policy found', function(done) { + const cache = createCache([]); + agRequestBodyInspection.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing WAF policies found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if Application gateway WAF policy does not have request body inspection enabled', function(done) { + const cache = createCache([wafPolicy[1]]); + agRequestBodyInspection.run(cache, {}, (err, results) => { + 
expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Application gateway WAF policy does not have request body inspection enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + + it('should give unknown result if Unable to query for WAF policy', function(done) { + const cache = createErrorCache(); + agRequestBodyInspection.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Application Gateway WAF policies'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if Application gateway WAF policy has request body inspection enabled', function(done) { + const cache = createCache([wafPolicy[0]]); + agRequestBodyInspection.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Application gateway WAF policy has request body inspection enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + }); +}); \ No newline at end of file From 7609352041028a450767b421909f5dd0199b07c2 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Wed, 29 Nov 2023 17:23:57 +0500 Subject: [PATCH 089/498] Apply suggestions from code review --- plugins/azure/frontdoor/botProtectionEnabled.js | 6 +++--- plugins/azure/frontdoor/botProtectionEnabled.spec.js | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/plugins/azure/frontdoor/botProtectionEnabled.js b/plugins/azure/frontdoor/botProtectionEnabled.js index 1a4857b58e..e567a46f4d 100644 --- a/plugins/azure/frontdoor/botProtectionEnabled.js +++ b/plugins/azure/frontdoor/botProtectionEnabled.js 
@@ -7,7 +7,7 @@ module.exports = {
 domain: 'Content Delivery',
 description: 'Ensure that Bot Protection for Azure Front Door WAF policy is enabled.',
 more_info: 'Azure Web Application Firewall (WAF) for Front Door provides bot rules to protect from bad bots and to block or log requests from known malicious IP addresses.',
- recommended_action: 'Ensure that WAF policy has Bot Protection rule set enabled.',
+ recommended_action: 'Modify Front Door WAF policy and add bot protection rule set in managed rules.',
 link: 'https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-policy-configure-bot-protection?pivots=portal',
 apis: ['afdWafPolicies:listAll'],
@@ -40,9 +40,9 @@ module.exports = {
 policy.managedRules.managedRuleSets.find(ruleset => ruleset.ruleSetType.toLowerCase() == 'microsoft_botmanagerruleset') : false;
 if (found) {
- helpers.addResult(results, 0, 'Front Door profile WAF policy has bot protection enabled', location, policy.id);
+ helpers.addResult(results, 0, 'Front Door WAF policy has bot protection enabled', location, policy.id);
 } else {
- helpers.addResult(results, 2, 'Front Door profile WAF policy does not have bot protection enabled', location, policy.id);
+ helpers.addResult(results, 2, 'Front Door WAF policy does not have bot protection enabled', location, policy.id);
 }
 }
diff --git a/plugins/azure/frontdoor/botProtectionEnabled.spec.js b/plugins/azure/frontdoor/botProtectionEnabled.spec.js
index 62160a9ac0..4a7934300c 100644
--- a/plugins/azure/frontdoor/botProtectionEnabled.spec.js
+++ b/plugins/azure/frontdoor/botProtectionEnabled.spec.js
@@ -99,7 +99,7 @@ describe('botProtectionEnabled', function () { botProtectionEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Front Door profile WAF policy has bot protection enabled'); + expect(results[0].message).to.include('Front Door WAF policy has bot protection enabled'); expect(results[0].region).to.equal('global'); done(); }); @@ -110,7 +110,7 @@ describe('botProtectionEnabled', function () { botProtectionEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Front Door profile WAF policy does not have bot protection enabled'); + expect(results[0].message).to.include('Front Door WAF policy does not have bot protection enabled'); expect(results[0].region).to.equal('global'); done(); }); From eff8ab0708a0891eafb7c0850dae7fb382c264a5 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Wed, 29 Nov 2023 17:28:21 +0500 Subject: [PATCH 090/498] Apply suggestions from code review --- plugins/azure/frontdoor/frontDoorHttpsOnly.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/frontdoor/frontDoorHttpsOnly.js b/plugins/azure/frontdoor/frontDoorHttpsOnly.js index 503491cb46..e18d4b9743 100644 --- a/plugins/azure/frontdoor/frontDoorHttpsOnly.js +++ b/plugins/azure/frontdoor/frontDoorHttpsOnly.js 
@@ -5,9 +5,9 @@ module.exports = {
 title: 'Front Door HTTPS only',
 category: 'Front Door',
 domain: 'Content Delivery',
- description: 'Ensures HTTPS Only is enabled for Front Door Classic profile, redirecting all HTTP traffic to HTTPS.',
+ description: 'Ensures HTTPS Only is enabled for Front Door classic profile, redirecting all HTTP traffic to HTTPS.',
 more_info: 'By using the HTTPS only protocol, you ensure that your sensitive data is delivered securely via TLS/SSL encryption.',
- recommended_action: 'Ensure that Front Door (classic) under the frontend hosts section has HTTP to HTTPS redirect rule.',
+ recommended_action: 'Modify the Front Door classic profile and add HTTP to HTTPS redirect rule under the frontend hosts section.',
 link: 'https://learn.microsoft.com/en-us/azure/frontdoor/front-door-how-to-redirect-https',
 apis: ['classicFrontDoors:list'],
From 95a55bda184b539ba0918921f3cc7bc5ee7fef53 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Wed, 29 Nov 2023 17:36:13 +0500
Subject: [PATCH 091/498] Apply suggestions from code review
---
 plugins/azure/frontdoor/frontDoorWafEnabled.js | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/plugins/azure/frontdoor/frontDoorWafEnabled.js b/plugins/azure/frontdoor/frontDoorWafEnabled.js
index 570b1401d9..c71af215f6 100644
--- a/plugins/azure/frontdoor/frontDoorWafEnabled.js
+++ b/plugins/azure/frontdoor/frontDoorWafEnabled.js
@@ -5,9 +5,9 @@ module.exports = {
 title: 'Front Door Waf Enabled',
 category: 'Front Door',
 domain: 'Content Delivery',
- description: 'Ensure that WAF is enabled for Azure Front Door premium profile.',
+ description: 'Ensure that Web Application Firewall (WAF) is enabled for Azure Front Door premium and standard profiles.',
 more_info: 'WAF actively inspects incoming requests to the front door and blocks requests that are determined to be malicious based on a set of rules.',
- recommended_action: 'Ensure that Azure Front Door premium profile has WAF policy attached in security policies section.',
+ recommended_action: 'Modify the Azure Front Door profile and attach WAF policy under security policies section.',
 link: 'https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-policy-settings',
 apis: ['profiles:list', 'afdSecurityPolicies:listByProfile',],
@@ -34,9 +34,8 @@ module.exports = {
 var frontDoorPremium = false;
 profiles.data.forEach(function(profile) {
- if (!profile.id || !profile.sku || profile.sku.name.toLowerCase() != 'premium_azurefrontdoor') return;
+ if (!profile.id) return;
- frontDoorPremium = true;
 const afdSecurityPolicies = helpers.addSource(cache, source, ['afdSecurityPolicies', 'listByProfile', location, profile.id]);
 if (!afdSecurityPolicies || afdSecurityPolicies.err || !afdSecurityPolicies.data) {
@@ -50,9 +49,6 @@ module.exports = {
 }
 });
- if (!frontDoorPremium) {
- helpers.addResult(results, 0, 'No existing Front Door profiles found', location);
- }
 rcb();
 }, function() {
 callback(null, results, source);
From 7e0e149853ce7c414c5686654a2a664f4e5e9776 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Wed, 29 Nov 2023 17:36:29 +0500
Subject: [PATCH 092/498] Update plugins/azure/frontdoor/frontDoorWafEnabled.js
---
 plugins/azure/frontdoor/frontDoorWafEnabled.js | 1 - 1 file changed, 1 deletion(-)
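Review bot: Dropping the `premium_azurefrontdoor` SKU filter in the second hunk (`if (!profile.id) return;`) makes the loop evaluate every record `profiles:list` returns, while the new description narrows the check to "premium and standard profiles"; if that call also returns classic CDN profiles, which have no AFD security policies, they will now surface as status-3 "Unable to query Front Door security policies" noise instead of being skipped. A guard that keeps both Front Door tiers would match the description: `if (!profile.id || !profile.sku || !profile.sku.name || !['standard_azurefrontdoor', 'premium_azurefrontdoor'].includes(profile.sku.name.toLowerCase())) return;`. The same filter removal appears in frontDoorRequestBodyInspection.js at L954 (`if (!policy.id) continue;`), where `afdWafPolicies:listAll` may likewise include classic-SKU policies; whether those should be assessed is a product decision, but it is not what the metadata says. The enclosing run() body starts and ends outside these hunks.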
diff --git a/plugins/azure/frontdoor/frontDoorWafEnabled.js b/plugins/azure/frontdoor/frontDoorWafEnabled.js index c71af215f6..721f95f996 100644 --- a/plugins/azure/frontdoor/frontDoorWafEnabled.js +++ b/plugins/azure/frontdoor/frontDoorWafEnabled.js @@ -31,7 +31,6 @@ module.exports = { return rcb(); } - var frontDoorPremium = false; profiles.data.forEach(function(profile) { if (!profile.id) return; From 67f1470f0c7596e89c0c1b742049bd49970970a6 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Wed, 29 Nov 2023 17:36:50 +0500 Subject: [PATCH 093/498] Update plugins/azure/frontdoor/frontDoorWafEnabled.js --- plugins/azure/frontdoor/frontDoorWafEnabled.js | 1 + 1 file changed, 1 insertion(+) diff --git a/plugins/azure/frontdoor/frontDoorWafEnabled.js b/plugins/azure/frontdoor/frontDoorWafEnabled.js index 721f95f996..7f4ac9957e 100644 --- a/plugins/azure/frontdoor/frontDoorWafEnabled.js +++ b/plugins/azure/frontdoor/frontDoorWafEnabled.js @@ -37,6 +37,7 @@ module.exports = { const afdSecurityPolicies = helpers.addSource(cache, source, ['afdSecurityPolicies', 'listByProfile', location, profile.id]); + if (!afdSecurityPolicies || afdSecurityPolicies.err || !afdSecurityPolicies.data) { helpers.addResult(results, 3, 'Unable to query Front Door security policies : ' + helpers.addError(afdSecurityPolicies), location, profile.id); } else { From ffa7ecf75a00eb3cc714de2e7ed505dbf0a42975 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Wed, 29 Nov 2023 17:47:00 +0500 Subject: [PATCH 094/498] Apply suggestions from code review --- .../frontdoor/frontDoorRequestBodyInspection.js | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js index 28955459ab..5175a83d21 100644 --- a/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js 
+++ b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js
@@ -5,9 +5,9 @@ module.exports = {
 title: 'Front Door Request Body Inspection',
 category: 'Front Door',
 domain: 'Content Delivery',
- description: 'Ensures that request body inspection is enabled for Azure Front Door premium WAF policy.',
- more_info: 'Web Application Firewalls associated to Azure Front Doors premium that have request body inspection enabled, allows to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI.',
- recommended_action: 'Ensure that request body inspection in policy settings for Azure Front Door WAF policy is enabled.',
+ description: 'Ensures that request body inspection is enabled for Azure Front Door WAF policy.',
+ more_info: 'Web Application Firewalls associated to Azure Front Doors that have request body inspection enabled, allows to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI.',
+ recommended_action: 'Modify Front Door WAF policy and enable request body inspection in policy settings.',
 link: 'https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection',
 apis: ['afdWafPolicies:listAll'],
@@ -34,9 +34,8 @@ module.exports = {
 var frontDoorWafPolicies = false;
 for (let policy of afdWafPolicies.data) {
- if (!policy.id || !policy.sku || policy.sku.name.toLowerCase() != 'premium_azurefrontdoor') continue;
+ if (!policy.id) continue;
- frontDoorWafPolicies = true;
 if (policy.policySettings && policy.policySettings.requestBodyCheck && policy.policySettings.requestBodyCheck.toLowerCase() == 'enabled') {
@@ -46,10 +45,6 @@ module.exports = {
 }
 }
- if (!frontDoorWafPolicies) {
- helpers.addResult(results, 0, 'No existing Front Door WAF policies found', location);
- }
-
 rcb();
 }, function() {
 callback(null, results, source);
From 9a14be78c8e8413c1cc0e3bc6baaf78b63d5feed Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Wed, 29 Nov 2023 17:47:10 +0500 Subject: [PATCH 095/498] Update plugins/azure/frontdoor/frontDoorRequestBodyInspection.js --- plugins/azure/frontdoor/frontDoorRequestBodyInspection.js | 1 - 1 file changed, 1 deletion(-) diff --git a/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js index 5175a83d21..bf1f5ba1b7 100644 --- a/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js +++ b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js @@ -32,7 +32,6 @@ module.exports = { return rcb(); } - var frontDoorWafPolicies = false; for (let policy of afdWafPolicies.data) { if (!policy.id) continue; From dfe0d7ef56a2d78b7bb9801ea9c768014bfb9425 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Wed, 29 Nov 2023 17:59:08 +0500 Subject: [PATCH 096/498] Apply suggestions from code review --- plugins/azure/frontdoor/frontDoorWafDetectionMode.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/frontdoor/frontDoorWafDetectionMode.js b/plugins/azure/frontdoor/frontDoorWafDetectionMode.js index 71abb7ada8..747a740429 100644 --- a/plugins/azure/frontdoor/frontDoorWafDetectionMode.js +++ b/plugins/azure/frontdoor/frontDoorWafDetectionMode.js 
@@ -6,7 +6,7 @@ module.exports = {
 category: 'Front Door',
 domain: 'Content Delivery',
 description: 'Ensure that WAF policy for Azure Front Door is set to Detection mode.',
- more_info: 'Azure Web Application Firewall (WAF) on Azure Front Door provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. It monitors and logs the request and its matched WAF rule to WAF logs.',
+ more_info: 'Web Application Firewall (WAF) on Front Door provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. It monitors and logs the request and its matched WAF rule to WAF logs.',
 recommended_action: 'Modify Front Door WAF policy and enable prevention mode.',
 link: 'https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview',
 apis: ['afdWafPolicies:listAll'],
From e7e87c863b1fe8524d7fc0cf54ce2dd7b8bcc514 Mon Sep 17 00:00:00 2001
From: alphadev4
Date: Wed, 29 Nov 2023 18:27:16 +0500
Subject: [PATCH 097/498] Renaming
---
 exports.js | 2 +- ...omain.js => frontDoorAzureManagedDomain.js} | 10 +++++----- ....js => frontDoorAzureManagedDomain.spec.js} | 18 +++++++++--------- 3 files changed, 15 insertions(+), 15 deletions(-) rename plugins/azure/frontdoor/{frontDoorDnsManagedDomain.js => frontDoorAzureManagedDomain.js} (88%) rename plugins/azure/frontdoor/{frontDoorDnsManagedDomain.spec.js => frontDoorAzureManagedDomain.spec.js} (92%)
diff --git a/exports.js b/exports.js
index 24948beaa4..b74bfef4bf 100644
--- a/exports.js
+++ b/exports.js
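Review bot: The metadata in this hunk contradicts itself: `description` (context line) says the check ensures the policy "is set to Detection mode", `recommended_action` two lines below says to "enable prevention mode", and the reworded `more_info` describes detection-mode behaviour ("monitors and logs the request"). Since the commit is already rewording this block, the two should be aligned here: if the plugin flags policies still in detection mode, the description should read `description: 'Ensure that WAF policy for Azure Front Door is set to Prevention mode.',`; otherwise the recommended action is the wrong one. The run() body that decides which mode passes is outside the hunk, so I cannot tell from here which field is correct.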
@@ -990,7 +990,7 @@ module.exports = {
 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'),
 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'),
- 'frontDoorDnsManagedDomain' : require(__dirname + '/plugins/azure/frontdoor/frontDoorDnsManagedDomain.js')
+ 'frontDoorAzureManagedDomain' : require(__dirname + '/plugins/azure/frontdoor/frontDoorAzureManagedDomain.js')
 },
 github: {
diff --git a/plugins/azure/frontdoor/frontDoorDnsManagedDomain.js b/plugins/azure/frontdoor/frontDoorAzureManagedDomain.js
similarity index 88%
rename from plugins/azure/frontdoor/frontDoorDnsManagedDomain.js
rename to plugins/azure/frontdoor/frontDoorAzureManagedDomain.js
index fc716b2bfe..e5b8769539 100644
--- a/plugins/azure/frontdoor/frontDoorDnsManagedDomain.js
+++ b/plugins/azure/frontdoor/frontDoorAzureManagedDomain.js
@@ -2,12 +2,12 @@ var async = require('async');
 var helpers = require('../../../helpers/azure');
 module.exports = {
- title: 'Front Door Domain Managed DNS',
+ title: 'Front Door Azure Managed DNS',
 category: 'Front Door',
 domain: 'Content Delivery',
- description: 'Ensures that Front Door Standard and Premium profile custom domains are configured to use Azure Managed DNS',
+ description: 'Ensures that Front Door standard and premium profile custom domains are configured to use Azure Managed DNS',
 more_info: 'Azure Managed DNS is a hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure.',
- recommended_action: 'Ensure that Non-Azure validated domains for Front Door Standard and Premium are using Azure Managed DNS.',
+ recommended_action: 'Ensure that Non-Azure validated domains for Front Door profiles are using Azure Managed DNS.',
 link: 'https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain?tabs=powershell#azure-front-door-managed-certificates-for-non-azure-pre-validated-domains',
 apis: ['profiles:list', 'customDomain:listByFrontDoorProfiles'],
@@ -54,10 +54,10 @@ module.exports = {
 if (failingDomains.length){
 helpers.addResult(results, 2,
- `Front Door Profile domains are not using Azure managed DNS ${failingDomains.join(', ')}`, location, profile.id);
+ `Front Door profile custom domains are not using Azure managed DNS: ${failingDomains.join(', ')}`, location, profile.id);
 } else {
 helpers.addResult(results, 0,
- 'Front Door Profile domains are using Azure managed DNS', location, profile.id);
+ 'Front Door profile custom domains are using Azure managed DNS', location, profile.id);
 }
 }
 });
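Review bot: `recommended_action` is rewritten in the first hunk but keeps the "Ensure that …" phrasing that the sibling commits in this series (botProtectionEnabled, frontDoorHttpsOnly, frontDoorWafEnabled and frontDoorRequestBodyInspection at L949–L954) replaced with an imperative "Modify …" instruction; for consistency: `recommended_action: 'Modify Front Door profile custom domains so that non-Azure validated domains use Azure Managed DNS.',`. The description also now says "custom domains are configured to use Azure Managed DNS" while the action still scopes it to "Non-Azure validated domains" — if only pre-validated domains are assessed (the loop that builds `failingDomains` is outside the hunk), the description should say so too. The enclosing module definition continues outside both hunks.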
diff --git a/plugins/azure/frontdoor/frontDoorDnsManagedDomain.spec.js b/plugins/azure/frontdoor/frontDoorAzureManagedDomain.spec.js similarity index 92% rename from plugins/azure/frontdoor/frontDoorDnsManagedDomain.spec.js rename to plugins/azure/frontdoor/frontDoorAzureManagedDomain.spec.js index 7efb78dba6..5a30b4b3f6 100644 --- a/plugins/azure/frontdoor/frontDoorDnsManagedDomain.spec.js +++ b/plugins/azure/frontdoor/frontDoorAzureManagedDomain.spec.js @@ -1,5 +1,5 @@ var expect = require('chai').expect; -var frontDoorDnsManagedDomain = require('./frontDoorDnsManagedDomain.js'); +var frontDoorAzureManagedDomain = require('./frontDoorAzureManagedDomain.js'); const profiles = [ { @@ -171,12 +171,12 @@ const createErrorCache = (key) => { } }; -describe('frontDoorDnsManagedDomain', function () { +describe('frontDoorAzureManagedDomain', function () { describe('run', function () { it('should give unknown if Unable to query Azure Front Door profiles:', function (done) { const cache = createErrorCache('profile'); - frontDoorDnsManagedDomain.run(cache, {}, (err, results) => { + frontDoorAzureManagedDomain.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); expect(results[0].message).to.include('Unable to query Azure Front Door profiles'); @@ -188,7 +188,7 @@ describe('frontDoorDnsManagedDomain', function () { it('should give unknown if Unable to query Front Door custom domains:', function (done) { const cache = createErrorCache('customDomains'); - frontDoorDnsManagedDomain.run(cache, {}, (err, results) => { + frontDoorAzureManagedDomain.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); expect(results[0].message).to.include('Unable to query Front Door custom domains:'); 
@@ -199,7 +199,7 @@ describe('frontDoorDnsManagedDomain', function () { it('should give pass if No existing Front Door custom domains found', function (done) { const cache = createCache([profiles[0]], customDomain[1]); - frontDoorDnsManagedDomain.run(cache, {}, (err, results) => { + frontDoorAzureManagedDomain.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); expect(results[0].message).to.include('No existing Front Door custom domains found'); @@ -210,10 +210,10 @@ describe('frontDoorDnsManagedDomain', function () { it('should give pass result if AFD profile custom domain is using Azure managed DNS', function (done) { const cache = createCache([profiles[2]], [customDomain[0]]); - frontDoorDnsManagedDomain.run(cache, {}, (err, results) => { + frontDoorAzureManagedDomain.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Front Door Profile domains are using Azure managed DNS'); + expect(results[0].message).to.include('Front Door profile custom domains are using Azure managed DNS'); expect(results[0].region).to.equal('global'); done(); }); @@ -221,10 +221,10 @@ describe('frontDoorDnsManagedDomain', function () { it('should give fail result if AFD profile custom domain is not using Azure managed DNS', function (done) { const cache = createCache([profiles[2]], [customDomain[2]]); - frontDoorDnsManagedDomain.run(cache, {}, (err, results) => { + frontDoorAzureManagedDomain.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Front Door Profile domains are not using Azure managed DNS'); + expect(results[0].message).to.include('Front Door profile custom domains are not using Azure managed DNS:'); expect(results[0].region).to.equal('global'); done(); }); 
From 1e1f9791f91add309d51643dfb8a024e32942e67 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Wed, 29 Nov 2023 18:27:56 +0500
Subject: [PATCH 098/498] Update exports.js
---
 exports.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/exports.js b/exports.js
index b74bfef4bf..674c01eb0b 100644
--- a/exports.js
+++ b/exports.js
@@ -1480,4 +1480,4 @@ module.exports = {
 'securityNotificationsEnabled' : require(__dirname + '/plugins/alibaba/securitycenter/securityNotificationsEnabled.js'),
 'vulnerabilityScanEnabled' : require(__dirname + '/plugins/alibaba/securitycenter/vulnerabilityScanEnabled.js')
 }
-};
\ No newline at end of file
+};
From bcd84bbe106c918978eea8887bf7550c4b3c5daf Mon Sep 17 00:00:00 2001
From: alphadev4
Date: Wed, 29 Nov 2023 18:33:08 +0500
Subject: [PATCH 099/498] linting
---
 plugins/azure/frontdoor/frontDoorWafDefaultRateLimit.js | 8 ++++----
 .../azure/frontdoor/frontDoorWafDefaultRateLimit.spec.js | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/plugins/azure/frontdoor/frontDoorWafDefaultRateLimit.js b/plugins/azure/frontdoor/frontDoorWafDefaultRateLimit.js
index cf0937f92f..7dd3e6c1e1 100644
--- a/plugins/azure/frontdoor/frontDoorWafDefaultRateLimit.js
+++ b/plugins/azure/frontdoor/frontDoorWafDefaultRateLimit.js
@@ -7,7 +7,7 @@ module.exports = { domain: 'Content Delivery', description: 'Ensures that Front Door WAF policy has rate limit custom rule configured.', more_info: 'Rate limiting enables you to detect and block abnormally high levels of traffic from any socket IP address. By using Azure Web Application Firewall in Azure Front Door, you can mitigate some types of denial-of-service attacks.', - recommended_action: 'Ensures that Front Door WAF policy has default rate limit custom rule configured.', + recommended_action: 'Modify the Front Door WAF policy and add default rate limit custom rule.', link: 'https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-rate-limit', apis: ['afdWafPolicies:listAll'], @@ -35,12 +35,12 @@ module.exports = { for (let policy of afdWafPolicies.data) { if (!policy.id) continue; var found = policy.customRules && policy.customRules.rules? - policy.customRules.rules.find(rule => rule.ruleType.toLowerCase() == 'ratelimitrule' && rule.action.toLowerCase() == 'block') : 'false' + policy.customRules.rules.find(rule => rule.ruleType.toLowerCase() == 'ratelimitrule' && rule.action.toLowerCase() == 'block') : 'false'; if (found) { - helpers.addResult(results, 0, 'Front Door profile WAF policy has rate limit custom rule configured', location, policy.id); + helpers.addResult(results, 0, 'Front Door WAF policy has rate limit custom rule configured', location, policy.id); } else { - helpers.addResult(results, 2, 'Front Door profile WAF policy does not have rate limit custom rule configured', location, policy.id); + helpers.addResult(results, 2, 'Front Door WAF policy does not have rate limit custom rule configured', location, policy.id); } } diff --git a/plugins/azure/frontdoor/frontDoorWafDefaultRateLimit.spec.js b/plugins/azure/frontdoor/frontDoorWafDefaultRateLimit.spec.js index f357affd2f..ae789f5fa0 100644 --- a/plugins/azure/frontdoor/frontDoorWafDefaultRateLimit.spec.js 
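Review bot: The fallback `'false'` in the `found` assignment is a non-empty string and therefore truthy, so a WAF policy with no `customRules.rules` at all is reported as having a block rate-limit rule (status 0), the opposite of what the check intends; the linting commit touches this line but keeps the string. Change the fallback to `null`, and guard the property reads so a rule missing `ruleType` or `action` does not throw and abort the whole scan: `policy.customRules.rules.find(rule => rule.ruleType && rule.action && rule.ruleType.toLowerCase() == 'ratelimitrule' && rule.action.toLowerCase() == 'block') : null;`. A one-line why-comment such as `// null, not 'false': a string is truthy and would mask a policy with no rules` would keep this from regressing. The enclosing `run` function begins before this hunk.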
+++ b/plugins/azure/frontdoor/frontDoorWafDefaultRateLimit.spec.js @@ -127,12 +127,12 @@ const createErrorCache = () => { describe('frontDoorWafDefaultRateLimit', function () { describe('run', function () { - it('should give pass result front door profile waf policy has rate limit custom rule configured', function (done) { + it('should give pass result front door waf policy has rate limit custom rule configured', function (done) { const cache = createCache([afdWafPolicies[0]]); frontDoorWafDefaultRateLimit.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Front Door profile WAF policy has rate limit custom rule configured'); + expect(results[0].message).to.include('Front Door WAF policy has rate limit custom rule configured'); expect(results[0].region).to.equal('global'); done(); }); @@ -149,12 +149,12 @@ describe('frontDoorWafDefaultRateLimit', function () { }); }); - it('should give fail result if front door profile WAF policy does not have rate limit custom rule configured', function (done) { + it('should give fail result if front door WAF policy does not have rate limit custom rule configured', function (done) { const cache = createCache([afdWafPolicies[1]]); frontDoorWafDefaultRateLimit.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Front Door profile WAF policy does not have rate limit custom rule configured'); + expect(results[0].message).to.include('Front Door WAF policy does not have rate limit custom rule configured'); expect(results[0].region).to.equal('global'); done(); }); From 1e6bcb3200bb0ea18e750b87b6744d7ab01e453c Mon Sep 17 00:00:00 2001 
From: abdullahaslam306 Date: Thu, 30 Nov 2023 00:06:47 +0500 Subject: [PATCH 100/498] ams identity enabled --- exports.js | 4 +- helpers/azure/api.js | 12 ++ helpers/azure/locations.js | 3 +- .../amsManagedIdentityEnabled.js | 62 +++++++++ .../amsManagedIdentityEnabled.spec.js | 120 ++++++++++++++++++ 5 files changed, 199 insertions(+), 2 deletions(-) create mode 100644 plugins/azure/mediaServices/amsManagedIdentityEnabled.js create mode 100644 plugins/azure/mediaServices/amsManagedIdentityEnabled.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..d8928aacb0 100644 --- a/exports.js +++ b/exports.js @@ -989,7 +989,9 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + + 'amsManagedIdentityEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsManagedIdentityEnabled.js') }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 0c44596e9d..26c0931e13 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -465,6 +465,11 @@ var calls = { url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01' } }, + mediaServices:{ + listAll: { + url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Media/mediaservices?api-version=2023-01-01' + } + }, // For CIEM groups: { list: { 
@@ -910,6 +915,13 @@ var postcalls = { properties: ['id'], url: 'https://management.azure.com/{id}/configurations?api-version=2017-12-01' } + }, + mediaServices: { + get: { + reliesOnPath: 'mediaServices.listAll', + properties: ['id'], + url: 'https://management.azure.com/{id}?api-version=2023-01-01' + } } }; diff --git a/helpers/azure/locations.js b/helpers/azure/locations.js index 46dd902f36..b4a9b1a8a7 100644 --- a/helpers/azure/locations.js +++ b/helpers/azure/locations.js @@ -118,5 +118,6 @@ module.exports = { bastionHosts: locations, applications: ['global'], eventGrid: locations, - eventHub: locations + eventHub: locations, + mediaServices: locations }; diff --git a/plugins/azure/mediaServices/amsManagedIdentityEnabled.js b/plugins/azure/mediaServices/amsManagedIdentityEnabled.js new file mode 100644 index 0000000000..a18c4c6609 --- /dev/null +++ b/plugins/azure/mediaServices/amsManagedIdentityEnabled.js 
@@ -0,0 +1,62 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Azure Media Service Managed Identity Enabled', + category: 'Media Services', + domain: 'Identity and Access Management', + description: 'Ensure that Azure Media Services have managed identity enabled.', + more_info: 'Enabling managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.', + link: 'https://learn.microsoft.com/en-us/azure/media-services/latest/concept-managed-identities', + recommended_action: 'Remove Azure Media Services accounts and create a new account with managed identity enabled.', + apis: ['mediaServices:listAll', 'mediaServices:get'], + + run: function(cache, settings, callback) { + var results = []; + var source = {}; + var locations = helpers.locations(settings.govcloud); + + async.each(locations.mediaServices, function(location, rcb){ + var mediaServices = helpers.addSource(cache, source, + ['mediaServices', 'listAll', location]); + + if (!mediaServices) return rcb(); + + if (mediaServices.err || !mediaServices.data) { + helpers.addResult(results, 3, 'Unable to query for Media Services: ' + helpers.addError(mediaServices), location); + return rcb(); + } + + if (!mediaServices.data.length) { + helpers.addResult(results, 0, 'No existing Media Services found', location); + return rcb(); + } + + for (let mediaService of mediaServices.data) { + if (!mediaService.id) continue; + + var getMediaService = helpers.addSource(cache, source, + ['mediaServices', 'get', location, mediaService.id]); + + if (!getMediaService || getMediaService.err || !getMediaService.data) { + helpers.addResult(results, 3, `Unable to query for Media Service: ${helpers.addError(getMediaService)}`, + location, mediaService.id); + continue; + } + + if (getMediaService.data.identity && 
getMediaService.data.identity.type + && (getMediaService.data.identity.type.toLowerCase() === 'userassigned' || + getMediaService.data.identity.type.toLowerCase() === 'systemassigned')) { + + helpers.addResult(results, 0, 'Managed Identity is enabled for Azure Media Service account', location, mediaService.id); + } else { + helpers.addResult(results, 2, 'Managed Identity is not enabled for Azure Media Service account', location, mediaService.id); + } + } + + rcb(); + }, function(){ + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/mediaServices/amsManagedIdentityEnabled.spec.js b/plugins/azure/mediaServices/amsManagedIdentityEnabled.spec.js new file mode 100644 index 0000000000..a28fd9dd40 --- /dev/null +++ b/plugins/azure/mediaServices/amsManagedIdentityEnabled.spec.js 
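Review bot: The identity check near the end of `run` uses strict equality against `userassigned` and `systemassigned`, but ARM reports an account that has both identities with the combined value `SystemAssigned, UserAssigned` (as I understand the Resource Manager identity model), which this comparison would flag as not enabled. Compare by substring on the lowercased value instead: `var identityType = getMediaService.data.identity && getMediaService.data.identity.type ? getMediaService.data.identity.type.toLowerCase() : '';` followed by `if (identityType.includes('systemassigned') || identityType.includes('userassigned')) {`. Separately, `recommended_action` tells the user to delete the account and recreate it; managed identity can presumably be assigned to an existing Media Services account, so `'Modify the Media Services account and enable a system-assigned or user-assigned managed identity.'` is the safer advice unless the API genuinely forbids it — confirm before changing.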
@@ -0,0 +1,120 @@ +var expect = require('chai').expect; +var amsManagedIdentityEnabled = require('./amsManagedIdentityEnabled'); + +const mediaServices = [ + { + "name": 'test', + "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Media/mediaservices/test', + "type": 'Microsoft.Media/mediaservices', + "location": 'eastus', + "publicNetworkAccess": 'Enabled', + "provisioningState": 'Succeeded', + "privateEndpointConnections": [], + "minimumTlsVersion": 'Tls12' + } +]; + +const getMediaService = [ + { + "name": 'test', + "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Media/mediaservices/test', + "type": 'Microsoft.Media/mediaservices', + "location": 'eastus', + "publicNetworkAccess": 'Enabled', + "provisioningState": 'Succeeded', + "privateEndpointConnections": [], + "minimumTlsVersion": 'Tls12' + }, + { + "name": 'test', + "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Media/mediaservices/test', + "type": 'Microsoft.Media/mediaservices', + "location": 'eastus', + "publicNetworkAccess": 'Enabled', + "provisioningState": 'Succeeded', + "privateEndpointConnections": [], + "minimumTlsVersion": 'Tls12', + "identity": { + "type": "UserAssigned", + } + } +]; + +const createCache = (ams, ds) => { + const id = (ams && ams.length) ? 
ams[0].id : null; + return { + mediaServices: { + listAll: { + 'eastus': { + data: ams + } + }, + get: { + 'eastus': { + [id]: { + data: ds + } + } + } + }, + }; +}; + +describe('amsManagedIdentityEnabled', function() { + describe('run', function() { + it('should give passing result if no media services found', function(done) { + const cache = createCache([], null); + amsManagedIdentityEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Media Services found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for media services', function(done) { + const cache = createCache(null, null); + amsManagedIdentityEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Media Services:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to get media service', function(done) { + const cache = createCache([mediaServices[0]], null); + amsManagedIdentityEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Media Service'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if managed identity is not enabled', function(done) { + const cache = createCache([mediaServices[0]], getMediaService[0]); + amsManagedIdentityEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Managed Identity is not enabled for Azure Media Service account'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + 
it('should give failing result if classic API enabled', function(done) { + const cache = createCache([mediaServices[0]], getMediaService[1]); + amsManagedIdentityEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Managed Identity is enabled for Azure Media Service account'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file From 0fc0890f5382f7eb2d9c455316df5b583fa9b42a Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Thu, 30 Nov 2023 01:03:24 +0500 Subject: [PATCH 101/498] content key policy exists --- exports.js | 4 +- helpers/azure/api.js | 13 +++ helpers/azure/locations.js | 3 +- .../mediaServices/amsContentKeyPolicy.js | 58 ++++++++++ .../mediaServices/amsContentKeyPolicy.spec.js | 108 ++++++++++++++++++ 5 files changed, 184 insertions(+), 2 deletions(-) create mode 100644 plugins/azure/mediaServices/amsContentKeyPolicy.js create mode 100644 plugins/azure/mediaServices/amsContentKeyPolicy.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..eaff86dc2c 100644 --- a/exports.js +++ b/exports.js @@ -989,7 +989,9 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + + 'amsContentKeyPolicy' : require(__dirname + '/plugins/azure/mediaServices/amsContentKeyPolicy.js') }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 0c44596e9d..1d613d333c 100644 --- a/helpers/azure/api.js 
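Review bot: The last two test names in this spec contradict what they assert: `'should give passing result if managed identity is not enabled'` expects status 2, and `'should give failing result if classic API enabled'` (apparently copied from another plugin) expects status 0 with the enabled message. Rename them to `'should give failing result if managed identity is not enabled'` and `'should give passing result if managed identity is enabled'` so a failure report reads correctly. A fixture whose `identity.type` is `'SystemAssigned, UserAssigned'` would also be worth adding, since that is the value returned when both identity kinds are assigned and the plugin's handling of it is otherwise unexercised.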
+++ b/helpers/azure/api.js @@ -456,6 +456,12 @@ var calls = { url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.EventHub/namespaces?api-version=2022-10-01-preview' } }, + mediaServices:{ + listAll: { + url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Media/mediaservices?api-version=2023-01-01' + } + + }, // For CIEM aad: { listRoleAssignments: { @@ -910,6 +916,13 @@ var postcalls = { properties: ['id'], url: 'https://management.azure.com/{id}/configurations?api-version=2017-12-01' } + }, + mediaServices: { + listContentKeyPolicies: { + reliesOnPath: 'mediaServices.listAll', + properties: ['id'], + url: 'https://management.azure.com/{id}/contentKeyPolicies?api-version=2023-01-01' + } } }; diff --git a/helpers/azure/locations.js b/helpers/azure/locations.js index 46dd902f36..0b182e74e1 100644 --- a/helpers/azure/locations.js +++ b/helpers/azure/locations.js @@ -118,5 +118,6 @@ module.exports = { bastionHosts: locations, applications: ['global'], eventGrid: locations, - eventHub: locations + eventHub: locations, + mediaServices: locations, }; diff --git a/plugins/azure/mediaServices/amsContentKeyPolicy.js b/plugins/azure/mediaServices/amsContentKeyPolicy.js new file mode 100644 index 0000000000..0d84ce6aae --- /dev/null +++ b/plugins/azure/mediaServices/amsContentKeyPolicy.js 
@@ -0,0 +1,58 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Azure Media Services Content Key Policy Exists', + category: 'Media Services', + domain: 'Media Service Configuration', + description: 'Ensure that Microsoft Azure Media Services have Content Key Policy configured.', + more_info: 'A Content Key Policy in Azure Media Services dictates how content keys, ensuring secure asset access, are delivered to end clients. It allows setting requirements or restrictions that keys with specific configurations must meet before being delivered to clients.', + link: 'https://learn.microsoft.com/en-us/azure/media-services/latest/drm-content-key-policy-concept', + recommended_action: 'Modify media service account and add a content key policy.', + apis: ['mediaServices:listAll', 'mediaServices:listContentKeyPolicies'], + + run: function(cache, settings, callback) { + var results = []; + var source = {}; + var locations = helpers.locations(settings.govcloud); + + async.each(locations.mediaServices, function(location, rcb){ + var mediaServices = helpers.addSource(cache, source, + ['mediaServices', 'listAll', location]); + + if (!mediaServices) return rcb(); + + if (mediaServices.err || !mediaServices.data) { + helpers.addResult(results, 3, 'Unable to query for Media Services: ' + helpers.addError(mediaServices), location); + return rcb(); + } + + if (!mediaServices.data.length) { + helpers.addResult(results, 0, 'No existing Media Services found', location); + return rcb(); + } + + for (let mediaService of mediaServices.data) { + if (!mediaService.id) continue; + + var listContentKeyPolicies = helpers.addSource(cache, source, + ['mediaServices', 'listContentKeyPolicies', location, mediaService.id]); + + if (!listContentKeyPolicies || listContentKeyPolicies.err || !listContentKeyPolicies.data) { + helpers.addResult(results, 3, `Unable to query for Content Key Policy: ${helpers.addError(listContentKeyPolicies)}`, 
+ location, mediaService.id); + continue; + } + if (listContentKeyPolicies.data.length > 0) { + helpers.addResult(results, 0, 'Azure Media Service has content key policy configured', location, mediaService.id); + } else { + helpers.addResult(results, 2, 'Azure Media Service does not have content key policy configured', location, mediaService.id); + } + } + + rcb(); + }, function(){ + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/mediaServices/amsContentKeyPolicy.spec.js b/plugins/azure/mediaServices/amsContentKeyPolicy.spec.js new file mode 100644 index 0000000000..f7319c64e7 --- /dev/null +++ b/plugins/azure/mediaServices/amsContentKeyPolicy.spec.js 
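Review bot: The pass condition in `run` only counts policies (`listContentKeyPolicies.data.length > 0`), so an account whose only policy delivers keys under an open restriction — exactly what the spec fixture's description, "one ClearKey option and Open Restriction", describes — passes even though any client can obtain the key. If the intent is merely "a policy exists", say so explicitly in `description` and `more_info` (e.g. `'Checks only that at least one content key policy exists; it does not evaluate the restrictions the policy enforces.'`) so the finding is not read as proof of restricted key delivery. If a stronger check is wanted, each policy's `properties.options[].restriction['@odata.type']` could be inspected and an open restriction failed — confirm that field path against the Media Services API before relying on it. Folding `!Array.isArray(listContentKeyPolicies.data)` into the unknown-result guard would also keep an unexpected response shape from throwing on `.length`.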
@@ -0,0 +1,108 @@ +var expect = require('chai').expect; +var amsContentKeyPolicy = require('./amsContentKeyPolicy'); + +const mediaServices = [ + { + "name": 'test', + "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Media/mediaservices/test', + "type": 'Microsoft.Media/mediaservices', + "location": 'eastus', + "publicNetworkAccess": 'Enabled', + "provisioningState": 'Succeeded', + "privateEndpointConnections": [], + "minimumTlsVersion": 'Tls12' + } +]; + +const listContentKeyPolicies = [ + { + "name": "PolicyWithClearKeyOptionAndTokenRestriction", + "id": "/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Media/mediaservices/test/contentKeyPolicies/PolicyWithClearKeyOptionAndTokenRestriction", + "type": "Microsoft.Media/mediaservices/contentKeyPolicies", + "properties": { + "policyId": "8352435b-ebea-4681-aae7-e19277771f64", + "created": "2017-12-01T00:00:00Z", + "lastModified": "2017-11-01T00:00:00Z", + "description": "A policy with one ClearKey option and Open Restriction." + } + } +]; + +const createCache = (ams, cp) => { + const id = (ams && ams.length) ? 
ams[0].id : null; + return { + mediaServices: { + listAll: { + 'eastus': { + data: ams + } + }, + listContentKeyPolicies: { + 'eastus': { + [id]: { + data: cp + } + } + } + }, + }; +}; + +describe('amsContentKeyPolicy', function() { + describe('run', function() { + it('should give passing result if no media services found', function(done) { + const cache = createCache([], null); + amsContentKeyPolicy.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Media Services found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for media services', function(done) { + const cache = createCache(null, null); + amsContentKeyPolicy.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Media Services:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to get media service', function(done) { + const cache = createCache([mediaServices[0]], null); + amsContentKeyPolicy.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Content Key Policy'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if content key policy exist', function(done) { + const cache = createCache([mediaServices[0]], [listContentKeyPolicies[1]]); + amsContentKeyPolicy.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Azure Media Service has content key policy configured'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give 
failing result if content key policy not exist', function(done) { + const cache = createCache([mediaServices[0]], []); + amsContentKeyPolicy.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Azure Media Service does not have content key policy configured'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file From 4207d9bb9d4287914bbfad872777c25ab733d5a8 Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Thu, 30 Nov 2023 14:29:00 +0500 Subject: [PATCH 102/498] added plugin for azure vm security type check --- exports.js | 3 +- helpers/azure/api.js | 2 +- .../azure/virtualmachines/vmSecurityType.js | 49 +++++++++++ .../virtualmachines/vmSecurityType.spec.js | 83 +++++++++++++++++++ 4 files changed, 135 insertions(+), 2 deletions(-) create mode 100644 plugins/azure/virtualmachines/vmSecurityType.js create mode 100644 plugins/azure/virtualmachines/vmSecurityType.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..0239c298d5 100644 --- a/exports.js +++ b/exports.js @@ -745,7 +745,8 @@ module.exports = { 'vmScaleSetHasTags' : require(__dirname + '/plugins/azure/virtualmachines/vmScaleSetHasTags.js'), 'snapshotByokEncryptionEnabled' : require(__dirname + '/plugins/azure/virtualmachines/snapshotByokEncryptionEnabled.js'), 'systemAssignedIdentityEnabled' : require(__dirname + '/plugins/azure/virtualmachines/systemAssignedIdentityEnabled.js'), - 'vmWindowsAntiMalwareExtension' : require(__dirname + '/plugins/azure/virtualmachines/vmWindowsAntiMalwareExtension.js'), + 'vmWindowsAntiMalwareExtension': require(__dirname + '/plugins/azure/virtualmachines/vmWindowsAntiMalwareExtension.js'), + 'vmSecurityType': require(__dirname + '/plugins/azure/virtualmachines/vmSecurityType.js'), 'bastionHostExists' : require(__dirname + '/plugins/azure/bastion/bastionHostExists.js'), 
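Review bot: The passing-result test builds its cache with `[listContentKeyPolicies[1]]`, but the fixture array declared at the top of the spec has a single element, so the plugin is fed `[undefined]` and the test passes only because the length check never looks at policy contents. Use `[listContentKeyPolicies[0]]` so the test exercises a real policy object. Note the same fixture is described as having an open restriction, which is a reminder that the plugin's pass condition does not distinguish restricted from open policies; a second fixture with a token restriction would make that distinction visible if the check is ever tightened.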
diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 0c44596e9d..7424534cd5 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -200,7 +200,7 @@ var calls = { }, virtualMachines: { listAll: { - url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compute/virtualMachines?api-version=2019-12-01', + url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compute/virtualMachines?api-version=2023-07-01', paginate: 'nextLink' } }, diff --git a/plugins/azure/virtualmachines/vmSecurityType.js b/plugins/azure/virtualmachines/vmSecurityType.js new file mode 100644 index 0000000000..2897fe141a --- /dev/null +++ b/plugins/azure/virtualmachines/vmSecurityType.js 
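Review bot: Bumping `virtualMachines.listAll` from api-version 2019-12-01 to 2023-07-01 changes a call shared by every virtual-machine plugin, not only the new `vmSecurityType` check, and the hunk gives no indication of why or what was verified. Add a short comment on the entry, e.g. `// 2023-07-01 needed for securityProfile (vmSecurityType); shared by all VM plugins`, so the next bump is traceable, and run the existing virtualmachines specs plus a live listing before merging, since a newer api-version can rename or drop properties the older plugins read (inferred from how shared calls are used elsewhere in this helper, not verifiable from this hunk).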
@@ -0,0 +1,49 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Select Trusted Launch for Azure VMs', + category: 'Virtual Machines', + domain: 'Compute', + description: 'Ensure Trusted Launch is selected for Azure virtual machines (VM) to enhance security against advanced and persistent attack techniques.', + more_info: 'Trusted Launch provides additional security features on Gen 2 virtual machines, offering defense against sophisticated threats.', + recommended_action: 'Enable Trusted Launch for Azure virtual machines to leverage coordinated infrastructure technologies for enhanced security.', + link: 'https://docs.microsoft.com/en-us/azure/security/benchmark/azure-benchmark', + apis: ['virtualMachines:listAll'], + + run: function(cache, settings, callback) { + var results = []; + var source = {}; + var locations = helpers.locations(settings.govcloud); + + async.each(locations.virtualMachines, function(location, rcb) { + var virtualMachines = helpers.addSource(cache, source, + ['virtualMachines', 'listAll', location]); + + if (!virtualMachines) return rcb(); + + if (virtualMachines.err || !virtualMachines.data) { + helpers.addResult(results, 3, 'Unable to query for virtual machines: ' + helpers.addError(virtualMachines), location); + return rcb(); + } + + if (!virtualMachines.data.length) { + helpers.addResult(results, 0, 'No existing Virtual Machines found', location); + return rcb(); + } + + virtualMachines.data.forEach(virtualMachine => { + if (virtualMachine.securityProfile && virtualMachine.securityProfile.securityType == 'TrustedLaunch') { + helpers.addResult(results, 0, 'Trusted Launch is selected as security type for Azure Virtual Machine', location, virtualMachine.id); + } else { + helpers.addResult(results, 2, 'Trusted Launch is not selected as security type for Azure Virtual Machine', location, virtualMachine.id); + } + + }); + + rcb(); + }, function() { + callback(null, results, 
source); + }); + } +}; diff --git a/plugins/azure/virtualmachines/vmSecurityType.spec.js b/plugins/azure/virtualmachines/vmSecurityType.spec.js new file mode 100644 index 0000000000..618adf5343 --- /dev/null +++ b/plugins/azure/virtualmachines/vmSecurityType.spec.js 
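Review bot: The `securityType == 'TrustedLaunch'` comparison in the `forEach` reports a Confidential VM (`securityType: 'ConfidentialVM'`) as failing, although confidential VMs, as I understand the platform, build on the same secure boot and vTPM foundation and are the stronger setting; if that is not intended, accept it too and compare case-insensitively like the sibling plugins: `var securityType = virtualMachine.securityProfile && virtualMachine.securityProfile.securityType ? virtualMachine.securityProfile.securityType.toLowerCase() : '';` then `if (securityType === 'trustedlaunch' || securityType === 'confidentialvm') {`. The `link` points at the generic Azure Security Benchmark landing page rather than the Trusted Launch documentation, which is what a user needs to act on the finding. The `title` `'Select Trusted Launch for Azure VMs'` is phrased as an instruction while other plugins use noun-style titles; `'VM Trusted Launch Enabled'` would be consistent.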
@@ -0,0 +1,83 @@ +var expect = require('chai').expect; +var selectTrustedLaunch = require('./vmSecurityType'); + +const virtualMachines = [ + { + 'id': '/subscriptions/123/resourceGroups/AQUA-RESOURCE_GROUP/providers/Microsoft.Compute/virtualMachines/test-vm', + 'name': 'test-vm', + 'type': 'Microsoft.Compute/virtualMachines', + 'securityProfile': { + 'securityType': 'TrustedLaunch' + } + }, + { + 'id': '/subscriptions/123/resourceGroups/AQUA-RESOURCE_GROUP/providers/Microsoft.Compute/virtualMachines/test-vm-2', + 'name': 'test-vm-2', + 'type': 'Microsoft.Compute/virtualMachines', + 'securityProfile': { + 'securityType': 'NotTrustedLaunch' + } + } +]; + +const createCache = (virtualMachines) => { + let vm = {}; + if (virtualMachines) { + vm['data'] = virtualMachines; + } + return { + virtualMachines: { + listAll: { + 'eastus': vm + } + } + }; +}; + +describe('selectTrustedLaunch', function() { + describe('run', function() { + it('should give passing result if no virtual machines', function(done) { + const cache = createCache([]); + selectTrustedLaunch.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Virtual Machines found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for virtual machines', function(done) { + const cache = createCache(null); + selectTrustedLaunch.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for virtual machines'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if Trusted Launch is selected', function(done) { + const cache = createCache([virtualMachines[0]]); + selectTrustedLaunch.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + 
expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Trusted Launch is selected as security type for Azure Virtual Machine'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if Trusted Launch is not selected', function(done) { + const cache = createCache([virtualMachines[1]]); + selectTrustedLaunch.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Trusted Launch is not selected as security type for Azure Virtual Machine'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); From a5d1ed21e01cdb18b49c689d478c848b826c9268 Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Thu, 30 Nov 2023 15:26:02 +0500 Subject: [PATCH 103/498] added azure vm plugin vmVTPMEnabled --- exports.js | 3 +- helpers/azure/api.js | 2 +- .../azure/virtualmachines/vmVTPMEnabled.js | 48 ++++++++++ .../virtualmachines/vmVTPMEnabled.spec.js | 87 +++++++++++++++++++ 4 files changed, 138 insertions(+), 2 deletions(-) create mode 100644 plugins/azure/virtualmachines/vmVTPMEnabled.js create mode 100644 plugins/azure/virtualmachines/vmVTPMEnabled.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..9f943c4b5b 100644 --- a/exports.js +++ b/exports.js 
@@ -745,7 +745,8 @@ module.exports = { 'vmScaleSetHasTags' : require(__dirname + '/plugins/azure/virtualmachines/vmScaleSetHasTags.js'), 'snapshotByokEncryptionEnabled' : require(__dirname + '/plugins/azure/virtualmachines/snapshotByokEncryptionEnabled.js'), 'systemAssignedIdentityEnabled' : require(__dirname + '/plugins/azure/virtualmachines/systemAssignedIdentityEnabled.js'), - 'vmWindowsAntiMalwareExtension' : require(__dirname + '/plugins/azure/virtualmachines/vmWindowsAntiMalwareExtension.js'), + 'vmWindowsAntiMalwareExtension': require(__dirname + '/plugins/azure/virtualmachines/vmWindowsAntiMalwareExtension.js'), + 'vmVTPMEnabled': require(__dirname + '/plugins/azure/virtualmachines/vmVTPMEnabled.js'), 'bastionHostExists' : require(__dirname + '/plugins/azure/bastion/bastionHostExists.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 0c44596e9d..7424534cd5 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -200,7 +200,7 @@ var calls = { }, virtualMachines: { listAll: { - url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compute/virtualMachines?api-version=2019-12-01', + url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compute/virtualMachines?api-version=2023-07-01', paginate: 'nextLink' } }, diff --git a/plugins/azure/virtualmachines/vmVTPMEnabled.js b/plugins/azure/virtualmachines/vmVTPMEnabled.js new file mode 100644 index 0000000000..463fcf5fd9 --- /dev/null +++ b/plugins/azure/virtualmachines/vmVTPMEnabled.js 
@@ -0,0 +1,48 @@
+var async = require('async');
+var helpers = require('../../../helpers/azure');
+
+module.exports = {
+ title: 'Select vTPM for Azure VMs',
+ category: 'Virtual Machines',
+ domain: 'Compute',
+ description: 'Ensure Virtual Trusted Platform Module (vTPM) is enabled for Azure virtual machines (VM) to validate boot integrity, securely store keys and secrets, and support advanced threat detection.',
+ more_info: 'vTPM is TPM2.0 compliant and enhances security by validating VM boot integrity and providing a secure storage mechanism for keys and secrets.',
+ recommended_action: 'Enable vTPM for Azure virtual machines to leverage advanced security features and support Guest Attestation in Azure Security Center.',
+ link: 'https://docs.microsoft.com/en-us/azure/security/azure-security-vm-tpm',
+ apis: ['virtualMachines:listAll'],
+
+ run: function(cache, settings, callback) {
+ var results = [];
+ var source = {};
+ var locations = helpers.locations(settings.govcloud);
+
+ async.each(locations.virtualMachines, function(location, rcb) {
+ var virtualMachines = helpers.addSource(cache, source,
+ ['virtualMachines', 'listAll', location]);
+
+ if (!virtualMachines) return rcb();
+
+ if (virtualMachines.err || !virtualMachines.data) {
+ helpers.addResult(results, 3, 'Unable to query for virtual machines: ' + helpers.addError(virtualMachines), location);
+ return rcb();
+ }
+
+ if (!virtualMachines.data.length) {
+ helpers.addResult(results, 0, 'No existing Virtual Machines found', location);
+ return rcb();
+ }
+
+ virtualMachines.data.forEach(virtualMachine => {
+ if (virtualMachine.securityProfile && virtualMachine.securityProfile.uefiSettings.vTpmEnabled) {
+ helpers.addResult(results, 0, 'vTPM is selected for Azure Virtual Machine', location, virtualMachine.id);
+ } else {
+ helpers.addResult(results, 2, 'vTPM is not selected for Azure Virtual Machine', location, virtualMachine.id);
+ }
+ });
+
+ rcb();
+ }, function() {
+ callback(null, results, source);
+ });
+ }
+};
diff --git a/plugins/azure/virtualmachines/vmVTPMEnabled.spec.js b/plugins/azure/virtualmachines/vmVTPMEnabled.spec.js
new file mode 100644
index 0000000000..c9dc7cab57
--- /dev/null
+++ b/plugins/azure/virtualmachines/vmVTPMEnabled.spec.js
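Review bot: `virtualMachine.securityProfile.uefiSettings.vTpmEnabled` inside the `forEach` throws a TypeError for any VM whose `securityProfile` exists but has no `uefiSettings` (the guard in front of it only checks `securityProfile`), and because it is thrown inside the `async.each` iterator it aborts the region's scan instead of producing a failing result for that VM. Guard the nested object as well: `var uefi = virtualMachine.securityProfile && virtualMachine.securityProfile.uefiSettings;` and then `if (uefi && uefi.vTpmEnabled) {`. The `link` URL (`azure-security-vm-tpm` under `azure/security`) does not look like a current docs path; please confirm it resolves before this ships.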
@@ -0,0 +1,87 @@ +var expect = require('chai').expect; +var selectVTPM = require('./vmVTPMEnabled'); + +const virtualMachines = [ + { + 'id': '/subscriptions/123/resourceGroups/AQUA-RESOURCE_GROUP/providers/Microsoft.Compute/virtualMachines/test-vm', + 'name': 'test-vm', + 'type': 'Microsoft.Compute/virtualMachines', + 'securityProfile': { + 'uefiSettings': { + 'vTpmEnabled': true + } + } + }, + { + 'id': '/subscriptions/123/resourceGroups/AQUA-RESOURCE_GROUP/providers/Microsoft.Compute/virtualMachines/test-vm-2', + 'name': 'test-vm-2', + 'type': 'Microsoft.Compute/virtualMachines', + 'securityProfile': { + 'uefiSettings': { + 'vTpmEnabled': false + } + } + } +]; + +const createCache = (virtualMachines) => { + let vm = {}; + if (virtualMachines) { + vm['data'] = virtualMachines; + } + return { + virtualMachines: { + listAll: { + 'eastus': vm + } + } + }; +}; + +describe('selectVTPM', function() { + describe('run', function() { + it('should give passing result if no virtual machines', function(done) { + const cache = createCache([]); + selectVTPM.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Virtual Machines found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for virtual machines', function(done) { + const cache = createCache(null); + selectVTPM.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for virtual machines'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if vTPM is selected', function(done) { + const cache = createCache([virtualMachines[0]]); + selectVTPM.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + 
expect(results[0].message).to.include('vTPM is selected for Azure Virtual Machine'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if vTPM is not selected', function(done) { + const cache = createCache([virtualMachines[1]]); + selectVTPM.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('vTPM is not selected for Azure Virtual Machine'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); From a28ec06424295841acb497fec47ce1652bc263ba Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Thu, 30 Nov 2023 15:52:40 +0500 Subject: [PATCH 104/498] SAAS-20297/ag-ssl-policy --- exports.js | 2 + .../azure/applicationGateway/agSslPolicy.js | 54 ++++++++++ .../applicationGateway/agSslPolicy.spec.js | 101 ++++++++++++++++++ 3 files changed, 157 insertions(+) create mode 100644 plugins/azure/applicationGateway/agSslPolicy.js create mode 100644 plugins/azure/applicationGateway/agSslPolicy.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..33c3b8d529 100644 --- a/exports.js +++ b/exports.js @@ -975,7 +975,9 @@ module.exports = { 'enableDefenderForKeyVaults' : require(__dirname + '/plugins/azure/defender/enableDefenderForKeyVaults.js'), 'agWafEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agWafEnabled'), + 'agSslPolicy' : require(__dirname + '/plugins/azure/applicationGateway/agSslPolicy'), 'agPreventionModeEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agPreventionModeEnabled.js'), + 'subscriptionHasTags' : require(__dirname + '/plugins/azure/subscription/subscriptionHasTags.js'), 'rgHasTags' : require(__dirname + '/plugins/azure/resourceGroup/rgHasTags.js'), diff --git a/plugins/azure/applicationGateway/agSslPolicy.js b/plugins/azure/applicationGateway/agSslPolicy.js new file mode 100644 index 0000000000..14dcdf2c1d --- /dev/null 
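Review bot: The fixtures only cover `uefiSettings` being present with `vTpmEnabled` true or false, so the plugin's TypeError on a `securityProfile` that lacks `uefiSettings` is never exercised. Add a fixture such as `'securityProfile': { 'encryptionAtHost': true }` with a test expecting `status` 2, and one with no `securityProfile` at all; both should produce a failing result rather than an exception escaping `run`.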
+++ b/plugins/azure/applicationGateway/agSslPolicy.js 
@@ -0,0 +1,54 @@ +const async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Application Gateway SSL Policy', + category: 'Application Gateway', + domain: 'Network Access Control', + description: 'Ensures that Application Gateway is using minimum TLS version of TLSv1_2', + more_info: 'Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and encrypted.', + recommended_action: 'Modify Application Gateway with latest SSL policy which supports minimum TLS version', + link: 'https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview', + apis: ['applicationGateway:listAll'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + const recommendedSSLPolicies = ['AppGwSslPolicy20170401S', 'AppGwSslPolicy20220101' , 'AppGwSslPolicy20220101S']; + async.each(locations.applicationGateway, (location, rcb) => { + + var appGateways = helpers.addSource(cache, source, + ['applicationGateway', 'listAll', location]); + + if (!appGateways) return rcb(); + + if (appGateways.err || !appGateways.data) { + helpers.addResult(results, 3, 'Unable to query for Application Gateway: ' + helpers.addError(appGateways), location); + return rcb(); + } + + if (!appGateways.data.length) { + helpers.addResult(results, 0, 'No existing Application Gateway found', location); + return rcb(); + } + + for (let appGateway of appGateways.data) { + if (!appGateway.id) continue; + + const sslPolicy = appGateway.sslPolicy? 
appGateway.sslPolicy : ''; + if ((sslPolicy.policyType == 'Predefined' && sslPolicy.policyName && recommendedSSLPolicies.indexOf(sslPolicy.policyName) > -1) || + (sslPolicy.policyType == 'Custom' && sslPolicy.minProtocolVersion && sslPolicy.minProtocolVersion.toLowerCase() == 'tlsv1_2')) { + helpers.addResult(results, 0, 'Application Gateway is using SSL policy which supports TLSV1_2', location, appGateway.id); + + } else { + helpers.addResult(results, 2, 'Application Gateway is using SSL policy which does not support TLSV1_2', location, appGateway.id); + } + } + + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; diff --git a/plugins/azure/applicationGateway/agSslPolicy.spec.js b/plugins/azure/applicationGateway/agSslPolicy.spec.js new file mode 100644 index 0000000000..17a0192738 --- /dev/null +++ b/plugins/azure/applicationGateway/agSslPolicy.spec.js 
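Review bot: The `Custom` branch of the condition only passes when `minProtocolVersion` is exactly `tlsv1_2`, so a gateway whose custom policy enforces the stronger minimum of TLSv1_3 is reported as "does not support TLSV1_2", and a policy of type `CustomV2` (the variant that permits a TLSv1_3 minimum) matches neither branch and is always failed. Rewrite the check as `const minVersion = sslPolicy.minProtocolVersion ? sslPolicy.minProtocolVersion.toLowerCase() : '';` and `if ((sslPolicy.policyType == 'Predefined' && recommendedSSLPolicies.includes(sslPolicy.policyName)) || (['Custom', 'CustomV2'].includes(sslPolicy.policyType) && ['tlsv1_2', 'tlsv1_3'].includes(minVersion))) {`. Failing a gateway that has no `sslPolicy` at all is the right conservative default, since the platform default policy is then in effect, but defaulting `sslPolicy` to `{}` instead of `''` makes the property reads that follow less surprising. Please also confirm that the three names in `recommendedSSLPolicies` are the complete set of predefined policies whose minimum is TLS 1.2 or higher.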
@@ -0,0 +1,101 @@ +var expect = require('chai').expect; +var agSslPolicy = require('./agSslPolicy'); + +const appGateway = [ + { "sku": { + "tier": "WAF_v2" + }, + "name": 'test-gateway', + "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Network/applicationGateways/test-gateway",', + "type": "Microsoft.Network/applicationGateways", + "location": "eastus", + "sslPolicy": { + "policyType": "Predefined", + "policyName": "AppGwSslPolicy20220101" + }, + }, + { + "sku": { + "tier": "WAF_v2" + }, + "name": 'test-gateway', + "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Network/applicationGateways/test",', + "type": "Microsoft.Network/applicationGateways", + "location": "eastus", + "sslPolicy": { + "policyType": "Predefined", + "policyName": "AppGwSslPolicy20150101" + }, + } +]; + +const createCache = (gt) => { + return { + applicationGateway: { + listAll: { + 'eastus': { + data: gt + } + } + } + }; +}; + +const createErrorCache = () => { + return { + applicationGateway: { + listAll: { + 'eastus': {} + } + } + }; +}; + +describe('agSslPolicy', function() { + describe('run', function() { + it('should give passing result if no Application Gateway found', function(done) { + const cache = createCache([]); + agSslPolicy.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Application Gateway found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if Application Gateway is using ssl policy which does not supports minimum TLS version', function(done) { + const cache = createCache([appGateway[1]]); + agSslPolicy.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('SSL policy which does not support TLSV1_2'); + 
expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if Unable to query for Application Gateway', function(done) { + const cache = createErrorCache(); + agSslPolicy.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Application Gateway:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if Application Gateway is using ssl policy which supports minimum TLS version', function(done) { + const cache = createCache([appGateway[0]]); + agSslPolicy.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('SSL policy which supports TLSV1_2'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); + From 188573ffe68cbbb91ef2f798bc8f7947f47e8093 Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Thu, 30 Nov 2023 15:53:54 +0500 Subject: [PATCH 105/498] added azure vm plugin secureBootEnabled --- exports.js | 3 +- helpers/azure/api.js | 2 +- .../virtualmachines/vmSecureBootEnabled.js | 49 +++++++++++ .../vmSecureBootEnabled.spec.js | 87 +++++++++++++++++++ 4 files changed, 139 insertions(+), 2 deletions(-) create mode 100644 plugins/azure/virtualmachines/vmSecureBootEnabled.js create mode 100644 plugins/azure/virtualmachines/vmSecureBootEnabled.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..6aec686b46 100644 --- a/exports.js +++ b/exports.js 
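Review bot: Both fixture ids end in a stray `",` (`.../test-gateway",'`), so the resource ids the assertions run against are not well-formed Azure resource ids; change them to `'/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Network/applicationGateways/test-gateway'`. The suite also never exercises the `Custom` branch of the plugin's condition or a gateway without `sslPolicy`; add a fixture with `"sslPolicy": { "policyType": "Custom", "minProtocolVersion": "TLSv1_2" }` expecting status 0 and one with no `sslPolicy` expecting status 2.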
@@ -745,7 +745,8 @@ module.exports = { 'vmScaleSetHasTags' : require(__dirname + '/plugins/azure/virtualmachines/vmScaleSetHasTags.js'), 'snapshotByokEncryptionEnabled' : require(__dirname + '/plugins/azure/virtualmachines/snapshotByokEncryptionEnabled.js'), 'systemAssignedIdentityEnabled' : require(__dirname + '/plugins/azure/virtualmachines/systemAssignedIdentityEnabled.js'), - 'vmWindowsAntiMalwareExtension' : require(__dirname + '/plugins/azure/virtualmachines/vmWindowsAntiMalwareExtension.js'), + 'vmWindowsAntiMalwareExtension': require(__dirname + '/plugins/azure/virtualmachines/vmWindowsAntiMalwareExtension.js'), + 'vmSecureBootEnabled':require(__dirname + '/plugins/azure/virtualmachines/vmSecureBootEnabled.js'), 'bastionHostExists' : require(__dirname + '/plugins/azure/bastion/bastionHostExists.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 0c44596e9d..7424534cd5 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -200,7 +200,7 @@ var calls = { }, virtualMachines: { listAll: { - url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compute/virtualMachines?api-version=2019-12-01', + url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compute/virtualMachines?api-version=2023-07-01', paginate: 'nextLink' } }, diff --git a/plugins/azure/virtualmachines/vmSecureBootEnabled.js b/plugins/azure/virtualmachines/vmSecureBootEnabled.js new file mode 100644 index 0000000000..3cd9fa10f3 --- /dev/null +++ b/plugins/azure/virtualmachines/vmSecureBootEnabled.js 
@@ -0,0 +1,49 @@
+var async = require('async');
+var helpers = require('../../../helpers/azure');
+
+module.exports = {
+ title: 'Select Secure Boot for Azure VMs',
+ category: 'Virtual Machines',
+ domain: 'Compute',
+ description: 'Ensure Secure Boot is enabled for Azure virtual machines (VM) to protect against boot kits, rootkits, and kernel-level malware.',
+ more_info: 'Secure Boot helps protect VMs by ensuring that only signed and trusted components are allowed to execute during the boot process.',
+ recommended_action: 'Enable Secure Boot for Azure virtual machines to enhance security and protect against advanced threats during the boot process.',
+ link: 'https://docs.microsoft.com/en-us/azure/virtual-machines/security-secure-boot',
+ apis: ['virtualMachines:listAll'],
+
+ run: function(cache, settings, callback) {
+ var results = [];
+ var source = {};
+ var locations = helpers.locations(settings.govcloud);
+
+ async.each(locations.virtualMachines, function(location, rcb) {
+ var virtualMachines = helpers.addSource(cache, source,
+ ['virtualMachines', 'listAll', location]);
+
+ if (!virtualMachines) return rcb();
+
+ if (virtualMachines.err || !virtualMachines.data) {
+ helpers.addResult(results, 3, 'Unable to query for virtual machines: ' + helpers.addError(virtualMachines), location);
+ return rcb();
+ }
+
+ if (!virtualMachines.data.length) {
+ helpers.addResult(results, 0, 'No existing Virtual Machines found', location);
+ return rcb();
+ }
+
+ virtualMachines.data.forEach(virtualMachine => {
+ if (virtualMachine.securityProfile && virtualMachine.securityProfile.uefiSettings.secureBootEnabled) {
+ helpers.addResult(results, 0, 'Secure Boot is selected for Azure Virtual Machine', location, virtualMachine.id);
+ } else {
+ helpers.addResult(results, 2, 'Secure Boot is not selected for Azure Virtual Machine', location, virtualMachine.id);
+
+ }
+ });
+
+ rcb();
+ }, function() {
+ callback(null, results, source);
+ });
+ }
+};
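Review bot: `virtualMachine.securityProfile.uefiSettings.secureBootEnabled` in the `forEach` throws a TypeError for a VM whose `securityProfile` has no `uefiSettings`, because the guard in front of it only checks `securityProfile`, and an exception thrown inside the `async.each` iterator aborts the region's scan rather than yielding a failing result. Guard the nested object too: `var uefi = virtualMachine.securityProfile && virtualMachine.securityProfile.uefiSettings;` then `if (uefi && uefi.secureBootEnabled) {`. The stray blank line inside the `else` block should also go; the sibling vTPM plugin in this series does not have it.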
diff --git a/plugins/azure/virtualmachines/vmSecureBootEnabled.spec.js b/plugins/azure/virtualmachines/vmSecureBootEnabled.spec.js new file mode 100644 index 0000000000..e6141a3bf5 --- /dev/null +++ b/plugins/azure/virtualmachines/vmSecureBootEnabled.spec.js 
@@ -0,0 +1,87 @@ +var expect = require('chai').expect; +var selectSecureBoot = require('./vmSecureBootEnabled'); + +const virtualMachines = [ + { + 'id': '/subscriptions/123/resourceGroups/AQUA-RESOURCE_GROUP/providers/Microsoft.Compute/virtualMachines/test-vm', + 'name': 'test-vm', + 'type': 'Microsoft.Compute/virtualMachines', + 'securityProfile': { + 'uefiSettings': { + 'secureBootEnabled': true + } + } + }, + { + 'id': '/subscriptions/123/resourceGroups/AQUA-RESOURCE_GROUP/providers/Microsoft.Compute/virtualMachines/test-vm-2', + 'name': 'test-vm-2', + 'type': 'Microsoft.Compute/virtualMachines', + 'securityProfile': { + 'uefiSettings': { + 'secureBootEnabled': false + } + } + } +]; + +const createCache = (virtualMachines) => { + let vm = {}; + if (virtualMachines) { + vm['data'] = virtualMachines; + } + return { + virtualMachines: { + listAll: { + 'eastus': vm + } + } + }; +}; + +describe('selectSecureBoot', function() { + describe('run', function() { + it('should give passing result if no virtual machines', function(done) { + const cache = createCache([]); + selectSecureBoot.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Virtual Machines found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for virtual machines', function(done) { + const cache = createCache(null); + selectSecureBoot.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for virtual machines'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if Secure Boot is selected', function(done) { + const cache = createCache([virtualMachines[0]]); + selectSecureBoot.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + 
expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Secure Boot is selected for Azure Virtual Machine'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if Secure Boot is not selected', function(done) { + const cache = createCache([virtualMachines[1]]); + selectSecureBoot.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Secure Boot is not selected for Azure Virtual Machine'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); From 2be20f1e3441781b0037e3c15d2026ebfc6d1663 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Thu, 30 Nov 2023 15:55:07 +0500 Subject: [PATCH 106/498] Apply suggestions from code review --- plugins/azure/applicationGateway/agSslPolicy.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/plugins/azure/applicationGateway/agSslPolicy.js b/plugins/azure/applicationGateway/agSslPolicy.js index 14dcdf2c1d..2a676565b7 100644 --- a/plugins/azure/applicationGateway/agSslPolicy.js +++ b/plugins/azure/applicationGateway/agSslPolicy.js 
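Review bot: The fixtures only model `uefiSettings` present with `secureBootEnabled` true or false, so the plugin's TypeError on a `securityProfile` without `uefiSettings` is never caught by this suite. Add a fixture like `'securityProfile': { 'encryptionAtHost': true }` expecting `status` 2 and another with no `securityProfile`, both asserting a failing result rather than a thrown error from `run`.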
@@ -5,9 +5,9 @@ module.exports = { title: 'Application Gateway SSL Policy', category: 'Application Gateway', domain: 'Network Access Control', - description: 'Ensures that Application Gateway is using minimum TLS version of TLSv1_2', + description: 'Ensures that Application Gateway is using minimum TLS version of TLSv1_2.', more_info: 'Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and encrypted.', - recommended_action: 'Modify Application Gateway with latest SSL policy which supports minimum TLS version', + recommended_action: 'Modify Application Gateway with latest SSL policy which supports minimum TLS version.', link: 'https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview', apis: ['applicationGateway:listAll'], @@ -16,6 +16,7 @@ module.exports = { const source = {}; const locations = helpers.locations(settings.govcloud); const recommendedSSLPolicies = ['AppGwSslPolicy20170401S', 'AppGwSslPolicy20220101' , 'AppGwSslPolicy20220101S']; + async.each(locations.applicationGateway, (location, rcb) => { var appGateways = helpers.addSource(cache, source, From 06ac0f86a70cf1c0d25af47a253fb0d07428c7d9 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Thu, 30 Nov 2023 15:56:17 +0500 Subject: [PATCH 107/498] Update plugins/azure/applicationGateway/agSslPolicy.js --- plugins/azure/applicationGateway/agSslPolicy.js | 1 - 1 file changed, 1 deletion(-) diff --git a/plugins/azure/applicationGateway/agSslPolicy.js b/plugins/azure/applicationGateway/agSslPolicy.js index 2a676565b7..c9e7d54dd9 100644 --- a/plugins/azure/applicationGateway/agSslPolicy.js +++ b/plugins/azure/applicationGateway/agSslPolicy.js 
@@ -41,7 +41,6 @@ module.exports = { if ((sslPolicy.policyType == 'Predefined' && sslPolicy.policyName && recommendedSSLPolicies.indexOf(sslPolicy.policyName) > -1) || (sslPolicy.policyType == 'Custom' && sslPolicy.minProtocolVersion && sslPolicy.minProtocolVersion.toLowerCase() == 'tlsv1_2')) { helpers.addResult(results, 0, 'Application Gateway is using SSL policy which supports TLSV1_2', location, appGateway.id); - } else { helpers.addResult(results, 2, 'Application Gateway is using SSL policy which does not support TLSV1_2', location, appGateway.id); } From 00ea418dfea0eeb8b6b23bec8fa1097d6a64bf81 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Thu, 30 Nov 2023 15:57:04 +0500 Subject: [PATCH 108/498] SAAS-20297/ag-ssl-policy --- plugins/azure/applicationGateway/agSslPolicy.js | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/plugins/azure/applicationGateway/agSslPolicy.js b/plugins/azure/applicationGateway/agSslPolicy.js index c9e7d54dd9..72da44eecc 100644 --- a/plugins/azure/applicationGateway/agSslPolicy.js +++ b/plugins/azure/applicationGateway/agSslPolicy.js @@ -18,7 +18,6 @@ module.exports = { const recommendedSSLPolicies = ['AppGwSslPolicy20170401S', 'AppGwSslPolicy20220101' , 'AppGwSslPolicy20220101S']; async.each(locations.applicationGateway, (location, rcb) => { - var appGateways = helpers.addSource(cache, source, ['applicationGateway', 'listAll', location]); 
@@ -40,7 +39,7 @@ module.exports = { const sslPolicy = appGateway.sslPolicy? appGateway.sslPolicy : ''; if ((sslPolicy.policyType == 'Predefined' && sslPolicy.policyName && recommendedSSLPolicies.indexOf(sslPolicy.policyName) > -1) || (sslPolicy.policyType == 'Custom' && sslPolicy.minProtocolVersion && sslPolicy.minProtocolVersion.toLowerCase() == 'tlsv1_2')) { - helpers.addResult(results, 0, 'Application Gateway is using SSL policy which supports TLSV1_2', location, appGateway.id); + helpers.addResult(results, 0, 'Application Gateway is using SSL policy which supports TLSV1_2', location, appGateway.id); } else { helpers.addResult(results, 2, 'Application Gateway is using SSL policy which does not support TLSV1_2', location, appGateway.id); } From 0144f465f491c1e17b20d1b57a15c14c94c1de91 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Thu, 30 Nov 2023 15:59:32 +0500 Subject: [PATCH 109/498] Update plugins/azure/applicationGateway/agSslPolicy.spec.js --- plugins/azure/applicationGateway/agSslPolicy.spec.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/applicationGateway/agSslPolicy.spec.js b/plugins/azure/applicationGateway/agSslPolicy.spec.js index 17a0192738..359f20a507 100644 --- a/plugins/azure/applicationGateway/agSslPolicy.spec.js +++ b/plugins/azure/applicationGateway/agSslPolicy.spec.js @@ -91,7 +91,7 @@ describe('agSslPolicy', function() { agSslPolicy.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('SSL policy which supports TLSV1_2'); + expect(results[0].message).to.include('SSL policy which supports TLSV1_2'); expect(results[0].region).to.equal('eastus'); done(); }); From cb7d0b7f953d623580fe3370f469951239aabade Mon Sep 17 00:00:00 2001 
From: Muzzammil Date: Thu, 30 Nov 2023 19:08:13 +0500 Subject: [PATCH 110/498] added azure vm plugin diskDeleteConfig --- exports.js | 3 +- helpers/azure/api.js | 2 +- .../virtualmachines/vmDiskDeleteConfig.js | 47 ++++++++++ .../vmDiskDeleteConfig.spec.js | 87 +++++++++++++++++++ 4 files changed, 137 insertions(+), 2 deletions(-) create mode 100644 plugins/azure/virtualmachines/vmDiskDeleteConfig.js create mode 100644 plugins/azure/virtualmachines/vmDiskDeleteConfig.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..e87951d775 100644 --- a/exports.js +++ b/exports.js @@ -745,7 +745,8 @@ module.exports = { 'vmScaleSetHasTags' : require(__dirname + '/plugins/azure/virtualmachines/vmScaleSetHasTags.js'), 'snapshotByokEncryptionEnabled' : require(__dirname + '/plugins/azure/virtualmachines/snapshotByokEncryptionEnabled.js'), 'systemAssignedIdentityEnabled' : require(__dirname + '/plugins/azure/virtualmachines/systemAssignedIdentityEnabled.js'), - 'vmWindowsAntiMalwareExtension' : require(__dirname + '/plugins/azure/virtualmachines/vmWindowsAntiMalwareExtension.js'), + 'vmWindowsAntiMalwareExtension': require(__dirname + '/plugins/azure/virtualmachines/vmWindowsAntiMalwareExtension.js'), + 'vmDiskDeleteConfig' : require(__dirname + '/plugins/azure/virtualmachines/vmDiskDeleteConfig.js'), 'bastionHostExists' : require(__dirname + '/plugins/azure/bastion/bastionHostExists.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 0c44596e9d..7424534cd5 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -200,7 +200,7 @@ var calls = { }, virtualMachines: { listAll: { - url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compute/virtualMachines?api-version=2019-12-01', + url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compute/virtualMachines?api-version=2023-07-01', paginate: 'nextLink' } }, 
diff --git a/plugins/azure/virtualmachines/vmDiskDeleteConfig.js b/plugins/azure/virtualmachines/vmDiskDeleteConfig.js new file mode 100644 index 0000000000..e2b042cd54 --- /dev/null +++ b/plugins/azure/virtualmachines/vmDiskDeleteConfig.js 
@@ -0,0 +1,47 @@
+var async = require('async');
+var helpers = require('../../../helpers/azure');
+
+module.exports = {
+ title: 'Automatically Delete Disks on VM Termination',
+ category: 'Virtual Machines',
+ domain: 'Compute',
+ description: 'Enable the option to automatically delete disks when the associated VM is terminated to ensure all confidential information is wiped.',
+ more_info: 'Disks persist independently from VMs. Enabling this option ensures that all disks associated with a VM are deleted automatically when the VM is terminated, enhancing security.',
+ recommended_action: 'Configure VMs to automatically delete disks when the VM is terminated to enhance security and prevent lingering confidential information.',
+ link: 'https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/disk-delete',
+ apis: ['virtualMachines:listAll'],
+
+ run: function(cache, settings, callback) {
+ var results = [];
+ var source = {};
+ var locations = helpers.locations(settings.govcloud);
+
+ async.each(locations.virtualMachines, function(location, rcb) {
+ var virtualMachines = helpers.addSource(cache, source,
+ ['virtualMachines', 'listAll', location]);
+
+ if (!virtualMachines) return rcb();
+
+ if (virtualMachines.err || !virtualMachines.data) {
+ helpers.addResult(results, 3, 'Unable to query for virtual machines: ' + helpers.addError(virtualMachines), location);
+ return rcb();
+ }
+
+ if (!virtualMachines.data.length) {
+ helpers.addResult(results, 0, 'No existing Virtual Machines found', location);
+ return rcb();
+ }
+
+ virtualMachines.data.forEach(virtualMachine => {
+ if (virtualMachine.storageProfile && virtualMachine.storageProfile.osDisk && virtualMachine.storageProfile.osDisk.deleteOption=='Delete') {
+ helpers.addResult(results, 0, 'Automatically delete disks with VM is configured', location, virtualMachine.id);
+ } else {
+ helpers.addResult(results, 2, 'Automatically delete disks with VM is not configured', location, virtualMachine.id);
+ }
+ });
+ rcb();
+ }, function() {
+ callback(null, results, source);
+ });
+ }
+};
diff --git a/plugins/azure/virtualmachines/vmDiskDeleteConfig.spec.js b/plugins/azure/virtualmachines/vmDiskDeleteConfig.spec.js
new file mode 100644
index 0000000000..150a3e1000
--- /dev/null
+++ b/plugins/azure/virtualmachines/vmDiskDeleteConfig.spec.js
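Review bot: The pass condition inside the `forEach` only inspects `storageProfile.osDisk.deleteOption`, so a VM whose OS disk is set to Delete but whose data disks are left at Detach is reported as compliant, even though `description` and `more_info` promise that all disks associated with the VM are removed — and data disks are where the application data this check is meant to protect usually lives. The comparison `deleteOption=='Delete'` is also loose and case-sensitive, unlike the `.toLowerCase() === 'enabled'` form used by the PostgreSQL CMK plugin later in this series, and there is no `if (!virtualMachine.id) return;` guard before a result is recorded against `virtualMachine.id`. Auto-deleting data disks also trades off against recoverability after an accidental VM deletion, so `more_info` should state that rather than framing it purely as a security gain, and the `link` path `.../extensions/disk-delete` does not look like an existing docs page and should be checked. The rewritten per-VM logic is below; the result strings are kept so the spec still matches.

```javascript
            virtualMachines.data.forEach(virtualMachine => {
                if (!virtualMachine.id) return;
                var profile = virtualMachine.storageProfile || {};
                // a disk counts only when deleteOption is explicitly Delete (case-insensitive)
                var deletesWithVm = disk => !!(disk && disk.deleteOption && disk.deleteOption.toLowerCase() === 'delete');
                var osDiskOk = deletesWithVm(profile.osDisk);
                var dataDisksOk = (profile.dataDisks || []).every(deletesWithVm);
                if (osDiskOk && dataDisksOk) {
                    helpers.addResult(results, 0, 'Automatically delete disks with VM is configured', location, virtualMachine.id);
                } else {
                    helpers.addResult(results, 2, 'Automatically delete disks with VM is not configured', location, virtualMachine.id);
                }
            });
            // … unchanged: rcb() and the final callback …
```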
@@ -0,0 +1,87 @@ +var expect = require('chai').expect; +var autoDeleteDisks = require('./vmDiskDeleteConfig'); + +const virtualMachines = [ + { + 'id': '/subscriptions/123/resourceGroups/AQUA-RESOURCE_GROUP/providers/Microsoft.Compute/virtualMachines/test-vm', + 'name': 'test-vm', + 'type': 'Microsoft.Compute/virtualMachines', + 'storageProfile': { + 'osDisk': { + 'deleteOption': 'Delete' + } + } + }, + { + 'id': '/subscriptions/123/resourceGroups/AQUA-RESOURCE_GROUP/providers/Microsoft.Compute/virtualMachines/test-vm-2', + 'name': 'test-vm-2', + 'type': 'Microsoft.Compute/virtualMachines', + 'storageProfile': { + 'osDisk': { + 'deleteOption': 'Detach' + } + } + } +]; + +const createCache = (virtualMachines) => { + let vm = {}; + if (virtualMachines) { + vm['data'] = virtualMachines; + } + return { + virtualMachines: { + listAll: { + 'eastus': vm + } + } + }; +}; + +describe('autoDeleteDisks', function() { + describe('run', function() { + it('should give passing result if no virtual machines', function(done) { + const cache = createCache([]); + autoDeleteDisks.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Virtual Machines found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for virtual machines', function(done) { + const cache = createCache(null); + autoDeleteDisks.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for virtual machines'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if auto-delete disks is configured', function(done) { + const cache = createCache([virtualMachines[0]]); + autoDeleteDisks.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + 
expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Automatically delete disks with VM is configured'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if auto-delete disks is not configured', function(done) { + const cache = createCache([virtualMachines[1]]); + autoDeleteDisks.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Automatically delete disks with VM is not configured'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); From 044a6df5a230f3b0e81222b00420647e924af99d Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Thu, 30 Nov 2023 20:11:40 +0500 Subject: [PATCH 111/498] Apply suggestions from code review --- plugins/azure/redisCache/redisCachePrivateEndpoint.spec.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/plugins/azure/redisCache/redisCachePrivateEndpoint.spec.js b/plugins/azure/redisCache/redisCachePrivateEndpoint.spec.js index 9d82e13c35..b424fbed54 100644 --- a/plugins/azure/redisCache/redisCachePrivateEndpoint.spec.js +++ b/plugins/azure/redisCache/redisCachePrivateEndpoint.spec.js @@ -48,6 +48,7 @@ describe('redisCachePrivateEndpoint', function() { plugin.run(cache, {}, callback); }); + it('should give unknown result if unable to query for redis caches', function(done) { const callback = (err, results) => { expect(results.length).to.equal(1); @@ -61,6 +62,7 @@ describe('redisCachePrivateEndpoint', function() { plugin.run(cache, {}, callback); }); + it('should give passing result if redis cache is only accessible through private endpoint', function(done) { const callback = (err, results) => { expect(results.length).to.equal(1); From 6ca376b8ecea90f164f4dac244d350158c9029db Mon Sep 17 00:00:00 2001 
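Review bot: The fixtures only vary `storageProfile.osDisk.deleteOption`, so the spec cannot tell whether the plugin is meant to take data disks into account, and the VM-without-`storageProfile` case, which the plugin currently reports as a fail, is not pinned either. Add a fixture such as `'storageProfile': { 'osDisk': { 'deleteOption': 'Delete' }, 'dataDisks': [{ 'deleteOption': 'Detach' }] }` with an explicit expected status, and one with no `storageProfile` at all, so the intended contract is recorded by the tests. The `describe` name `autoDeleteDisks` also differs from the plugin key `vmDiskDeleteConfig` registered in exports.js, which makes the test harder to locate; `describe('vmDiskDeleteConfig', …)` would match the sibling specs.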
From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Thu, 30 Nov 2023 20:23:03 +0500 Subject: [PATCH 112/498] Update plugins/azure/applicationGateway/agSslPolicy.spec.js --- plugins/azure/applicationGateway/agSslPolicy.spec.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/applicationGateway/agSslPolicy.spec.js b/plugins/azure/applicationGateway/agSslPolicy.spec.js index 359f20a507..d50a3b1fde 100644 --- a/plugins/azure/applicationGateway/agSslPolicy.spec.js +++ b/plugins/azure/applicationGateway/agSslPolicy.spec.js @@ -69,7 +69,7 @@ describe('agSslPolicy', function() { agSslPolicy.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('SSL policy which does not support TLSV1_2'); + expect(results[0].message).to.include('SSL policy which does not support TLSV1_2'); expect(results[0].region).to.equal('eastus'); done(); }); From f9ff23c7558df7932dcb592b03da92fecd2d9378 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Thu, 30 Nov 2023 20:44:36 +0500 Subject: [PATCH 113/498] Apply suggestions from code review --- plugins/azure/servicebus/namespaceEncryptionAtRest.js | 2 +- plugins/azure/servicebus/namespaceEncryptionAtRest.spec.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/servicebus/namespaceEncryptionAtRest.js b/plugins/azure/servicebus/namespaceEncryptionAtRest.js index 2a7278ba83..3fe976455e 100644 --- a/plugins/azure/servicebus/namespaceEncryptionAtRest.js +++ b/plugins/azure/servicebus/namespaceEncryptionAtRest.js @@ -29,7 +29,7 @@ module.exports = { } if (!namespaces.data.length) { - helpers.addResult(results, 0, 'No Service Bus namespaces found', location); + helpers.addResult(results, 0, 'No existing Service Bus namespaces found', location); return rcb(); } 
diff --git a/plugins/azure/servicebus/namespaceEncryptionAtRest.spec.js b/plugins/azure/servicebus/namespaceEncryptionAtRest.spec.js index 394f71b462..1c43c0922c 100644 --- a/plugins/azure/servicebus/namespaceEncryptionAtRest.spec.js +++ b/plugins/azure/servicebus/namespaceEncryptionAtRest.spec.js @@ -64,7 +64,7 @@ describe('namespaceEncryptionAtRest', function () { namespaceEncryptionAtRest.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('No Service Bus namespaces found'); + expect(results[0].message).to.include('No existing Service Bus namespaces found'); expect(results[0].region).to.equal('eastus'); done(); }); From 8d483984893049b0f4eba8bdc968f34a6fdc9cc2 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Thu, 30 Nov 2023 20:52:44 +0500 Subject: [PATCH 114/498] Apply suggestions from code review --- plugins/azure/servicebus/namespaceTlsVersion.js | 2 +- plugins/azure/servicebus/namespaceTlsVersion.spec.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/servicebus/namespaceTlsVersion.js b/plugins/azure/servicebus/namespaceTlsVersion.js index 32a4df1678..4a48e05b0c 100644 --- a/plugins/azure/servicebus/namespaceTlsVersion.js +++ b/plugins/azure/servicebus/namespaceTlsVersion.js @@ -29,7 +29,7 @@ module.exports = { } if (!namespaces.data.length) { - helpers.addResult(results, 0, 'No Service Bus namespaces found', location); + helpers.addResult(results, 0, 'No existing Service Bus namespaces found', location); return rcb(); } diff --git a/plugins/azure/servicebus/namespaceTlsVersion.spec.js b/plugins/azure/servicebus/namespaceTlsVersion.spec.js index 43ca872ba7..28042a559a 100644 --- a/plugins/azure/servicebus/namespaceTlsVersion.spec.js +++ b/plugins/azure/servicebus/namespaceTlsVersion.spec.js 
@@ -49,7 +49,7 @@ describe('namespaceTlsVersion', function () { namespaceTlsVersion.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('No Service Bus namespaces found'); + expect(results[0].message).to.include('No existing Service Bus namespaces found'); expect(results[0].region).to.equal('eastus'); done(); }); From afd24c56b745b0ba10575e78e88cb4fcf54ebb63 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Thu, 30 Nov 2023 20:54:44 +0500 Subject: [PATCH 115/498] Update exports.js --- exports.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exports.js b/exports.js index 357c1eb640..1cb1d9a952 100644 --- a/exports.js +++ b/exports.js @@ -991,7 +991,7 @@ module.exports = { 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), - 'namespaceTlsVersion' : require(__dirname + '/plugins/azure/servicebus/namespaceTlsVersion.js'), + 'namespaceTlsVersion' : require(__dirname + '/plugins/azure/servicebus/namespaceTlsVersion.js'), }, github: { From adc4ca7d175483970d5262e51e882a8563a69ea3 Mon Sep 17 00:00:00 2001 From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> Date: Fri, 1 Dec 2023 03:06:31 +0500 Subject: [PATCH 116/498] Update plugins/azure/frontdoor/frontDoorHttpsOnly.js --- plugins/azure/frontdoor/frontDoorHttpsOnly.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/frontdoor/frontDoorHttpsOnly.js b/plugins/azure/frontdoor/frontDoorHttpsOnly.js index e18d4b9743..e573dc4b9c 100644 --- a/plugins/azure/frontdoor/frontDoorHttpsOnly.js +++ b/plugins/azure/frontdoor/frontDoorHttpsOnly.js 
@@ -33,7 +33,7 @@ module.exports = { return rcb(); } - classicFrontDoors.data.forEach(function(frontDoor) { + classicFrontDoors.data.forEach(frontDoor => { if (!frontDoor.id || !frontDoor.routingRules) return; var ruleFound = false; From d4e2e047aea52dba6dc949862f40457e3183d603 Mon Sep 17 00:00:00 2001 From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> Date: Fri, 1 Dec 2023 03:06:37 +0500 Subject: [PATCH 117/498] Update plugins/azure/frontdoor/frontDoorHttpsOnly.js --- plugins/azure/frontdoor/frontDoorHttpsOnly.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/frontdoor/frontDoorHttpsOnly.js b/plugins/azure/frontdoor/frontDoorHttpsOnly.js index e573dc4b9c..8a1739a387 100644 --- a/plugins/azure/frontdoor/frontDoorHttpsOnly.js +++ b/plugins/azure/frontdoor/frontDoorHttpsOnly.js @@ -7,7 +7,7 @@ module.exports = { domain: 'Content Delivery', description: 'Ensures HTTPS Only is enabled for Front Door classic profile, redirecting all HTTP traffic to HTTPS.', more_info: 'By using the HTTPS only protocol, you ensure that your sensitive data is delivered securely via TLS/SSL encryption.', - recommended_action: 'Modify the Front Door classic profile and add HTTP to HTTPS redirect rule under the frontend hosts section.', + recommended_action: 'Modify the Front Door classic profile and add HTTP to HTTPS redirect rule under the frontend hosts section.', link: 'https://learn.microsoft.com/en-us/azure/frontdoor/front-door-how-to-redirect-https', apis: ['classicFrontDoors:list'], From 700f313419dcfb911308d6d936d01e11bca3392e Mon Sep 17 00:00:00 2001 From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> Date: Fri, 1 Dec 2023 03:12:49 +0500 Subject: [PATCH 118/498] Update plugins/azure/frontdoor/frontDoorRequestBodyInspection.js --- plugins/azure/frontdoor/frontDoorRequestBodyInspection.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js index bf1f5ba1b7..bd733bce74 100644 --- a/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js +++ b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js @@ -6,7 +6,7 @@ module.exports = { category: 'Front Door', domain: 'Content Delivery', description: 'Ensures that request body inspection is enabled for Azure Front Door WAF policy.', - more_info: 'Web Application Firewalls associated to Azure Front Doors that have request body inspection enabled, allows to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI.', + more_info: 'Web Application Firewalls associated to Azure Front Doors that have request body inspection enabled allow to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI.', recommended_action: 'Modify Front Door WAF policy and enable request body inspection in policy settings.', link: 'https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection', apis: ['afdWafPolicies:listAll'], From 1ad0ab8f2858ce2d3cf13a93e205f1221d8e1e42 Mon Sep 17 00:00:00 2001 From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> Date: Fri, 1 Dec 2023 03:32:03 +0500 Subject: [PATCH 119/498] Update plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js --- .../azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js b/plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js index acd140fd9f..a9fc448e6f 100644 --- a/plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js +++ b/plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js 
@@ -14,7 +14,7 @@ const listPostgres = [ 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.DBforPostgreSQL/servers/server1', 'name': 'server1', 'type': 'Microsoft.DBforPostgreSQL/servers', - 'administratorLogin': 'Aquaadmin', + 'administratorLogin': 'test', 'storageProfile': { 'storageMB': 5120, 'backupRetentionDays': 7, From b71f99ba53d487362fb5b92d88f66d11957638e2 Mon Sep 17 00:00:00 2001 From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> Date: Fri, 1 Dec 2023 03:32:56 +0500 Subject: [PATCH 120/498] Update plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js --- .../azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js b/plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js index a9fc448e6f..5eb3b7c0ae 100644 --- a/plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js +++ b/plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js @@ -46,7 +46,7 @@ const listPostgres = [ 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.DBforPostgreSQL/servers/server1', 'name': 'server1', 'type': 'Microsoft.DBforPostgreSQL/servers', - 'administratorLogin': 'Aquaadmin', + 'administratorLogin': 'test', 'storageProfile': { 'storageMB': 5120, 'backupRetentionDays': 7, From 76ad6d4eec60a3f1bd2aafe056cc0fc048fd7044 Mon Sep 17 00:00:00 2001 From: fatima99s Date: Fri, 1 Dec 2023 12:45:53 +0500 Subject: [PATCH 121/498] fixed --- .../postgresqlserver/postgresqlTlsVersion.js | 22 ++++--------------- .../postgresqlTlsVersion.spec.js | 4 ++-- 2 files changed, 6 insertions(+), 20 deletions(-) diff --git a/plugins/azure/postgresqlserver/postgresqlTlsVersion.js b/plugins/azure/postgresqlserver/postgresqlTlsVersion.js index c2d0917274..cf591c7dda 100644 --- a/plugins/azure/postgresqlserver/postgresqlTlsVersion.js 
+++ b/plugins/azure/postgresqlserver/postgresqlTlsVersion.js @@ -7,29 +7,15 @@ module.exports = { domain: 'Databases', description: 'Ensures Microsoft Azure PostgreSQL Servers do not allow outdated TLS certificate versions.', more_info: 'TLS 1.2 or higher should be used for all TLS connections to Microsoft Azure PostgreSQL server. This setting applies to all databases associated with the server.', - recommended_action: 'Modify PostgreSQL server to set desired minimum TLS version.', + recommended_action: 'Modify PostgreSQL server to use TLS version 1.2 or higher.', link: 'https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-tls-configurations', apis: ['servers:listPostgres'], - settings: { - postgresql_server_min_tls_version: { - name: 'PostgreSQL Server Minimum TLS Version', - description: 'Minimum desired TLS version for Microsoft Azure PostgreSQL servers', - regex: '^(1.0|1.1|1.2)$', - default: '1.2' - } - }, run: function(cache, settings, callback) { var results = []; var source = {}; var locations = helpers.locations(settings.govcloud); - var config = { - postgresql_server_min_tls_version: settings.postgresql_server_min_tls_version || this.settings.postgresql_server_min_tls_version.default - }; - - var desiredVersion = parseFloat(config.postgresql_server_min_tls_version); - async.each(locations.servers, function(location, rcb) { var servers = helpers.addSource(cache, source, ['servers', 'listPostgres', location]); 
@@ -57,13 +43,13 @@ module.exports = { location, server.id); } else { var numericTlsVersion = parseFloat(server.minimalTlsVersion.replace('TLS', '').replace('_', '.')); - if (numericTlsVersion >= desiredVersion) { + if (numericTlsVersion >= 1.2) { helpers.addResult(results, 0, - `PostgreSQL server is using TLS version ${server.minimalTlsVersion} which is equal to or higher than desired TLS version ${config.postgresql_server_min_tls_version}`, + `PostgreSQL server is using TLS version ${server.minimalTlsVersion} which is equal to or higher than 1.2`, location, server.id); } else { helpers.addResult(results, 2, - `PostgreSQL server is using TLS version ${server.minimalTlsVersion} which is less than desired TLS version ${config.postgresql_server_min_tls_version}`, + `PostgreSQL server is using TLS version ${server.minimalTlsVersion} which is less than 1.2`, location, server.id); } diff --git a/plugins/azure/postgresqlserver/postgresqlTlsVersion.spec.js b/plugins/azure/postgresqlserver/postgresqlTlsVersion.spec.js index 27db3616e4..4c4f639e8b 100644 --- a/plugins/azure/postgresqlserver/postgresqlTlsVersion.spec.js +++ b/plugins/azure/postgresqlserver/postgresqlTlsVersion.spec.js @@ -130,7 +130,7 @@ describe('postgresqlTlsVersion', function() { postgresqlTlsVersion.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('less than desired TLS version'); + expect(results[0].message).to.include('which is less than 1.2'); expect(results[0].region).to.equal('eastus'); done(); }); 
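Review bot: Removing the `postgresql_server_min_tls_version` setting deletes a public knob, so any deployment that still passes that key will now have it silently ignored rather than honoured or rejected, since the plugin no longer declares it in `settings`. Hardening the floor to 1.2 is the right direction (the old regex accepted 1.0 and 1.1 as an acceptable minimum), but it is a breaking change and deserves a sentence in the commit message or changelog; presumably the settings loader elsewhere in the repo tolerates unknown keys, which is worth confirming. `run`'s body continues outside the hunk.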
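Review bot: `parseFloat(server.minimalTlsVersion.replace('TLS', '').replace('_', '.'))` yields NaN for any value not of the form `TLS1_x` (for example a value such as `TLSEnforcementDisabled`, if the API can return it), and `NaN >= 1.2` is false, so the server is correctly failed but with the misleading message "is using TLS version TLSEnforcementDisabled which is less than 1.2". Whether the preceding `if` branch, which starts outside the hunk, already screens that case is not visible here; if it does not, add `if (Number.isNaN(numericTlsVersion)) { helpers.addResult(results, 2, 'PostgreSQL server is not enforcing a minimum TLS version', location, server.id); }` before the numeric comparison. Replacing the configurable floor with the literal `1.2` in both the comparison and the messages is fine, but a single named constant would keep the code and the message text from drifting apart.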
@@ -141,7 +141,7 @@ describe('postgresqlTlsVersion', function() { postgresqlTlsVersion.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('equal to or higher than desired TLS version'); + expect(results[0].message).to.include('which is equal to or higher than 1.2'); expect(results[0].region).to.equal('eastus'); done(); }); From e39df97625f01e3d960c2c6dddae25da68f20cdb Mon Sep 17 00:00:00 2001 From: fatima99s Date: Fri, 1 Dec 2023 12:50:20 +0500 Subject: [PATCH 122/498] fixed --- exports.js | 2 +- ...ionAtRestWithCMK.js => postgresqlCMKEncrypted.js} | 2 +- ...ithCMK.spec.js => postgresqlCMKEncrypted.spec.js} | 12 ++++++------ 3 files changed, 8 insertions(+), 8 deletions(-) rename plugins/azure/postgresqlserver/{postgresqlEncryptionAtRestWithCMK.js => postgresqlCMKEncrypted.js} (98%) rename plugins/azure/postgresqlserver/{postgresqlEncryptionAtRestWithCMK.spec.js => postgresqlCMKEncrypted.spec.js} (90%) diff --git a/exports.js b/exports.js index f705bbd11c..4aebbe9c44 100644 --- a/exports.js +++ b/exports.js 
@@ -806,7 +806,7 @@ module.exports = { 'logRetentionDays' : require(__dirname + '/plugins/azure/postgresqlserver/logRetentionDays.js'), 'connectionThrottlingEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/connectionThrottlingEnabled.js'), 'logDurationEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/logDurationEnabled.js'), - 'postgresqlCMKEncrypted' : require(__dirname + '/plugins/azure/postgresqlserver/postgresqlEncryptionAtRestWithCMK.js'), + 'postgresqlCMKEncrypted' : require(__dirname + '/plugins/azure/postgresqlserver/postgresqlCMKEncrypted.js'), 'logDisconnectionsEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/logDisconnectionsEnabled.js'), 'logConnectionsEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/logConnectionsEnabled.js'), 'logCheckpointsEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/logCheckpointsEnabled.js'), diff --git a/plugins/azure/postgresqlserver/postgresqlEncryptionAtRestWithCMK.js b/plugins/azure/postgresqlserver/postgresqlCMKEncrypted.js similarity index 98% rename from plugins/azure/postgresqlserver/postgresqlEncryptionAtRestWithCMK.js rename to plugins/azure/postgresqlserver/postgresqlCMKEncrypted.js index 3475add9b0..e0a2843ca2 100644 --- a/plugins/azure/postgresqlserver/postgresqlEncryptionAtRestWithCMK.js +++ b/plugins/azure/postgresqlserver/postgresqlCMKEncrypted.js @@ -35,7 +35,7 @@ module.exports = { for (let server of servers.data) { if (!server.id) continue; - if (server.byokEnforcement && server.byokEnforcement == 'Enabled') { + if (server.byokEnforcement && server.byokEnforcement.toLowerCase() === 'enabled') { helpers.addResult(results, 0, 'PostgreSQL server is encrypted using CMK', location, server.id); } else { helpers.addResult(results, 2, 'PostgreSQL server is not encrypted using CMK', location, server.id); 
diff --git a/plugins/azure/postgresqlserver/postgresqlEncryptionAtRestWithCMK.spec.js b/plugins/azure/postgresqlserver/postgresqlCMKEncrypted.spec.js similarity index 90% rename from plugins/azure/postgresqlserver/postgresqlEncryptionAtRestWithCMK.spec.js rename to plugins/azure/postgresqlserver/postgresqlCMKEncrypted.spec.js index bab800d5e7..43341f6d6f 100644 --- a/plugins/azure/postgresqlserver/postgresqlEncryptionAtRestWithCMK.spec.js +++ b/plugins/azure/postgresqlserver/postgresqlCMKEncrypted.spec.js @@ -1,5 +1,5 @@ var expect = require('chai').expect; -var postgresqlEncryptionAtRestWithCMK = require('./postgresqlEncryptionAtRestWithCMK'); +var postgresqlCMKEncrypted = require('./postgresqlCMKEncrypted'); const listPostgres = [ { @@ -80,11 +80,11 @@ const createCache = (listPostgres) => { }; }; -describe('postgresqlEncryptionAtRestWithCMK', function() { +describe('postgresqlCMKEncrypted', function() { describe('run', function() { it('should give passing result if no servers', function(done) { const cache = createCache({}); - postgresqlEncryptionAtRestWithCMK.run(cache, {}, (err, results) => { + postgresqlCMKEncrypted.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); expect(results[0].message).to.include('No existing PostgreSQL Servers found'); @@ -95,7 +95,7 @@ describe('postgresqlEncryptionAtRestWithCMK', function() { it('should give failing result if PostgreSQL Server is not encrypted using CMK', function(done) { const cache = createCache([listPostgres[0]]); - postgresqlEncryptionAtRestWithCMK.run(cache, {}, (err, results) => { + postgresqlCMKEncrypted.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); expect(results[0].message).to.include('PostgreSQL server is not encrypted using CMK'); 
@@ -106,7 +106,7 @@ describe('postgresqlEncryptionAtRestWithCMK', function() { it('should give passing result if PostgreSQL Server is encrypted using CMK', function(done) { const cache = createCache([listPostgres[1]]); - postgresqlEncryptionAtRestWithCMK.run(cache, {}, (err, results) => { + postgresqlCMKEncrypted.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); expect(results[0].message).to.include('PostgreSQL server is encrypted using CMK'); @@ -116,7 +116,7 @@ describe('postgresqlEncryptionAtRestWithCMK', function() { }); it('should give UnKnown result if unable to query postgreSQL Server', function(done) { const cache = createCache(null); - postgresqlEncryptionAtRestWithCMK.run(cache, {}, (err, results) => { + postgresqlCMKEncrypted.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); expect(results[0].message).to.include('Unable to query for PostgreSQL Servers:'); From 3217427c2ebe2d0eb1ef1efe232fd76274e76d0e Mon Sep 17 00:00:00 2001 From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> Date: Fri, 1 Dec 2023 14:12:05 +0500 Subject: [PATCH 123/498] Update plugins/azure/postgresqlserver/postgresqlCMKEncrypted.js --- plugins/azure/postgresqlserver/postgresqlCMKEncrypted.js | 1 + 1 file changed, 1 insertion(+) diff --git a/plugins/azure/postgresqlserver/postgresqlCMKEncrypted.js b/plugins/azure/postgresqlserver/postgresqlCMKEncrypted.js index e0a2843ca2..127cf63008 100644 --- a/plugins/azure/postgresqlserver/postgresqlCMKEncrypted.js +++ b/plugins/azure/postgresqlserver/postgresqlCMKEncrypted.js @@ -35,6 +35,7 @@ module.exports = { for (let server of servers.data) { if (!server.id) continue; + if (server.byokEnforcement && server.byokEnforcement.toLowerCase() === 'enabled') { helpers.addResult(results, 0, 'PostgreSQL server is encrypted using CMK', location, server.id); } else { 
From 5af11d4137091abff9274bbf3d4a7435944ad1cd Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Fri, 1 Dec 2023 14:16:37 +0500 Subject: [PATCH 124/498] lint issue --- plugins/azure/mediaServices/amsContentKeyPolicy.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/mediaServices/amsContentKeyPolicy.js b/plugins/azure/mediaServices/amsContentKeyPolicy.js index 0d84ce6aae..c56d698054 100644 --- a/plugins/azure/mediaServices/amsContentKeyPolicy.js +++ b/plugins/azure/mediaServices/amsContentKeyPolicy.js @@ -44,7 +44,7 @@ module.exports = { continue; } if (listContentKeyPolicies.data.length > 0) { - helpers.addResult(results, 0, 'Azure Media Service has content key policy configured', location, mediaService.id); + helpers.addResult(results, 0, 'Azure Media Service has content key policy configured', location, mediaService.id); } else { helpers.addResult(results, 2, 'Azure Media Service does not have content key policy configured', location, mediaService.id); } From 4fdff9d6d29189b1db1c942e021a8a77955090b5 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Fri, 1 Dec 2023 14:19:16 +0500 Subject: [PATCH 125/498] lint issues --- plugins/azure/mediaServices/amsClassicApiDisabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/mediaServices/amsClassicApiDisabled.js b/plugins/azure/mediaServices/amsClassicApiDisabled.js index 3966348a3a..5a9b6baddb 100644 --- a/plugins/azure/mediaServices/amsClassicApiDisabled.js +++ b/plugins/azure/mediaServices/amsClassicApiDisabled.js @@ -45,7 +45,7 @@ module.exports = { } if (getMediaService.data.identity) { - helpers.addResult(results, 0, 'Classic API is disabled for the Media Service account', location, mediaService.id); + helpers.addResult(results, 0, 'Classic API is disabled for the Media Service account', location, mediaService.id); } else { helpers.addResult(results, 2, 'Classic API is enabled for the Media Service account', location, mediaService.id); } 
From c1b88fc7537c53a7d5f91678db3993d3cf6588ea Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Fri, 1 Dec 2023 14:25:39 +0500 Subject: [PATCH 126/498] requested-changes --- .../azure/frontdoor/botProtectionEnabled.js | 2 +- .../frontdoor/botProtectionEnabled.spec.js | 25 +++++++++++++++++-- 2 files changed, 24 insertions(+), 3 deletions(-) diff --git a/plugins/azure/frontdoor/botProtectionEnabled.js b/plugins/azure/frontdoor/botProtectionEnabled.js index e567a46f4d..181f1be254 100644 --- a/plugins/azure/frontdoor/botProtectionEnabled.js +++ b/plugins/azure/frontdoor/botProtectionEnabled.js @@ -37,7 +37,7 @@ module.exports = { var found = policy.managedRules && policy.managedRules.managedRuleSets ? - policy.managedRules.managedRuleSets.find(ruleset => ruleset.ruleSetType.toLowerCase() == 'microsoft_botmanagerruleset') : false; + policy.managedRules.managedRuleSets.find(ruleset => ruleset.ruleSetType && ruleset.ruleSetType.toLowerCase() == 'microsoft_botmanagerruleset') : false; if (found) { helpers.addResult(results, 0, 'Front Door WAF policy has bot protection enabled', location, policy.id); diff --git a/plugins/azure/frontdoor/botProtectionEnabled.spec.js b/plugins/azure/frontdoor/botProtectionEnabled.spec.js index 4a7934300c..6b5048d234 100644 --- a/plugins/azure/frontdoor/botProtectionEnabled.spec.js +++ b/plugins/azure/frontdoor/botProtectionEnabled.spec.js @@ -80,7 +80,8 @@ const createCache = (afdWafPolicies) => { }; }; -const createErrorCache = () => { +const createErrorCache = (key) => { + if (key == 'noAfd') { return { afdWafPolicies: { listAll: { @@ -90,6 +91,15 @@ const createErrorCache = () => { } } }; + } else { + return { + afdWafPolicies: { + listAll: { + 'global': {} + } + } + }; + } }; describe('botProtectionEnabled', function () { describe('run', function () { 
@@ -117,7 +127,7 @@ describe('botProtectionEnabled', function () { }); it('should give pass result if no existing front door waf policy found', function (done) { - const cache = createErrorCache(); + const cache = createErrorCache('noAfd'); botProtectionEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); @@ -127,5 +137,16 @@ describe('botProtectionEnabled', function () { }); }); + it('should give unknown result if Unable to query for Front Door WAF policies:', function (done) { + const cache = createErrorCache(); + botProtectionEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Front Door WAF policies:'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); + }); }); \ No newline at end of file From 3f410452d6399fcde0c2fe5ed39c39d7ca35e2f9 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Fri, 1 Dec 2023 14:48:54 +0500 Subject: [PATCH 127/498] Fixed-requested-changes --- helpers/azure/api.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helpers/azure/api.js b/helpers/azure/api.js index fe962aabf7..b9bfff1bdb 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -913,7 +913,7 @@ var postcalls = { }, afdSecurityPolicies: { listByProfile: { - reliesOnPath: 'profiles.listPostgres', + reliesOnPath: 'profiles.list', properties: ['id'], url: 'https://management.azure.com/subscriptions/{id}/securityPolicies?api-version=2023-05-01' From bc8f6e2a3e657b8a8cc72067dcd4e71c8a995cee Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Fri, 1 Dec 2023 15:04:51 +0500 Subject: [PATCH 128/498] Fixed-requested-changes --- plugins/azure/frontdoor/frontDoorWafDefaultRateLimit.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
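Review bot: The corrected `reliesOnPath: 'profiles.list'` fixes the dependency, but the `url` on the following context line, `https://management.azure.com/subscriptions/{id}/securityPolicies?api-version=2023-05-01`, prefixes `subscriptions/` to the `{id}` placeholder that `properties: ['id']` fills from each profile. Every other postcalls/tertiarycalls entry on this page (for example `.../{id}/firewallRules?api-version=2022-12-01`) treats `id` as the full ARM resource id, so if that holds here the request path becomes `subscriptions//subscriptions/...` and the dependent check can only ever report unknown. The expected form would be `url: 'https://management.azure.com/{id}/securityPolicies?api-version=2023-05-01'`; worth confirming against the profile fixture used by the plugin's spec.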
diff --git a/plugins/azure/frontdoor/frontDoorWafDefaultRateLimit.js b/plugins/azure/frontdoor/frontDoorWafDefaultRateLimit.js index 7dd3e6c1e1..8d1da824c4 100644 --- a/plugins/azure/frontdoor/frontDoorWafDefaultRateLimit.js +++ b/plugins/azure/frontdoor/frontDoorWafDefaultRateLimit.js @@ -35,7 +35,7 @@ module.exports = { for (let policy of afdWafPolicies.data) { if (!policy.id) continue; var found = policy.customRules && policy.customRules.rules? - policy.customRules.rules.find(rule => rule.ruleType.toLowerCase() == 'ratelimitrule' && rule.action.toLowerCase() == 'block') : 'false'; + policy.customRules.rules.find(rule => rule.ruleType && rule.ruleType.toLowerCase() == 'ratelimitrule' && rule.action && rule.action.toLowerCase() == 'block') : false; if (found) { helpers.addResult(results, 0, 'Front Door WAF policy has rate limit custom rule configured', location, policy.id); From f2882b0bd5406d19fb3fd67d1f14e2caa715d8a9 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Fri, 1 Dec 2023 15:08:59 +0500 Subject: [PATCH 129/498] Update plugins/azure/frontdoor/frontDoorAzureManagedDomain.js --- plugins/azure/frontdoor/frontDoorAzureManagedDomain.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/frontdoor/frontDoorAzureManagedDomain.js b/plugins/azure/frontdoor/frontDoorAzureManagedDomain.js index e5b8769539..100fddec7a 100644 --- a/plugins/azure/frontdoor/frontDoorAzureManagedDomain.js +++ b/plugins/azure/frontdoor/frontDoorAzureManagedDomain.js 
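Review bot: The rewritten `find` predicate treats any rate-limit rule whose action is `block` as satisfying the control, but Front Door WAF custom rules carry an `enabledState`, and a rule left in the `Disabled` state still matches and turns the result into a pass. Add the state to the predicate: `rule.ruleType && rule.ruleType.toLowerCase() == 'ratelimitrule' && rule.action && rule.action.toLowerCase() == 'block' && (!rule.enabledState || rule.enabledState.toLowerCase() == 'enabled')`, dropping the `!rule.enabledState` escape if the field is always present in the fixtures. Replacing the truthy string `'false'` with the boolean `false` in the fallback is the right fix; with the string, a policy with no custom rules at all was passing. The loop body that encloses this starts and ends outside the hunk.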
@@ -6,7 +6,7 @@ module.exports = { category: 'Front Door', domain: 'Content Delivery', description: 'Ensures that Front Door standard and premium profile custom domains are configured to use Azure Managed DNS', - more_info: 'Azure Managed DNS is a hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure.', + more_info: 'DNS domains in Azure DNS are hosted on the Azure global network of DNS name servers. This system uses Anycast networking so that each DNS query is answered by the closest available DNS server. Azure DNS provides fast performance and high availability for your domain.', recommended_action: 'Ensure that Non-Azure validated domains for Front Door profiles are using Azure Managed DNS.', link: 'https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain?tabs=powershell#azure-front-door-managed-certificates-for-non-azure-pre-validated-domains', apis: ['profiles:list', 'customDomain:listByFrontDoorProfiles'], From ceb6f706af42d13393e7bf144a57428f6a30ac05 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Fri, 1 Dec 2023 15:21:23 +0500 Subject: [PATCH 130/498] Simplified-Logic --- plugins/azure/frontdoor/frontDoorAzureManagedDomain.js | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/plugins/azure/frontdoor/frontDoorAzureManagedDomain.js b/plugins/azure/frontdoor/frontDoorAzureManagedDomain.js index 100fddec7a..96c62c2064 100644 --- a/plugins/azure/frontdoor/frontDoorAzureManagedDomain.js +++ b/plugins/azure/frontdoor/frontDoorAzureManagedDomain.js @@ -16,6 +16,7 @@ module.exports = { const source = {}; const locations = helpers.locations(settings.govcloud); async.each(locations.profiles, (location, rcb) => { + const profiles = helpers.addSource(cache, source, ['profiles', 'list', location]); 
@@ -37,7 +38,7 @@ module.exports = { if (!profile.id || profile.kind != 'frontdoor') return; frontDoorProfile = true; - var failingDomains = {}; + var failingDomains = []; const customDomains = helpers.addSource(cache, source, ['customDomain', 'listByFrontDoorProfiles', location, profile.id]); if (!customDomains || customDomains.err || !customDomains.data) { @@ -46,11 +47,8 @@ module.exports = { } else if (!customDomains.data.length) { helpers.addResult(results, 0, 'No existing Front Door custom domains found', location, profile.id); } else { - failingDomains = customDomains.data.filter(customDomain => { - return (!customDomain.azureDnsZone); - }).map(function(customDomain) { - return customDomain.name; - }); + failingDomains = customDomains.data.filter(customDomain => !customDomain.azureDnsZone) + .map(customDomain => customDomain.name); if (failingDomains.length){ helpers.addResult(results, 2, From 5102b95769729b34c1c86d53496d199a61a32493 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Fri, 1 Dec 2023 15:21:43 +0500 Subject: [PATCH 131/498] Update plugins/azure/frontdoor/frontDoorAzureManagedDomain.js Co-authored-by: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> --- plugins/azure/frontdoor/frontDoorAzureManagedDomain.js | 1 + 1 file changed, 1 insertion(+) diff --git a/plugins/azure/frontdoor/frontDoorAzureManagedDomain.js b/plugins/azure/frontdoor/frontDoorAzureManagedDomain.js index 96c62c2064..cad8e9cf99 100644 --- a/plugins/azure/frontdoor/frontDoorAzureManagedDomain.js +++ b/plugins/azure/frontdoor/frontDoorAzureManagedDomain.js 
@@ -41,6 +41,7 @@ module.exports = { var failingDomains = []; const customDomains = helpers.addSource(cache, source, ['customDomain', 'listByFrontDoorProfiles', location, profile.id]); + if (!customDomains || customDomains.err || !customDomains.data) { helpers.addResult(results, 3, 'Unable to query Front Door custom domains: ' + helpers.addError(customDomains), location, profile.id); From 37237af1eb83da53ebacdc9932eb7237211eda64 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Fri, 1 Dec 2023 15:24:03 +0500 Subject: [PATCH 132/498] Linting --- plugins/azure/frontdoor/frontDoorAzureManagedDomain.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/frontdoor/frontDoorAzureManagedDomain.js b/plugins/azure/frontdoor/frontDoorAzureManagedDomain.js index cad8e9cf99..740c242892 100644 --- a/plugins/azure/frontdoor/frontDoorAzureManagedDomain.js +++ b/plugins/azure/frontdoor/frontDoorAzureManagedDomain.js @@ -49,7 +49,7 @@ module.exports = { helpers.addResult(results, 0, 'No existing Front Door custom domains found', location, profile.id); } else { failingDomains = customDomains.data.filter(customDomain => !customDomain.azureDnsZone) - .map(customDomain => customDomain.name); + .map(customDomain => customDomain.name); if (failingDomains.length){ helpers.addResult(results, 2, From 062040f89bed6d26adee032200502f3d41ace8cd Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Fri, 1 Dec 2023 15:47:49 +0500 Subject: [PATCH 133/498] added-spec-for-custom-policy --- .../applicationGateway/agSslPolicy.spec.js | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/plugins/azure/applicationGateway/agSslPolicy.spec.js b/plugins/azure/applicationGateway/agSslPolicy.spec.js index d50a3b1fde..61573f310b 100644 --- a/plugins/azure/applicationGateway/agSslPolicy.spec.js +++ b/plugins/azure/applicationGateway/agSslPolicy.spec.js 
@@ -26,6 +26,18 @@ const appGateway = [ "policyType": "Predefined", "policyName": "AppGwSslPolicy20150101" }, + }, + { "sku": { + "tier": "WAF_v2" + }, + "name": 'test-gateway', + "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Network/applicationGateways/test-gateway",', + "type": "Microsoft.Network/applicationGateways", + "location": "eastus", + "sslPolicy": { + "policyType": "Custom", + "minProtocolVersion": "TLSV1_2" + }, } ]; @@ -96,6 +108,17 @@ describe('agSslPolicy', function() { done(); }); }); + + it('should give passing result if Application Gateway is using custom ssl policy which supports minimum TLS version', function(done) { + const cache = createCache([appGateway[2]]); + agSslPolicy.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('SSL policy which supports TLSV1_2'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); }); }); From f4ede63dd0f655c5a6190f13f424f5c0df3344ab Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Fri, 1 Dec 2023 15:48:31 +0500 Subject: [PATCH 134/498] Update plugins/azure/applicationGateway/agSslPolicy.js Co-authored-by: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> --- plugins/azure/applicationGateway/agSslPolicy.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/applicationGateway/agSslPolicy.js b/plugins/azure/applicationGateway/agSslPolicy.js index 72da44eecc..414114c7d1 100644 --- a/plugins/azure/applicationGateway/agSslPolicy.js +++ b/plugins/azure/applicationGateway/agSslPolicy.js 
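Review bot: The new fixture's `id` on the line `"id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Network/applicationGateways/test-gateway",',` carries a stray `",` inside the string literal, so the resource id that reaches `addResult` in the new test is not a well-formed ARM id. It should read `"id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Network/applicationGateways/test-gateway',`. The added test only covers `minProtocolVersion: 'TLSV1_2'`; a second custom-policy case with a stricter minimum version would document whether the plugin is meant to accept it, since the plugin compares against that one literal.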
@@ -37,8 +37,8 @@ module.exports = { if (!appGateway.id) continue; const sslPolicy = appGateway.sslPolicy? appGateway.sslPolicy : ''; - if ((sslPolicy.policyType == 'Predefined' && sslPolicy.policyName && recommendedSSLPolicies.indexOf(sslPolicy.policyName) > -1) || - (sslPolicy.policyType == 'Custom' && sslPolicy.minProtocolVersion && sslPolicy.minProtocolVersion.toLowerCase() == 'tlsv1_2')) { + if (sslPolicy.policyType && ((sslPolicy.policyType == 'Predefined' && sslPolicy.policyName && recommendedSSLPolicies.indexOf(sslPolicy.policyName) > -1) || + (sslPolicy.policyType == 'Custom' && sslPolicy.minProtocolVersion && sslPolicy.minProtocolVersion.toLowerCase() == 'tlsv1_2'))) { helpers.addResult(results, 0, 'Application Gateway is using SSL policy which supports TLSV1_2', location, appGateway.id); } else { helpers.addResult(results, 2, 'Application Gateway is using SSL policy which does not support TLSV1_2', location, appGateway.id); From c6338a74d51e4d479f449a3befa0996fc201c04d Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Fri, 1 Dec 2023 15:54:03 +0500 Subject: [PATCH 135/498] Apply suggestions from code review --- plugins/azure/servicebus/namespaceLocalAuth.js | 2 +- plugins/azure/servicebus/namespaceLocalAuth.spec.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/servicebus/namespaceLocalAuth.js b/plugins/azure/servicebus/namespaceLocalAuth.js index 6912a617b6..4f1b2daddc 100644 --- a/plugins/azure/servicebus/namespaceLocalAuth.js +++ b/plugins/azure/servicebus/namespaceLocalAuth.js @@ -29,7 +29,7 @@ module.exports = { } if (!namespaces.data.length) { - helpers.addResult(results, 0, 'No Service Bus namespaces found', location); + helpers.addResult(results, 0, 'No existing Service Bus namespaces found', location); return rcb(); } 
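Review bot: The Custom branch still passes only when `minProtocolVersion` is exactly `tlsv1_2`, so a custom policy with a stricter minimum such as TLSv1_3 is reported as "does not support TLSV1_2"; the added `sslPolicy.policyType &&` guard does not change that. Compare against the set of acceptable minimums instead: `['tlsv1_2', 'tlsv1_3'].includes(sslPolicy.minProtocolVersion.toLowerCase())`. If the gateway API in use also returns the `CustomV2` policy type, it should be accepted alongside `Custom` in the same branch rather than falling through to the failure message. The `recommendedSSLPolicies` list and the loop that encloses this are outside the hunk.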
diff --git a/plugins/azure/servicebus/namespaceLocalAuth.spec.js b/plugins/azure/servicebus/namespaceLocalAuth.spec.js index 2755a180db..e48d05f7f3 100644 --- a/plugins/azure/servicebus/namespaceLocalAuth.spec.js +++ b/plugins/azure/servicebus/namespaceLocalAuth.spec.js @@ -47,7 +47,7 @@ describe('namespaceLocalAuth', function () { namespaceLocalAuth.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('No Service Bus namespaces found'); + expect(results[0].message).to.include('No existing Service Bus namespaces found'); expect(results[0].region).to.equal('eastus'); done(); }); From bd302049f73f3dbf1c8cf67e31e045d72d9f332b Mon Sep 17 00:00:00 2001 From: fatima99s Date: Fri, 1 Dec 2023 17:11:34 +0500 Subject: [PATCH 136/498] Azure/postgresFlexibleServerPrivateAccess --- exports.js | 1 + helpers/azure/api.js | 8 ++ .../flexibleServerPrivateAccess.js | 76 +++++++++++ .../flexibleServerPrivateAccess.spec.js | 125 ++++++++++++++++++ 4 files changed, 210 insertions(+) create mode 100644 plugins/azure/postgresqlserver/flexibleServerPrivateAccess.js create mode 100644 plugins/azure/postgresqlserver/flexibleServerPrivateAccess.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..dc177474b6 100644 --- a/exports.js +++ b/exports.js 
@@ -816,6 +816,7 @@ module.exports = { 'postgresqlServerHasTags' : require(__dirname + '/plugins/azure/postgresqlserver/postgresqlServerHasTags.js'), 'postgresqlInfraDoubleEncryption': require(__dirname + '/plugins/azure/postgresqlserver/postgresqlInfraDoubleEncryption.js'), 'azureServicesAccessDisabled' : require(__dirname + '/plugins/azure/postgresqlserver/azureServicesAccessDisabled.js'), + 'flexibleServerPrivateAccess' : require(__dirname + '/plugins/azure/postgresqlserver/flexibleServerPrivateAccess'), 'openOracleAutoDataWarehouse' : require(__dirname + '/plugins/azure/networksecuritygroups/openOracleAutoDataWarehouse.js'), 'networkWatcherEnabled' : require(__dirname + '/plugins/azure/networksecuritygroups/networkWatcherEnabled.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 0c44596e9d..8c77e4fe21 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -418,6 +418,9 @@ var calls = { }, listPostgres: { url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DBforPostgreSQL/servers?api-version=2017-12-01' + }, + listPostgresFlexibleServer: { + url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DBforPostgreSQL/flexibleServers?api-version=2022-12-01' } }, databaseAccounts: { @@ -798,6 +801,11 @@ var postcalls = { reliesOnPath: 'servers.listPostgres', properties: ['id'], url: 'https://management.azure.com/{id}/firewallRules?api-version=2017-12-01' + }, + listByFlexibleServerPostgres: { + reliesOnPath: 'servers.listPostgresFlexibleServer', + properties: ['id'], + url: 'https://management.azure.com/{id}/firewallRules?api-version=2022-12-01' } }, outboundFirewallRules: { diff --git a/plugins/azure/postgresqlserver/flexibleServerPrivateAccess.js b/plugins/azure/postgresqlserver/flexibleServerPrivateAccess.js new file mode 100644 index 0000000000..0c00643e38 --- /dev/null +++ b/plugins/azure/postgresqlserver/flexibleServerPrivateAccess.js 
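Review bot: The new `flexibleServerPrivateAccess` registry entry is the only one in this hunk, and on this page, whose require path omits the `.js` suffix: `require(__dirname + '/plugins/azure/postgresqlserver/flexibleServerPrivateAccess')`. Node resolves it either way, but the inconsistency makes grep-based audits of the plugin registry miss it; use `'/plugins/azure/postgresqlserver/flexibleServerPrivateAccess.js'` like its neighbours.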
@@ -0,0 +1,76 @@ +const async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'PostgreSQL Flexible Server Services Access Disabled', + category: 'PostgreSQL Server', + domain: 'Databases', + description: 'Ensure that PostgreSQL flexible servers do not allow access to other Azure services.', + more_info: 'To secure your PostgreSQL flexible server, it is recommended to disable public network access. Instead, configure firewall rules to allow connections from specific network ranges or utilize VNET rules for access from designated virtual networks. This helps prevent unauthorized access from Azure services outside your subscription.', + recommended_action: 'Disable public network access for PostgreSQL database servers.', + link: 'https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-firewall-rules', + apis: ['servers:listPostgresFlexibleServer', 'firewallRules:listByFlexibleServerPostgres'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.servers, (location, rcb) => { + const servers = helpers.addSource(cache, source, + ['servers', 'listPostgresFlexibleServer', location]); + + if (!servers) return rcb(); + + if (servers.err || !servers.data) { + helpers.addResult(results, 3, + 'Unable to query for PostgreSQL flexible servers: ' + helpers.addError(servers), location); + return rcb(); + } + + if (!servers.data.length) { + helpers.addResult(results, 0, 'No existing PostgreSQL flexible servers found', location); + return rcb(); + } + + for (let postgresServer of servers.data) { + if (!postgresServer.id) continue; + + const firewallRules = helpers.addSource(cache, source, + ['firewallRules', 'listByFlexibleServerPostgres', location, postgresServer.id]); + + if (!firewallRules || firewallRules.err || !firewallRules.data) { + helpers.addResult(results, 3, + 'Unable to query 
Postgres Flexible Server Firewall Rules: ' + helpers.addError(firewallRules), location, postgresServer.id); + continue; + } + + if (!firewallRules.data.length) { + helpers.addResult(results, 0, 'No existing postgres Flexible Server Firewall Rules found', location, postgresServer.id); + continue; + } + + let accessToServices = true; + for (let rule of firewallRules.data) { + if (rule.name && rule.name.toLowerCase().includes('allowallazureservicesandresourceswithinazureips')) { + accessToServices = false; + break; + } + } + + if (accessToServices) { + helpers.addResult(results, 0, + 'Access to other Azure services is disabled for PostgreSQL flexible server', location, postgresServer.id); + } else { + helpers.addResult(results, 2, + 'Access to other Azure services is not disabled for PostgreSQL flexible server', location, postgresServer.id); + } + } + + rcb(); + }, function() { + // Global checking goes here + callback(null, results, source); + }); + } +}; diff --git a/plugins/azure/postgresqlserver/flexibleServerPrivateAccess.spec.js b/plugins/azure/postgresqlserver/flexibleServerPrivateAccess.spec.js new file mode 100644 index 0000000000..362a8a17b8 --- /dev/null +++ b/plugins/azure/postgresqlserver/flexibleServerPrivateAccess.spec.js 
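Review bot: The check decides that access from other Azure services is disabled purely by firewall rule name (`rule.name.toLowerCase().includes('allowallazureservicesandresourceswithinazureips')`), while what actually grants that access is the 0.0.0.0–0.0.0.0 rule range that the spec fixture shows under `properties.startIpAddress`/`properties.endIpAddress`; a rule with the same range but a different name passes the control. Assuming the API returns those fields the way the fixture does, match on the range as well: `const ip = rule.properties || rule; if ((ip.startIpAddress == '0.0.0.0' && ip.endIpAddress == '0.0.0.0') || (rule.name && rule.name.toLowerCase().includes('allowallazureservicesandresourceswithinazureips'))) { accessToServices = false; break; }`. The metadata also does not describe what the code does: `title` and `description` talk about Azure-services access, `recommended_action` says "Disable public network access", and the file and export are named PrivateAccess, yet public network access is a separate server property this plugin never reads, so either align the text with the firewall-rule check or extend the check. The flag `accessToServices` is inverted (true means no access); `let allowsAzureServices = false;` with the branches swapped reads correctly.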
@@ -0,0 +1,125 @@ +var expect = require('chai').expect; +var flexibleServerPrivateAccess = require('./flexibleServerPrivateAccess'); + +const listPostgresFlexibleServer = [ + { + "id": "/subscriptions/12345/resourceGroups/Default/providers/Microsoft.DBforPostgreSQL/flexibleServers/test-server", + "type": "Microsoft.DBforPostgreSQL/flexibleServers", + "storageProfile": { + "storageMB": 5120, + "backupRetentionDays": 7, + "geoRedundantBackup": "Disabled", + "storageAutogrow": "Disabled" + }, + } +]; + +const firewallRules = [ + { + "id": "/subscriptions/jk34n234k-dwef/resourceGroups/akhtar-rg/providers/Microsoft.DBforPostgreSQL/servers/geo-redundant/firewallRules/TestRule", + "name": "testRule", + "type": "Microsoft.DBforPostgreSQL/servers/firewallRules", + "location": "East US", + "kind": "v12.0", + }, + { + "id": "/subscriptions/jk34n234k-dwef/resourceGroups/akhtar-rg/providers/Microsoft.DBforPostgreSQL/servers/geo-redundant/firewallRules/AllowAllWindowsAzureIps", + "name": "AllowAllAzureServicesAndResourcesWithinAzureIps_2023-12-1_16-2-47')", + "type": "Microsoft.DBforPostgreSQL/servers/firewallRules", + "location": "East US", + "kind": "v12.0", + "properties": { + "startIpAddress": "0.0.0.0", + "endIpAddress": "0.0.0.0" + }, + }, +]; +const createCache = (list, rules) => { + const serverId = (list && list.length) ? 
list[0].id : null; + return { + servers: { + listPostgresFlexibleServer: { + 'eastus': { + data: list + } + } + }, + firewallRules: { + listByFlexibleServerPostgres: { + 'eastus': { + [serverId]: { + data: rules + } + } + } + } + } +}; + +describe('flexibleServerPrivateAccess', function() { + describe('run', function() { + it('should give passing result if no servers', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing PostgreSQL flexible servers found'); + expect(results[0].region).to.equal('eastus'); + done() + }; + + const cache = createCache([]); + + flexibleServerPrivateAccess.run(cache, {}, callback); + }) + + it('should give failing result if postgresql flexiable server does not have access disabled', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Access to other Azure services is not disabled for PostgreSQL flexible server'); + expect(results[0].region).to.equal('eastus'); + done() + }; + + const cache = createCache( + [listPostgresFlexibleServer[0]], + [firewallRules[1]] + ); + + flexibleServerPrivateAccess.run(cache, {}, callback); + }); + + it('should give passing result if postgresql server not have access to azure services', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Access to other Azure services is disabled for PostgreSQL flexible server'); + expect(results[0].region).to.equal('eastus'); + done() + }; + + const cache = createCache( + [listPostgresFlexibleServer[0]], + [firewallRules[0]] + ); + + flexibleServerPrivateAccess.run(cache, {}, callback); + }); + + it('should give unknown result if unable to query for PostgreSQL Servers', function(done) { + const 
callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for PostgreSQL flexible servers'); + expect(results[0].region).to.equal('eastus'); + done() + }; + + const cache = createCache( + null + ); + + flexibleServerPrivateAccess.run(cache, {}, callback); + }); + }) +}) \ No newline at end of file From 848e7dadc7d75bdcd0157f054dea2cac21b14c58 Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Mon, 4 Dec 2023 14:05:40 +0500 Subject: [PATCH 137/498] updated with recommended changes --- exports.js | 4 ++-- .../sqldatabases/dbDataMaskingEnabled.js | 19 ++++++++++--------- .../sqldatabases/dbDataMaskingEnabled.spec.js | 8 ++++---- 3 files changed, 16 insertions(+), 15 deletions(-) diff --git a/exports.js b/exports.js index 831491b1c2..3112b983ee 100644 --- a/exports.js +++ b/exports.js @@ -933,6 +933,7 @@ module.exports = { 'appOrgnaizationalDirectoryAccess' : require(__dirname + '/plugins/azure/activedirectory/appOrgnaizationalDirectoryAccess.js'), 'dbAuditingEnabled' : require(__dirname + '/plugins/azure/sqldatabases/dbAuditingEnabled.js'), + 'dbDataMaskingEnabled' : require(__dirname + '/plugins/azure/sqldatabases/dbDataMaskingEnabled.js'), 'sqlDbMultiAz' : require(__dirname + '/plugins/azure/sqldatabases/sqlDbMultiAz.js'), 'dbRestorable' : require(__dirname + '/plugins/azure/sqldatabases/dbRestorable.js'), 'pitrBackupEnabled' : require(__dirname + '/plugins/azure/sqldatabases/pitrBackupEnabled.js'), 
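Review bot: The second `firewallRules` fixture's `name` ends with a stray `')` (`AllowAllAzureServicesAndResourcesWithinAzureIps_2023-12-1_16-2-47')`), which the plugin's `includes` match hides; trimming it keeps the fixture representative of a real rule name. The `createCache(null)` case exercises the `servers.err || !servers.data` branch as intended, but there is no case for a server whose rule list is empty and none for a missing `firewallRules` lookup, both of which are distinct result branches in the plugin.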
@@ -989,8 +990,7 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion': require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), - 'dbDataMaskingEnabled': require(__dirname + '/plugins/azure/sqldatabases/dbDataMaskingEnabled.js'), + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/plugins/azure/sqldatabases/dbDataMaskingEnabled.js b/plugins/azure/sqldatabases/dbDataMaskingEnabled.js index 24ff3b42f0..51089766f4 100644 --- a/plugins/azure/sqldatabases/dbDataMaskingEnabled.js +++ b/plugins/azure/sqldatabases/dbDataMaskingEnabled.js @@ -2,12 +2,12 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Set Dynamic Data Masking for SQL Databases', + title: 'Dynamic Data Masking Enabled', category: 'SQL Databases', domain: 'Databases', - description: 'Set up dynamic data masking to protect sensitive data exposure in SQL databases.', + description: 'Ensures dynamic data masking is enabeld for all SQL databases.', more_info: 'Dynamic data masking helps prevent unauthorized access to sensitive data by hiding it in query results.', - recommended_action: 'Set up dynamic data masking for designated database fields to enhance data security.', + recommended_action: 'Set up dynamic data masking to protect sensitive data exposure in SQL databases.', link: 'https://docs.microsoft.com/en-us/azure/sql-database/sql-database-dynamic-data-masking-get-started-portal', apis: ['servers:listSql', 'databases:listByServer', 'dataMaskingPolicies:get'], 
@@ -32,7 +32,7 @@ module.exports = { } // Loop through servers and check databases - servers.data.forEach(function(server) { + servers.data.forEach(server => { var databases = helpers.addSource(cache, source, ['databases', 'listByServer', location, server.id]); @@ -44,16 +44,17 @@ module.exports = { helpers.addResult(results, 0, 'No databases found for SQL server', location, server.id); } else { - databases.data.forEach(function(database) { + databases.data.forEach(database => { var dataMaskingPolicies = helpers.addSource(cache, source, ['dataMaskingPolicies', 'get', location, database.id]); - if (!dataMaskingPolicies || dataMaskingPolicies.err || !dataMaskingPolicies.data) { - helpers.addResult(results, 3, 'Unable to query dynamic data masking: ' + helpers.addError(dataMaskingPolicies), location, database.id); + console.log('dataMaskingPolicies------', dataMaskingPolicies); + if (!dataMaskingPolicies || dataMaskingPolicies.err || !dataMaskingPolicies.data || !dataMaskingPolicies.data.dataMaskingState) { + helpers.addResult(results, 3, 'Unable to query dynamic data masking policies: ' + helpers.addError(dataMaskingPolicies), location, database.id); } else { if (dataMaskingPolicies.data.dataMaskingState.toLowerCase()=='enabled') { - helpers.addResult(results, 0, 'Dynamic data masking is enabled for the database', location, database.id); + helpers.addResult(results, 0, 'Dynamic data masking is enabled for SQL database', location, database.id); } else { - helpers.addResult(results, 2, 'Dynamic data masking is not enabled for the database', location, database.id); + helpers.addResult(results, 2, 'Dynamic data masking is not enabled for SQL database', location, database.id); } } }); diff --git a/plugins/azure/sqldatabases/dbDataMaskingEnabled.spec.js b/plugins/azure/sqldatabases/dbDataMaskingEnabled.spec.js index e9e278acc5..d0112bee3f 100644 --- a/plugins/azure/sqldatabases/dbDataMaskingEnabled.spec.js +++ b/plugins/azure/sqldatabases/dbDataMaskingEnabled.spec.js 
@@ -97,11 +97,11 @@ describe('setDynamicDataMasking', function() { setDynamicDataMasking.run(cache, {}, callback); }); - it('should give passing result if Dynamic data masking is enabled for the database', function(done) { + it('should give passing result if Dynamic data masking is enabled for SQL database', function(done) { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Dynamic data masking is enabled for the database'); + expect(results[0].message).to.include('Dynamic data masking is enabled for SQL database'); expect(results[0].region).to.equal('eastus'); done(); }; @@ -115,11 +115,11 @@ describe('setDynamicDataMasking', function() { setDynamicDataMasking.run(cache, {}, callback); }); - it('should give failing result if Dynamic data masking is not enabled for the database', function(done) { + it('should give failing result if Dynamic data masking is not enabled for SQL database', function(done) { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Dynamic data masking is not enabled for the database'); + expect(results[0].message).to.include('Dynamic data masking is not enabled for SQL database'); expect(results[0].region).to.equal('eastus'); done(); }; From faf30fe6cff85db72c5105971ced94eacd30b5c0 Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Mon, 4 Dec 2023 14:06:30 +0500 Subject: [PATCH 138/498] updated with recommended changes --- plugins/azure/sqldatabases/dbDataMaskingEnabled.js | 1 - 1 file changed, 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbDataMaskingEnabled.js b/plugins/azure/sqldatabases/dbDataMaskingEnabled.js index 51089766f4..5eea069baf 100644 --- a/plugins/azure/sqldatabases/dbDataMaskingEnabled.js +++ b/plugins/azure/sqldatabases/dbDataMaskingEnabled.js 
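Review bot: The spec still runs under `describe('setDynamicDataMasking', ...)` and calls `setDynamicDataMasking.run(cache, {}, callback)` while the plugin is now registered and titled as `dbDataMaskingEnabled`; renaming the describe label and the required binding to `dbDataMaskingEnabled` keeps test output searchable by plugin name. The updated message assertions match the new strings in the plugin hunk.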
@@ -47,7 +47,6 @@ module.exports = { databases.data.forEach(database => { var dataMaskingPolicies = helpers.addSource(cache, source, ['dataMaskingPolicies', 'get', location, database.id]); - console.log('dataMaskingPolicies------', dataMaskingPolicies); if (!dataMaskingPolicies || dataMaskingPolicies.err || !dataMaskingPolicies.data || !dataMaskingPolicies.data.dataMaskingState) { helpers.addResult(results, 3, 'Unable to query dynamic data masking policies: ' + helpers.addError(dataMaskingPolicies), location, database.id); } else { From be8984b0277344f3ed07b7a4754a2de739b1f330 Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Mon, 4 Dec 2023 14:09:37 +0500 Subject: [PATCH 139/498] updated with recommended changes --- plugins/azure/sqldatabases/dbDataMaskingEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbDataMaskingEnabled.js b/plugins/azure/sqldatabases/dbDataMaskingEnabled.js index 5eea069baf..1d9734067e 100644 --- a/plugins/azure/sqldatabases/dbDataMaskingEnabled.js +++ b/plugins/azure/sqldatabases/dbDataMaskingEnabled.js @@ -5,7 +5,7 @@ module.exports = { title: 'Dynamic Data Masking Enabled', category: 'SQL Databases', domain: 'Databases', - description: 'Ensures dynamic data masking is enabeld for all SQL databases.', + description: 'Ensures dynamic data masking is enabled for all SQL databases.', more_info: 'Dynamic data masking helps prevent unauthorized access to sensitive data by hiding it in query results.', recommended_action: 'Set up dynamic data masking to protect sensitive data exposure in SQL databases.', link: 'https://docs.microsoft.com/en-us/azure/sql-database/sql-database-dynamic-data-masking-get-started-portal', From de9190e9726c25cd31ebf8c020baed74196dbba9 Mon Sep 17 00:00:00 2001 
From: Muzzammil Date: Mon, 4 Dec 2023 14:51:36 +0500 Subject: [PATCH 140/498] updated with recommended changes --- exports.js | 4 ++-- .../azure/sqldatabases/dbLedgerDigestStorageEnabled.js | 10 +++++----- .../sqldatabases/dbLedgerDigestStorageEnabled.spec.js | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/exports.js b/exports.js index 238b678883..fd48918ff9 100644 --- a/exports.js +++ b/exports.js @@ -935,6 +935,7 @@ module.exports = { 'dbAuditingEnabled' : require(__dirname + '/plugins/azure/sqldatabases/dbAuditingEnabled.js'), 'sqlDbMultiAz' : require(__dirname + '/plugins/azure/sqldatabases/sqlDbMultiAz.js'), 'dbRestorable' : require(__dirname + '/plugins/azure/sqldatabases/dbRestorable.js'), + 'dbLedgerDigestStorageEnabled' : require(__dirname + '/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js'), 'pitrBackupEnabled' : require(__dirname + '/plugins/azure/sqldatabases/pitrBackupEnabled.js'), 'lbHttpsOnly' : require(__dirname + '/plugins/azure/loadbalancer/lbHttpsOnly.js'), @@ -989,8 +990,7 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion': require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), - 'dbLedgerDigestStorageEnabled': require(__dirname + '/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js'), + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js index 51360cffe0..983e53ec8a 100644 --- a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js 
+++ b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js @@ -2,10 +2,10 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Enable Automatic Ledger Digest Storage for SQL Databases', + title: 'Ledger Digest Storage Enabled', category: 'SQL Databases', domain: 'Databases', - description: 'Enable automatic Ledger digest storage for enhanced data integrity.', + description: 'Ensure automatic Ledger digest storage is enabled for enhanced data integrity.', more_info: 'Configuring automatic Ledger digest storage allows for the generation and storage of digests for later verification.', recommended_action: 'Configure an Azure Storage account or Azure Confidential Ledger for automatic Ledger digest storage. Alternatively, manually generate digests and store them in a secure location.', link: 'https://docs.microsoft.com/en-us/azure/sql-database/sql-database-ledger-overview', 
@@ -44,15 +44,15 @@ module.exports = { helpers.addResult(results, 0, 'No databases found for SQL server', location, server.id); } else { - databases.data.forEach(function(database) { + databases.data.forEach(database=> { var ledgerDigestUploads = helpers.addSource(cache, source, ['ledgerDigestUploads', 'list', location, database.id]); if (!ledgerDigestUploads || ledgerDigestUploads.err) { helpers.addResult(results, 3, 'Unable to query for Azure ledger: ' + helpers.addError(ledgerDigestUploads), location, database.id); } else { if (ledgerDigestUploads.data[0].state.toLowerCase() == 'enabled') { - helpers.addResult(results, 0, 'Automatic Ledger digest storage is enabled', location, database.id); + helpers.addResult(results, 0, 'Automatic Ledger digest storage is enabled for SQL database', location, database.id); } else { - helpers.addResult(results, 2, 'Automatic Ledger digest storage is disbaled', location, database.id); + helpers.addResult(results, 2, 'Automatic Ledger digest storage is disabled for SQL database', location, database.id); } } diff --git a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js index 48f4c9cf65..637eb5a6f9 100644 --- a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js +++ b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js @@ -101,7 +101,7 @@ describe('enableAutomaticLedgerDigestStorage', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Automatic Ledger digest storage is enabled'); + expect(results[0].message).to.include('Automatic Ledger digest storage is enabled for SQL database'); expect(results[0].region).to.equal('eastus'); done(); }; 
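Review bot: `ledgerDigestUploads.data[0].state.toLowerCase()` in the else branch dereferences the first element without checking that `data` is a non-empty array, so an empty list (or a missing `state`) throws a TypeError inside the forEach and aborts the region scan instead of yielding a status-3 result. The guard above it only covers `!ledgerDigestUploads || ledgerDigestUploads.err`; extending it the way dbTDEEnabled.js in this series does, `if (!ledgerDigestUploads || ledgerDigestUploads.err || !ledgerDigestUploads.data || !ledgerDigestUploads.data.length) {`, keeps the failure a reported UNKNOWN rather than a crash. The same `data[0].state` access appears in auditMicrosoftOperationsEnabled.js hunk @@ -41,13 (commit 146), whose guard condition sits outside that hunk and should be checked for the same condition. The enclosing `async.each` callback starts before this hunk.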
@@ -119,7 +119,7 @@ describe('enableAutomaticLedgerDigestStorage', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Automatic Ledger digest storage is disbaled'); + expect(results[0].message).to.include('Automatic Ledger digest storage is disabled for SQL database'); expect(results[0].region).to.equal('eastus'); done(); }; From 052b9bedd44b62eae15062a63d6568f5bd105c7f Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Mon, 4 Dec 2023 14:59:40 +0500 Subject: [PATCH 141/498] updated with recommended changes --- exports.js | 5 +++-- plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js | 6 +++--- plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js | 1 - 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/exports.js b/exports.js index b0fecbe9b1..a0ac0fda96 100644 --- a/exports.js +++ b/exports.js @@ -936,6 +936,8 @@ module.exports = { 'sqlDbMultiAz' : require(__dirname + '/plugins/azure/sqldatabases/sqlDbMultiAz.js'), 'dbRestorable' : require(__dirname + '/plugins/azure/sqldatabases/dbRestorable.js'), 'pitrBackupEnabled' : require(__dirname + '/plugins/azure/sqldatabases/pitrBackupEnabled.js'), + 'dbSyncGroupPrivateLink' : require(__dirname + '/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js'), + 'lbHttpsOnly' : require(__dirname + '/plugins/azure/loadbalancer/lbHttpsOnly.js'), 'lbNoInstances' : require(__dirname + '/plugins/azure/loadbalancer/lbNoInstances.js'), 
@@ -989,8 +991,7 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion': require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), - 'dbSyncGroupPrivateLink': require(__dirname + '/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js'), + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js index cef81a6b8a..bcb55e8449 100644 --- a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js +++ b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js @@ -2,7 +2,7 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'SQL Database Sync Groups - Private Link & Manual Approval', + title: 'Private Link Enabled for SQL Databases', category: 'SQL Databases', domain: 'Databases', description: 'Ensures SQL Database sync groups use private link when SQL DB sync with others databases.', @@ -45,7 +45,7 @@ module.exports = { helpers.addResult(results, 0, 'No databases found for SQL server', location, server.id); } else { - databases.data.forEach(function(database) { + databases.data.forEach(database=> { var syncGroups = helpers.addSource(cache, source, ['syncGroups', 'list', location, database.id]); 
@@ -58,7 +58,7 @@ module.exports = { 'No Database sync group found for SQL database', location, database.id); } - syncGroups.data.forEach(function(syncGroup) { + syncGroups.data.forEach(syncGroup=> { if (syncGroup.usePrivateLinkConnection) { helpers.addResult(results, 0, 'SQL Database sync group uses private link to sync with other databases', location, syncGroup.id); } else { diff --git a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js index 09f3d4b682..7107fb58eb 100644 --- a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js +++ b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js @@ -113,7 +113,6 @@ describe('sqlDatabaseSyncGroups', function() { it('should give failing result if SQL Database sync group does not use private link', function(done) { const callback = (err, results) => { - console.log('here-----',results) expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); expect(results[0].message).to.include('SQL Database sync group does not uses private link to sync with other databases'); From 6082bbd6d1ec9115783389aaf902a9254f2369f8 Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Mon, 4 Dec 2023 15:12:05 +0500 Subject: [PATCH 142/498] updated with recommended changes --- exports.js | 4 ++-- plugins/azure/sqldatabases/dbTDEEnabled.js | 14 +++++++------- plugins/azure/sqldatabases/dbTDEEnabled.spec.js | 6 +++--- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/exports.js b/exports.js index 2ce161f68d..dffd78deea 100644 --- a/exports.js +++ b/exports.js 
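Review bot: The failing branch that follows the rewritten `syncGroups.data.forEach(syncGroup=> {` lies outside this hunk, but the spec hunk in this commit shows its user-facing message reads `'SQL Database sync group does not uses private link to sync with other databases'`, which the commit leaves unchanged while retitling the plugin. Correcting it to `'SQL Database sync group does not use private link to sync with other databases'` in both the plugin and the spec expectation fits the wording clean-up this commit is doing. The `syncGroup=>` spacing also differs from the `server =>` form used in auditMicrosoftOperationsEnabled.js later in this series; one form across the plugins would be easier to lint.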
@@ -936,6 +936,7 @@ module.exports = { 'sqlDbMultiAz' : require(__dirname + '/plugins/azure/sqldatabases/sqlDbMultiAz.js'), 'dbRestorable' : require(__dirname + '/plugins/azure/sqldatabases/dbRestorable.js'), 'pitrBackupEnabled' : require(__dirname + '/plugins/azure/sqldatabases/pitrBackupEnabled.js'), + 'dbTDEEnabled' : require(__dirname + '/plugins/azure/sqldatabases/dbTDEEnabled.js'), 'lbHttpsOnly' : require(__dirname + '/plugins/azure/loadbalancer/lbHttpsOnly.js'), 'lbNoInstances' : require(__dirname + '/plugins/azure/loadbalancer/lbNoInstances.js'), @@ -989,8 +990,7 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion': require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), - 'dbTDEEnabled': require(__dirname + '/plugins/azure/sqldatabases/dbTDEEnabled.js'), + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/plugins/azure/sqldatabases/dbTDEEnabled.js b/plugins/azure/sqldatabases/dbTDEEnabled.js index 365daff3c7..78169d994c 100644 --- a/plugins/azure/sqldatabases/dbTDEEnabled.js +++ b/plugins/azure/sqldatabases/dbTDEEnabled.js 
@@ -2,10 +2,10 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Enable Transparent Data Encryption on SQL Databases', + title: 'Transparent Data Encryption Enabled', category: 'SQL Databases', domain: 'Databases', - description: 'Enables Transparent Data Encryption (TDE) on SQL databases for enhanced security', + description: 'Ensure Transparent Data Encryption (TDE) is enabled on SQL databases for enhanced security', more_info: 'TDE helps protect sensitive data at rest by encrypting the database files.', recommended_action: 'Enable TDE for SQL databases to enhance data security.', link: 'https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15', @@ -31,7 +31,7 @@ module.exports = { return rcb(); } - servers.data.forEach(function(server) { + servers.data.forEach(server=> { var databases = helpers.addSource(cache, source, ['databases', 'listByServer', location, server.id]); 
@@ -43,19 +43,19 @@ module.exports = { helpers.addResult(results, 0, 'No databases found for SQL server', location, server.id); } else { - databases.data.forEach(function(database) { + databases.data.forEach(database=> { var transparentDataEncryption = helpers.addSource(cache, source, ['transparentDataEncryption', 'list', location, database.id]); if (!transparentDataEncryption || transparentDataEncryption.err || !transparentDataEncryption.data || !transparentDataEncryption.data.length) { - helpers.addResult(results, 3, 'Unable to query for SQL Database transparent data encryption: ' + helpers.addError(transparentDataEncryption), location, database.id); + helpers.addResult(results, 3, 'Unable to query transparent data encryption for SQL Database: ' + helpers.addError(transparentDataEncryption), location, database.id); return; } if (transparentDataEncryption.data[0].state.toLowerCase()=='enabled') { - helpers.addResult(results, 0, 'SQL Database transparent data encryption is Enabled', location, database.id); + helpers.addResult(results, 0, 'Transparent data encryption is Enabled for SQL Database', location, database.id); } else { - helpers.addResult(results, 2, 'SQL Database transparent data encryption is Disabled', location, database.id); + helpers.addResult(results, 2, 'Transparent data encryption is Disabled for SQL Database', location, database.id); } }); } diff --git a/plugins/azure/sqldatabases/dbTDEEnabled.spec.js b/plugins/azure/sqldatabases/dbTDEEnabled.spec.js index d2d78742f7..54f0409687 100644 --- a/plugins/azure/sqldatabases/dbTDEEnabled.spec.js +++ b/plugins/azure/sqldatabases/dbTDEEnabled.spec.js 
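Review bot: The reworded pass/fail messages at the end of this hunk keep `Enabled`/`Disabled` capitalised mid-sentence (`'Transparent data encryption is Enabled for SQL Database'`), while the sibling plugins reworded in this series (dbLedgerEnabled.js, dbEnableSecureEnclaves.js) use `is enabled for SQL database`; `'Transparent data encryption is enabled for SQL database'` and the matching disabled form would make the scanner output uniform, with the three expectations in dbTDEEnabled.spec.js updated alongside. The comparison `transparentDataEncryption.data[0].state.toLowerCase()=='enabled'` is still loose equality; `=== 'enabled'` is the idiomatic form and costs nothing here. The enclosing forEach over servers begins in the previous hunk.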
@@ -97,7 +97,7 @@ describe('enableTransparentDataEncryption', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('SQL Database transparent data encryption is Enabled'); + expect(results[0].message).to.include('Transparent data encryption is Enabled for SQL Database'); expect(results[0].region).to.equal('eastus'); done(); }; @@ -115,7 +115,7 @@ describe('enableTransparentDataEncryption', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('SQL Database transparent data encryption is Disabled'); + expect(results[0].message).to.include('Transparent data encryption is Disabled for SQL Database'); expect(results[0].region).to.equal('eastus'); done(); }; @@ -177,7 +177,7 @@ describe('enableTransparentDataEncryption', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); - expect(results[0].message).to.include('Unable to query for SQL Database transparent data encryption'); + expect(results[0].message).to.include('Unable to query transparent data encryption for SQL Database'); expect(results[0].region).to.equal('eastus'); done(); }; From 22babd4848fd72978c79f88edc79edaaac9674d3 Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Mon, 4 Dec 2023 15:22:13 +0500 Subject: [PATCH 143/498] updated with recommended changes --- exports.js | 5 +++-- plugins/azure/sqldatabases/dbEnableSecureEnclaves.js | 12 ++++++------ .../sqldatabases/dbEnableSecureEnclaves.spec.js | 4 ++-- 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/exports.js b/exports.js index 462c69a408..fb34f9b6df 100644 --- a/exports.js +++ b/exports.js 
@@ -936,6 +936,8 @@ module.exports = { 'sqlDbMultiAz' : require(__dirname + '/plugins/azure/sqldatabases/sqlDbMultiAz.js'), 'dbRestorable' : require(__dirname + '/plugins/azure/sqldatabases/dbRestorable.js'), 'pitrBackupEnabled' : require(__dirname + '/plugins/azure/sqldatabases/pitrBackupEnabled.js'), + 'dbEnableSecureEnclaves' : require(__dirname + '/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js'), + 'lbHttpsOnly' : require(__dirname + '/plugins/azure/loadbalancer/lbHttpsOnly.js'), 'lbNoInstances' : require(__dirname + '/plugins/azure/loadbalancer/lbNoInstances.js'), @@ -989,8 +991,7 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion': require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), - 'dbEnableSecureEnclaves': require(__dirname + '/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js'), + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js b/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js index e8a0b07301..c43d7d1993 100644 --- a/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js +++ b/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js 
@@ -2,10 +2,10 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Enable Always Encrypted with Secure Enclaves for SQL Databases', + title: 'Database Secure Enclaves Encryption Enabled', category: 'SQL Databases', domain: 'Databases', - description: 'Enable Always Encrypted with secure enclaves at the database level for enhanced data security.', + description: 'Ensure Always Encrypted with secure enclaves is enabled at the database level for enhanced data security.', more_info: 'Always Encrypted with secure enclaves allows encrypted data to be processed inside a secure enclave for improved security.', recommended_action: 'Enable Always Encrypted with secure enclaves for the SQL database to enhance data security.', link: 'https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-enclaves-security-features?view=sql-server-ver15', @@ -31,7 +31,7 @@ module.exports = { return rcb(); } - servers.data.forEach(function(server) { + servers.data.forEach(server=> { var databases = helpers.addSource(cache, source, ['databases', 'listByServer', location, server.id]); @@ -43,12 +43,12 @@ module.exports = { helpers.addResult(results, 0, 'No databases found for SQL server', location, server.id); } else { - databases.data.forEach(function(database) { + databases.data.forEach(database=> { if (!database.preferredEnclaveType) { - helpers.addResult(results, 2, 'Always Encrypted with secure enclaves disabled', location, database.id); + helpers.addResult(results, 2, 'Always Encrypted with secure enclaves is disabled for SQL database', location, database.id); } else { - helpers.addResult(results, 0, 'Always Encrypted with secure enclaves enabled', location, database.id); + helpers.addResult(results, 0, 'Always Encrypted with secure enclaves is enabled for SQL database', location, database.id); } } ); 
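Review bot: `if (!database.preferredEnclaveType)` in the rewritten forEach of hunk @@ -43,12 treats any non-empty value as Always Encrypted with secure enclaves being enabled, but as far as I know the Azure SQL database `preferredEnclaveType` property also takes the value `Default`, which means no secure enclave is provisioned; `VBS` is the enclave-backed setting. A database left at `Default` would therefore receive a passing result from this check. Tightening the condition to `if (!database.preferredEnclaveType || database.preferredEnclaveType.toLowerCase() === 'default') {` closes that gap, and a failing spec case with `preferredEnclaveType: 'Default'` would pin it. The surrounding `async.each` callback starts outside this hunk.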
diff --git a/plugins/azure/sqldatabases/dbEnableSecureEnclaves.spec.js b/plugins/azure/sqldatabases/dbEnableSecureEnclaves.spec.js index a293eb062a..83772acc4e 100644 --- a/plugins/azure/sqldatabases/dbEnableSecureEnclaves.spec.js +++ b/plugins/azure/sqldatabases/dbEnableSecureEnclaves.spec.js @@ -80,7 +80,7 @@ describe('enableAlwaysEncrypted', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Always Encrypted with secure enclaves enabled'); + expect(results[0].message).to.include('Always Encrypted with secure enclaves is enabled for SQL database'); expect(results[0].region).to.equal('eastus'); done(); }; @@ -97,7 +97,7 @@ describe('enableAlwaysEncrypted', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Always Encrypted with secure enclaves disabled'); + expect(results[0].message).to.include('Always Encrypted with secure enclaves is disabled for SQL database'); expect(results[0].region).to.equal('eastus'); done(); }; From f30d3abb28da40601d3d9411990de19ddf9fe327 Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Mon, 4 Dec 2023 15:29:26 +0500 Subject: [PATCH 144/498] updated with recommended changes --- exports.js | 4 ++-- plugins/azure/sqldatabases/dbLedgerEnabled.js | 12 ++++++------ plugins/azure/sqldatabases/dbLedgerEnabled.spec.js | 4 ++-- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/exports.js b/exports.js index 15c67dd606..7c6bb78a53 100644 --- a/exports.js +++ b/exports.js 
@@ -936,6 +936,7 @@ module.exports = { 'sqlDbMultiAz' : require(__dirname + '/plugins/azure/sqldatabases/sqlDbMultiAz.js'), 'dbRestorable' : require(__dirname + '/plugins/azure/sqldatabases/dbRestorable.js'), 'pitrBackupEnabled' : require(__dirname + '/plugins/azure/sqldatabases/pitrBackupEnabled.js'), + 'dbLedgerEnabled' : require(__dirname + '/plugins/azure/sqldatabases/dbLedgerEnabled.js'), 'lbHttpsOnly' : require(__dirname + '/plugins/azure/loadbalancer/lbHttpsOnly.js'), 'lbNoInstances' : require(__dirname + '/plugins/azure/loadbalancer/lbNoInstances.js'), @@ -989,8 +990,7 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion': require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), - 'dbLedgerEnabled': require(__dirname + '/plugins/azure/sqldatabases/dbLedgerEnabled.js'), + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/plugins/azure/sqldatabases/dbLedgerEnabled.js b/plugins/azure/sqldatabases/dbLedgerEnabled.js index ea36dccd8f..7c849d6f06 100644 --- a/plugins/azure/sqldatabases/dbLedgerEnabled.js +++ b/plugins/azure/sqldatabases/dbLedgerEnabled.js 
@@ -2,10 +2,10 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Enable Azure Ledger for SQL Databases', + title: 'Database Azure Ledger Enabled', category: 'SQL Databases', domain: 'Databases', - description: 'Enable Azure ledger to protect the integrity of data for SQL databases.', + description: 'Ensure Azure ledger is enabled to protect the integrity of data for SQL databases.', more_info: 'Azure ledger helps protect the integrity of data by enabling customers to use cryptographic seals on their data.', recommended_action: 'Enable Azure ledger for all future tables in the SQL database to enhance data integrity.', link: 'https://docs.microsoft.com/en-us/azure/sql-database/sql-database-ledger-overview', @@ -32,7 +32,7 @@ module.exports = { } // Loop through servers and check databases - servers.data.forEach(function(server) { + servers.data.forEach(server=> { var databases = helpers.addSource(cache, source, ['databases', 'listByServer', location, server.id]); @@ -45,12 +45,12 @@ module.exports = { 'No databases found for SQL server', location, server.id); } else { // Loop through databases - databases.data.forEach(function(database) { + databases.data.forEach(database=> { if (database.isLedgerOn==true) { - helpers.addResult(results, 0, 'Azure ledger is enabled', location, database.id); + helpers.addResult(results, 0, 'Azure ledger is enabled for SQL database', location, database.id); } else { - helpers.addResult(results, 2, 'Azure ledger is disabled', location, database.id); + helpers.addResult(results, 2, 'Azure ledger is disabled for SQL database', location, database.id); } }); diff --git a/plugins/azure/sqldatabases/dbLedgerEnabled.spec.js b/plugins/azure/sqldatabases/dbLedgerEnabled.spec.js index f592c2b369..2a54d6fdf1 100644 --- a/plugins/azure/sqldatabases/dbLedgerEnabled.spec.js +++ b/plugins/azure/sqldatabases/dbLedgerEnabled.spec.js 
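Review bot: `if (database.isLedgerOn==true)` in hunk @@ -45,12 compares against a boolean literal with loose equality, which is the one form that is neither a plain truthiness test nor a strict check; `if (database.isLedgerOn === true) {` states the intent and cannot be satisfied by a coerced value. The `database=>` arrow without surrounding spaces also differs from the `server =>` form used in auditMicrosoftOperationsEnabled.js in this series. The enclosing server loop starts in the previous hunk.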
@@ -81,7 +81,7 @@ describe('enableAzureLedger', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Azure ledger is enabled'); + expect(results[0].message).to.include('Azure ledger is enabled for SQL database'); expect(results[0].region).to.equal('eastus'); done(); }; @@ -98,7 +98,7 @@ describe('enableAzureLedger', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Azure ledger is disabled'); + expect(results[0].message).to.include('Azure ledger is disabled for SQL database'); expect(results[0].region).to.equal('eastus'); done(); }; From d4ece260db2cb011ac2dfcc16c7693faf5872539 Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Mon, 4 Dec 2023 15:35:11 +0500 Subject: [PATCH 145/498] updated with recommended changes --- exports.js | 4 ++-- .../azure/sqlserver/restrictOutboundNetworking.js | 12 ++++++------ .../sqlserver/restrictOutboundNetworking.spec.js | 6 +++--- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/exports.js b/exports.js index 55afcf3117..101138a1ce 100644 --- a/exports.js +++ b/exports.js 
@@ -882,8 +882,8 @@ module.exports = { 'serverSendEmailToAdmins' : require(__dirname + '/plugins/azure/sqlserver/serverSendEmailToAdmins.js'), 'sqlServerRecurringScans' : require(__dirname + '/plugins/azure/sqlserver/sqlServerRecurringScans.js'), 'sqlServerSendScanReports' : require(__dirname + '/plugins/azure/sqlserver/sqlServerSendScanReports.js'), - 'sqlServerHasTags': require(__dirname + '/plugins/azure/sqlserver/sqlServerHasTags.js'), - 'restrictOutboundNetworking': require(__dirname + '/plugins/azure/sqlserver/restrictOutboundNetworking.js'), + 'sqlServerHasTags' : require(__dirname + '/plugins/azure/sqlserver/sqlServerHasTags.js'), + 'restrictOutboundNetworking' : require(__dirname + '/plugins/azure/sqlserver/restrictOutboundNetworking.js'), 'javaVersion' : require(__dirname + '/plugins/azure/appservice/javaVersion.js'), diff --git a/plugins/azure/sqlserver/restrictOutboundNetworking.js b/plugins/azure/sqlserver/restrictOutboundNetworking.js index c4a73110a8..ea7630a3b3 100644 --- a/plugins/azure/sqlserver/restrictOutboundNetworking.js +++ b/plugins/azure/sqlserver/restrictOutboundNetworking.js @@ -2,7 +2,7 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Restrict Outbound Networking for SQL Server', + title: 'Server Outbound Networking Restricted', category: 'SQL Server', domain: 'Databases', description: 'Ensure outbound networking restrictions are configured for the Azure SQL logical server.', 
@@ -34,13 +34,13 @@ module.exports = { return rcb(); } - for (const server of servers.data) { - if (server.restrictOutboundNetworkAccess && server.restrictOutboundNetworkAccess.toLowerCase()=='enabled') { - helpers.addResult(results, 0, 'Outbound networking restrictions are configured for the SQL server', location, server.id); + servers.data.forEach(server=> { + if (server.restrictOutboundNetworkAccess && server.restrictOutboundNetworkAccess.toLowerCase() == 'enabled') { + helpers.addResult(results, 0, 'Outbound networking restrictions are configured for SQL server', location, server.id); } else { - helpers.addResult(results, 2, 'Outbound networking restrictions are not configured for the SQL server', location, server.id); + helpers.addResult(results, 2, 'Outbound networking restrictions are not configured for SQL server', location, server.id); } - } + }); rcb(); }, function() { diff --git a/plugins/azure/sqlserver/restrictOutboundNetworking.spec.js b/plugins/azure/sqlserver/restrictOutboundNetworking.spec.js index 4abbba1312..30fcacf95f 100644 --- a/plugins/azure/sqlserver/restrictOutboundNetworking.spec.js +++ b/plugins/azure/sqlserver/restrictOutboundNetworking.spec.js @@ -27,7 +27,7 @@ describe('restrictOutboundNetworking', function () { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Outbound networking restrictions are configured for the SQL server'); + expect(results[0].message).to.include('Outbound networking restrictions are configured for SQL server'); expect(results[0].region).to.equal('eastus'); done(); }; 
@@ -39,11 +39,11 @@ describe('restrictOutboundNetworking', function () { restrictOutboundNetworking.run(cache, {}, callback); }); - it('should give failing result if outbound networking restrictions are not configured for the SQL server', function (done) { + it('should give failing result if outbound networking restrictions are not configured for SQL server', function (done) { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Outbound networking restrictions are not configured for the SQL server'); + expect(results[0].message).to.include('Outbound networking restrictions are not configured for SQL server'); expect(results[0].region).to.equal('eastus'); done(); }; From 2430a46cb38a18046c828b23c3869ded2334e196 Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Mon, 4 Dec 2023 15:45:12 +0500 Subject: [PATCH 146/498] updated with recommended changes --- exports.js | 2 +- .../sqlserver/auditMicrosoftOperationsEnabled.js | 12 ++++++------ .../auditMicrosoftOperationsEnabled.spec.js | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/exports.js b/exports.js index 6735ab9db6..138f527e4e 100644 --- a/exports.js +++ b/exports.js @@ -882,7 +882,7 @@ module.exports = { 'serverSendEmailToAdmins' : require(__dirname + '/plugins/azure/sqlserver/serverSendEmailToAdmins.js'), 'sqlServerRecurringScans' : require(__dirname + '/plugins/azure/sqlserver/sqlServerRecurringScans.js'), 'sqlServerSendScanReports' : require(__dirname + '/plugins/azure/sqlserver/sqlServerSendScanReports.js'), - 'sqlServerHasTags': require(__dirname + '/plugins/azure/sqlserver/sqlServerHasTags.js'), + 'sqlServerHasTags' : require(__dirname + '/plugins/azure/sqlserver/sqlServerHasTags.js'), 'auditMicrosoftOperationsEnabled':require(__dirname + '/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.js'), 'javaVersion' : require(__dirname + '/plugins/azure/appservice/javaVersion.js'), 
diff --git a/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.js b/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.js index 0cf81baa59..75e0d9a929 100644 --- a/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.js +++ b/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.js @@ -2,7 +2,7 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Auditing of Microsoft Support Operations', + title: 'Microsoft Support Operations Auditing Enabled', category: 'SQL Server', domain: 'Databases', description: 'Ensure auditing of Microsoft support operations is enabled on SQL server.', @@ -33,7 +33,7 @@ module.exports = { return rcb(); } - for (const server of servers.data) { + servers.data.forEach(server => { const devOpsAuditingSettings = helpers.addSource(cache, source, ['devOpsAuditingSettings', 'list', location, server.id]); @@ -41,13 +41,13 @@ module.exports = { helpers.addResult(results, 3, 'Unable to query Auditing Policies: ' + helpers.addError(devOpsAuditingSettings), location, server.id); } else { - if (devOpsAuditingSettings.data[0].state.toLowerCase()=='enabled') { - helpers.addResult(results, 0, 'Auditing of Microsoft support operations is enabled on the SQL server', location, server.name); + if (devOpsAuditingSettings.data[0].state.toLowerCase() == 'enabled') { + helpers.addResult(results, 0, 'Microsoft support operations auditing is enabled on SQL server', location, server.id); } else { - helpers.addResult(results, 2, 'Auditing of Microsoft support operations is not enabled on the SQL server', location, server.name); + helpers.addResult(results, 2, 'Microsoft support operations auditing is not enabled on SQL server', location, server.id); } } - } + }); rcb(); }, function() { diff --git a/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.spec.js b/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.spec.js index 633d50fb95..2da13d0a19 100644 
--- a/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.spec.js +++ b/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.spec.js @@ -47,7 +47,7 @@ describe('Auditing of Microsoft Support Operations', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Auditing of Microsoft support operations is enabled on the SQL server'); + expect(results[0].message).to.include('Microsoft support operations auditing is enabled on SQL server'); expect(results[0].region).to.equal('eastus'); done(); }; @@ -84,7 +84,7 @@ describe('Auditing of Microsoft Support Operations', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Auditing of Microsoft support operations is not enabled on the SQL server'); + expect(results[0].message).to.include('Microsoft support operations auditing is not enabled on SQL server'); expect(results[0].region).to.equal('eastus'); done(); }; From c0fa5450a7463cfdfbfd667bedccd07073567dd3 Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Mon, 4 Dec 2023 15:57:09 +0500 Subject: [PATCH 147/498] updated with recommended changes --- exports.js | 4 ++-- plugins/azure/virtualmachines/vmSecurityType.js | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/exports.js b/exports.js index 0239c298d5..8f8532754e 100644 --- a/exports.js +++ b/exports.js 
@@ -745,8 +745,8 @@ module.exports = { 'vmScaleSetHasTags' : require(__dirname + '/plugins/azure/virtualmachines/vmScaleSetHasTags.js'), 'snapshotByokEncryptionEnabled' : require(__dirname + '/plugins/azure/virtualmachines/snapshotByokEncryptionEnabled.js'), 'systemAssignedIdentityEnabled' : require(__dirname + '/plugins/azure/virtualmachines/systemAssignedIdentityEnabled.js'), - 'vmWindowsAntiMalwareExtension': require(__dirname + '/plugins/azure/virtualmachines/vmWindowsAntiMalwareExtension.js'), - 'vmSecurityType': require(__dirname + '/plugins/azure/virtualmachines/vmSecurityType.js'), + 'vmWindowsAntiMalwareExtension' : require(__dirname + '/plugins/azure/virtualmachines/vmWindowsAntiMalwareExtension.js'), + 'vmSecurityType' : require(__dirname + '/plugins/azure/virtualmachines/vmSecurityType.js'), 'bastionHostExists' : require(__dirname + '/plugins/azure/bastion/bastionHostExists.js'), diff --git a/plugins/azure/virtualmachines/vmSecurityType.js b/plugins/azure/virtualmachines/vmSecurityType.js index 2897fe141a..2414e0a885 100644 --- a/plugins/azure/virtualmachines/vmSecurityType.js +++ b/plugins/azure/virtualmachines/vmSecurityType.js @@ -2,7 +2,7 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Select Trusted Launch for Azure VMs', + title: 'Azure VMs Security Type', category: 'Virtual Machines', domain: 'Compute', description: 'Ensure Trusted Launch is selected for Azure virtual machines (VM) to enhance security against advanced and persistent attack techniques.', From f6757a880c002739890b6c33b894483624efb9af Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Mon, 4 Dec 2023 15:59:50 +0500 Subject: [PATCH 148/498] updated with recommended changes --- exports.js | 4 ++-- plugins/azure/virtualmachines/vmVTPMEnabled.js | 6 +++--- plugins/azure/virtualmachines/vmVTPMEnabled.spec.js | 8 ++++---- 3 files changed, 9 insertions(+), 9 deletions(-) 
diff --git a/exports.js b/exports.js index 9f943c4b5b..0a64d25e60 100644 --- a/exports.js +++ b/exports.js @@ -745,8 +745,8 @@ module.exports = { 'vmScaleSetHasTags' : require(__dirname + '/plugins/azure/virtualmachines/vmScaleSetHasTags.js'), 'snapshotByokEncryptionEnabled' : require(__dirname + '/plugins/azure/virtualmachines/snapshotByokEncryptionEnabled.js'), 'systemAssignedIdentityEnabled' : require(__dirname + '/plugins/azure/virtualmachines/systemAssignedIdentityEnabled.js'), - 'vmWindowsAntiMalwareExtension': require(__dirname + '/plugins/azure/virtualmachines/vmWindowsAntiMalwareExtension.js'), - 'vmVTPMEnabled': require(__dirname + '/plugins/azure/virtualmachines/vmVTPMEnabled.js'), + 'vmWindowsAntiMalwareExtension' : require(__dirname + '/plugins/azure/virtualmachines/vmWindowsAntiMalwareExtension.js'), + 'vmVTPMEnabled' : require(__dirname + '/plugins/azure/virtualmachines/vmVTPMEnabled.js'), 'bastionHostExists' : require(__dirname + '/plugins/azure/bastion/bastionHostExists.js'), diff --git a/plugins/azure/virtualmachines/vmVTPMEnabled.js b/plugins/azure/virtualmachines/vmVTPMEnabled.js index 463fcf5fd9..212ae0af90 100644 --- a/plugins/azure/virtualmachines/vmVTPMEnabled.js +++ b/plugins/azure/virtualmachines/vmVTPMEnabled.js @@ -2,7 +2,7 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Select vTPM for Azure VMs', + title: 'Azure VMs vTPM Enabled', category: 'Virtual Machines', domain: 'Compute', description: 'Ensure Virtual Trusted Platform Module (vTPM) is enabled for Azure virtual machines (VM) to validate boot integrity, securely store keys and secrets, and support advanced threat detection.', 
@@ -34,9 +34,9 @@ module.exports = { virtualMachines.data.forEach(virtualMachine => { if (virtualMachine.securityProfile && virtualMachine.securityProfile.uefiSettings.vTpmEnabled) { - helpers.addResult(results, 0, 'vTPM is selected for Azure Virtual Machine', location, virtualMachine.id); + helpers.addResult(results, 0, 'vTPM is enabled for Azure Virtual Machine', location, virtualMachine.id); } else { - helpers.addResult(results, 2, 'vTPM is not selected for Azure Virtual Machine', location, virtualMachine.id); + helpers.addResult(results, 2, 'vTPM is not enabled for Azure Virtual Machine', location, virtualMachine.id); } }); diff --git a/plugins/azure/virtualmachines/vmVTPMEnabled.spec.js b/plugins/azure/virtualmachines/vmVTPMEnabled.spec.js index c9dc7cab57..ba03d7888d 100644 --- a/plugins/azure/virtualmachines/vmVTPMEnabled.spec.js +++ b/plugins/azure/virtualmachines/vmVTPMEnabled.spec.js 
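Review bot: The condition on the context line `virtualMachine.securityProfile && virtualMachine.securityProfile.uefiSettings.vTpmEnabled` guards `securityProfile` but not `uefiSettings`, so a VM that reports a `securityProfile` without `uefiSettings` throws a TypeError inside the forEach rather than producing a failing result. Suggest `if (virtualMachine.securityProfile && virtualMachine.securityProfile.uefiSettings && virtualMachine.securityProfile.uefiSettings.vTpmEnabled) {`. The hunk at the same position in vmSecureBootEnabled.js (`uefiSettings.secureBootEnabled`) later in this series has the same gap. The enclosing `run` callback starts and ends outside the hunk.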
@@ -62,23 +62,23 @@ describe('selectVTPM', function() { }); }); - it('should give passing result if vTPM is selected', function(done) { + it('should give passing result if vTPM is enabled', function(done) { const cache = createCache([virtualMachines[0]]); selectVTPM.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('vTPM is selected for Azure Virtual Machine'); + expect(results[0].message).to.include('vTPM is enabled for Azure Virtual Machine'); expect(results[0].region).to.equal('eastus'); done(); }); }); - it('should give failing result if vTPM is not selected', function(done) { + it('should give failing result if vTPM is not enabled', function(done) { const cache = createCache([virtualMachines[1]]); selectVTPM.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('vTPM is not selected for Azure Virtual Machine'); + expect(results[0].message).to.include('vTPM is not enabled for Azure Virtual Machine'); expect(results[0].region).to.equal('eastus'); done(); }); From 904d3a78ef6b931cb98aa24d1b673757d407fc47 Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Mon, 4 Dec 2023 16:02:22 +0500 Subject: [PATCH 149/498] updated with recommended changes --- exports.js | 4 ++-- plugins/azure/virtualmachines/vmSecureBootEnabled.js | 6 +++--- plugins/azure/virtualmachines/vmSecureBootEnabled.spec.js | 8 ++++---- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/exports.js b/exports.js index 6aec686b46..020ba904a8 100644 --- a/exports.js +++ b/exports.js 
@@ -745,8 +745,8 @@ module.exports = { 'vmScaleSetHasTags' : require(__dirname + '/plugins/azure/virtualmachines/vmScaleSetHasTags.js'), 'snapshotByokEncryptionEnabled' : require(__dirname + '/plugins/azure/virtualmachines/snapshotByokEncryptionEnabled.js'), 'systemAssignedIdentityEnabled' : require(__dirname + '/plugins/azure/virtualmachines/systemAssignedIdentityEnabled.js'), - 'vmWindowsAntiMalwareExtension': require(__dirname + '/plugins/azure/virtualmachines/vmWindowsAntiMalwareExtension.js'), - 'vmSecureBootEnabled':require(__dirname + '/plugins/azure/virtualmachines/vmSecureBootEnabled.js'), + 'vmWindowsAntiMalwareExtension' : require(__dirname + '/plugins/azure/virtualmachines/vmWindowsAntiMalwareExtension.js'), + 'vmSecureBootEnabled' :require(__dirname + '/plugins/azure/virtualmachines/vmSecureBootEnabled.js'), 'bastionHostExists' : require(__dirname + '/plugins/azure/bastion/bastionHostExists.js'), diff --git a/plugins/azure/virtualmachines/vmSecureBootEnabled.js b/plugins/azure/virtualmachines/vmSecureBootEnabled.js index 3cd9fa10f3..7ca7b01a44 100644 --- a/plugins/azure/virtualmachines/vmSecureBootEnabled.js +++ b/plugins/azure/virtualmachines/vmSecureBootEnabled.js @@ -2,7 +2,7 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Select Secure Boot for Azure VMs', + title: 'Azure VMs Secure Boot Enabled', category: 'Virtual Machines', domain: 'Compute', description: 'Ensure Secure Boot is enabled for Azure virtual machines (VM) to protect against boot kits, rootkits, and kernel-level malware.', 
@@ -34,9 +34,9 @@ module.exports = { virtualMachines.data.forEach(virtualMachine => { if (virtualMachine.securityProfile && virtualMachine.securityProfile.uefiSettings.secureBootEnabled) { - helpers.addResult(results, 0, 'Secure Boot is selected for Azure Virtual Machine', location, virtualMachine.id); + helpers.addResult(results, 0, 'Secure Boot is enabled for Azure Virtual Machine', location, virtualMachine.id); } else { - helpers.addResult(results, 2, 'Secure Boot is not selected for Azure Virtual Machine', location, virtualMachine.id); + helpers.addResult(results, 2, 'Secure Boot is not enabled for Azure Virtual Machine', location, virtualMachine.id); } }); diff --git a/plugins/azure/virtualmachines/vmSecureBootEnabled.spec.js b/plugins/azure/virtualmachines/vmSecureBootEnabled.spec.js index e6141a3bf5..cec6f99f13 100644 --- a/plugins/azure/virtualmachines/vmSecureBootEnabled.spec.js +++ b/plugins/azure/virtualmachines/vmSecureBootEnabled.spec.js 
@@ -62,23 +62,23 @@ describe('selectSecureBoot', function() { }); }); - it('should give passing result if Secure Boot is selected', function(done) { + it('should give passing result if Secure Boot is enabled', function(done) { const cache = createCache([virtualMachines[0]]); selectSecureBoot.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Secure Boot is selected for Azure Virtual Machine'); + expect(results[0].message).to.include('Secure Boot is enabled for Azure Virtual Machine'); expect(results[0].region).to.equal('eastus'); done(); }); }); - it('should give failing result if Secure Boot is not selected', function(done) { + it('should give failing result if Secure Boot is not enabled', function(done) { const cache = createCache([virtualMachines[1]]); selectSecureBoot.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Secure Boot is not selected for Azure Virtual Machine'); + expect(results[0].message).to.include('Secure Boot is not enabled for Azure Virtual Machine'); expect(results[0].region).to.equal('eastus'); done(); }); From 580e7443c952a19a62b679cc253e30d212b37cd0 Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Mon, 4 Dec 2023 16:08:38 +0500 Subject: [PATCH 150/498] updated with recommended changes --- exports.js | 4 ++-- plugins/azure/virtualmachines/vmDiskDeleteConfig.js | 8 ++++---- plugins/azure/virtualmachines/vmDiskDeleteConfig.spec.js | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/exports.js b/exports.js index e87951d775..be0e67705d 100644 --- a/exports.js +++ b/exports.js 
@@ -745,8 +745,8 @@ module.exports = { 'vmScaleSetHasTags' : require(__dirname + '/plugins/azure/virtualmachines/vmScaleSetHasTags.js'), 'snapshotByokEncryptionEnabled' : require(__dirname + '/plugins/azure/virtualmachines/snapshotByokEncryptionEnabled.js'), 'systemAssignedIdentityEnabled' : require(__dirname + '/plugins/azure/virtualmachines/systemAssignedIdentityEnabled.js'), - 'vmWindowsAntiMalwareExtension': require(__dirname + '/plugins/azure/virtualmachines/vmWindowsAntiMalwareExtension.js'), - 'vmDiskDeleteConfig' : require(__dirname + '/plugins/azure/virtualmachines/vmDiskDeleteConfig.js'), + 'vmWindowsAntiMalwareExtension' : require(__dirname + '/plugins/azure/virtualmachines/vmWindowsAntiMalwareExtension.js'), + 'vmDiskDeleteConfig' : require(__dirname + '/plugins/azure/virtualmachines/vmDiskDeleteConfig.js'), 'bastionHostExists' : require(__dirname + '/plugins/azure/bastion/bastionHostExists.js'), diff --git a/plugins/azure/virtualmachines/vmDiskDeleteConfig.js b/plugins/azure/virtualmachines/vmDiskDeleteConfig.js index e2b042cd54..720e4ec033 100644 --- a/plugins/azure/virtualmachines/vmDiskDeleteConfig.js +++ b/plugins/azure/virtualmachines/vmDiskDeleteConfig.js 
@@ -2,10 +2,10 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Automatically Delete Disks on VM Termination', + title: 'Azure VM"s Automatic Disks Delete Enabled', category: 'Virtual Machines', domain: 'Compute', - description: 'Enable the option to automatically delete disks when the associated VM is terminated to ensure all confidential information is wiped.', + description: 'Ensure the option to automatically delete disks is enabled when the associated VM is terminated to ensure all confidential information is wiped.', more_info: 'Disks persist independently from VMs. Enabling this option ensures that all disks associated with a VM are deleted automatically when the VM is terminated, enhancing security.', recommended_action: 'Configure VMs to automatically delete disks when the VM is terminated to enhance security and prevent lingering confidential information.', link: 'https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/disk-delete', @@ -34,9 +34,9 @@ module.exports = { virtualMachines.data.forEach(virtualMachine => { if (virtualMachine.storageProfile && virtualMachine.storageProfile.osDisk && virtualMachine.storageProfile.osDisk.deleteOption=='Delete') { - helpers.addResult(results, 0, 'Automatically delete disks with VM is configured', location, virtualMachine.id); + helpers.addResult(results, 0, 'Automatic disks delete with VM is enabled', location, virtualMachine.id); } else { - helpers.addResult(results, 2, 'Automatically delete disks with VM is not configured', location, virtualMachine.id); + helpers.addResult(results, 2, 'Automatic disks delete with VM is not enabled', location, virtualMachine.id); } }); rcb(); diff --git a/plugins/azure/virtualmachines/vmDiskDeleteConfig.spec.js b/plugins/azure/virtualmachines/vmDiskDeleteConfig.spec.js index 150a3e1000..add9490730 100644 --- a/plugins/azure/virtualmachines/vmDiskDeleteConfig.spec.js 
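Review bot: The new-side condition in the second hunk checks only `storageProfile.osDisk.deleteOption`, while the plugin's description and more_info in the first hunk promise that all disks attached to the VM are deleted on termination; data disks carry their own per-disk `deleteOption`, so a VM with a Delete OS disk and Detach data disks passes even though data could linger. Either narrow the wording to the OS disk or include data disks, e.g. `const dataDisks = (virtualMachine.storageProfile && virtualMachine.storageProfile.dataDisks) || [];` and `if (... osDisk.deleteOption == 'Delete' && dataDisks.every(disk => disk.deleteOption == 'Delete')) {`. If data disks are included, the pass/fail messages should say "all disks" so the result matches what was evaluated. The enclosing `run` callback starts and ends outside the hunk.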
+++ b/plugins/azure/virtualmachines/vmDiskDeleteConfig.spec.js @@ -67,7 +67,7 @@ describe('autoDeleteDisks', function() { autoDeleteDisks.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Automatically delete disks with VM is configured'); + expect(results[0].message).to.include('Automatic disks delete with VM is enabled'); expect(results[0].region).to.equal('eastus'); done(); }); @@ -78,7 +78,7 @@ describe('autoDeleteDisks', function() { autoDeleteDisks.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Automatically delete disks with VM is not configured'); + expect(results[0].message).to.include('Automatic disks delete with VM is not enabled'); expect(results[0].region).to.equal('eastus'); done(); }); From b6d1a600cb3d6376e8be79aa6d82d0f13c81c989 Mon Sep 17 00:00:00 2001 From: fatima99s Date: Mon, 4 Dec 2023 16:41:43 +0500 Subject: [PATCH 151/498] resolve issues --- .../postgresqlserver/postgresqlTlsVersion.js | 19 +++++++++---------- .../postgresqlTlsVersion.spec.js | 4 ++-- 2 files changed, 11 insertions(+), 12 deletions(-) diff --git a/plugins/azure/postgresqlserver/postgresqlTlsVersion.js b/plugins/azure/postgresqlserver/postgresqlTlsVersion.js index cf591c7dda..9af1ade32e 100644 --- a/plugins/azure/postgresqlserver/postgresqlTlsVersion.js +++ b/plugins/azure/postgresqlserver/postgresqlTlsVersion.js 
@@ -36,29 +36,28 @@ module.exports = { servers.data.forEach(function(server) { if (!server.id) return; - if (server.minimalTlsVersion) { - if (server.minimalTlsVersion === 'TLSEnforcementDisabled') { - helpers.addResult(results, 2, - 'PostgreSQL server allows all TLS versions', - location, server.id); + if (server.minimalTlsVersion && server.minimalTlsVersion !== 'TLSEnforcementDisabled') { + const tlsVersionRegex = /^TLS1_\d$/; + if (!tlsVersionRegex.test(server.minimalTlsVersion)) { + helpers.addResult(results, 2, 'Postgresql server TLS version cannot be parsed', location, server.id); } else { var numericTlsVersion = parseFloat(server.minimalTlsVersion.replace('TLS', '').replace('_', '.')); if (numericTlsVersion >= 1.2) { helpers.addResult(results, 0, - `PostgreSQL server is using TLS version ${server.minimalTlsVersion} which is equal to or higher than 1.2`, + 'PostgreSQL server is using TLS version 1.2 or higher', location, server.id); } else { helpers.addResult(results, 2, - `PostgreSQL server is using TLS version ${server.minimalTlsVersion} which is less than 1.2`, + 'PostgreSQL server is not using TLS version 1.2', location, server.id); - } - + } } } else { helpers.addResult(results, 2, 'PostgreSQL server allows all TLS versions', location, server.id); - } + } + }); rcb(); diff --git a/plugins/azure/postgresqlserver/postgresqlTlsVersion.spec.js b/plugins/azure/postgresqlserver/postgresqlTlsVersion.spec.js index 4c4f639e8b..f26d4681af 100644 --- a/plugins/azure/postgresqlserver/postgresqlTlsVersion.spec.js +++ b/plugins/azure/postgresqlserver/postgresqlTlsVersion.spec.js 
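Review bot: A `minimalTlsVersion` that does not match `/^TLS1_\d$/` is reported as status 2 with `'Postgresql server TLS version cannot be parsed'`, which differs in spelling from every other message in this plugin (`PostgreSQL`) and reports an evaluation failure as a confirmed misconfiguration; status 3, as used for the "Unable to query" results in these plugins, would be the more consistent choice if an unrecognized value is meant to be surfaced rather than judged. Suggest `helpers.addResult(results, 3, 'Unable to parse PostgreSQL server TLS version', location, server.id);`. Note also that a server with no `minimalTlsVersion` property at all falls into the same `else` as `TLSEnforcementDisabled` and is reported as allowing all TLS versions; if the API can omit the property, that is a false failure worth distinguishing. The enclosing `run` callback starts and ends outside the hunk.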
@@ -130,7 +130,7 @@ describe('postgresqlTlsVersion', function() { postgresqlTlsVersion.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('which is less than 1.2'); + expect(results[0].message).to.include('PostgreSQL server is not using TLS version 1.2'); expect(results[0].region).to.equal('eastus'); done(); }); @@ -141,7 +141,7 @@ describe('postgresqlTlsVersion', function() { postgresqlTlsVersion.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('which is equal to or higher than 1.2'); + expect(results[0].message).to.include('PostgreSQL server is using TLS version 1.2 or higher'); expect(results[0].region).to.equal('eastus'); done(); }); From f23dbfe0bef9a7be90fa36e4654633a29776fc43 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 16:56:38 +0500 Subject: [PATCH 152/498] Update plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js Co-authored-by: Fatima <66124862+fatima99s@users.noreply.github.com> --- plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js index 983e53ec8a..0075e45866 100644 --- a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js +++ b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js 
@@ -7,7 +7,7 @@ module.exports = { domain: 'Databases', description: 'Ensure automatic Ledger digest storage is enabled for enhanced data integrity.', more_info: 'Configuring automatic Ledger digest storage allows for the generation and storage of digests for later verification.', - recommended_action: 'Configure an Azure Storage account or Azure Confidential Ledger for automatic Ledger digest storage. Alternatively, manually generate digests and store them in a secure location.', + recommended_action: 'Configure an Azure Storage account or Azure Confidential Ledger for automatic Ledger digest storage. ', link: 'https://docs.microsoft.com/en-us/azure/sql-database/sql-database-ledger-overview', apis: ['servers:listSql', 'databases:listByServer', 'ledgerDigestUploads:list'], From 579b6b05b8e9705ec87c182e26698708487f3a78 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 16:56:54 +0500 Subject: [PATCH 153/498] Update plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js Co-authored-by: Fatima <66124862+fatima99s@users.noreply.github.com> --- plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js index 0075e45866..52b3dd8911 100644 --- a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js +++ b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js 
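Review bot: The new `recommended_action` string ends with a trailing space inside the literal (`'... digest storage. '`), which will be rendered verbatim in reports. Suggest `recommended_action: 'Configure an Azure Storage account or Azure Confidential Ledger for automatic Ledger digest storage.',`.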
@@ -52,7 +52,7 @@ module.exports = { if (ledgerDigestUploads.data[0].state.toLowerCase() == 'enabled') { helpers.addResult(results, 0, 'Automatic Ledger digest storage is enabled for SQL database', location, database.id); } else { - helpers.addResult(results, 2, 'Automatic Ledger digest storage is disabled for SQL database', location, database.id); + helpers.addResult(results, 2, 'Automatic Ledger digest storage is not enabled for SQL database', location, database.id); } } From d674dba48153c4a0b17cf089e5041e61fa51d7a0 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 16:57:52 +0500 Subject: [PATCH 154/498] Update plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js Co-authored-by: Fatima <66124862+fatima99s@users.noreply.github.com> --- plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js index bcb55e8449..c579f4a873 100644 --- a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js +++ b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js @@ -2,7 +2,7 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Private Link Enabled for SQL Databases', + title: 'SQL Databases Private Link Enabled', category: 'SQL Databases', domain: 'Databases', description: 'Ensures SQL Database sync groups use private link when SQL DB sync with others databases.', From 86dad4cd48b75bf84390b16693e32547f68a7fcb Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Mon, 4 Dec 2023 17:01:45 +0500 Subject: [PATCH 155/498] updated with recommended changes --- plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js index 637eb5a6f9..cd1f9d5c41 100644 --- a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js +++ b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js @@ -119,7 +119,7 @@ describe('enableAutomaticLedgerDigestStorage', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Automatic Ledger digest storage is disabled for SQL database'); + expect(results[0].message).to.include('Automatic Ledger digest storage is not enabled for SQL database'); expect(results[0].region).to.equal('eastus'); done(); }; From c969d2f0a614ce71989c773c459186ae19e91e48 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 17:08:50 +0500 Subject: [PATCH 156/498] Update plugins/azure/sqldatabases/dbTDEEnabled.js Co-authored-by: Fatima <66124862+fatima99s@users.noreply.github.com> --- plugins/azure/sqldatabases/dbTDEEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbTDEEnabled.js b/plugins/azure/sqldatabases/dbTDEEnabled.js index 78169d994c..adc6b639a2 100644 --- a/plugins/azure/sqldatabases/dbTDEEnabled.js +++ b/plugins/azure/sqldatabases/dbTDEEnabled.js @@ -53,7 +53,7 @@ module.exports = { } if (transparentDataEncryption.data[0].state.toLowerCase()=='enabled') { - helpers.addResult(results, 0, 'Transparent data encryption is Enabled for SQL Database', location, database.id); + helpers.addResult(results, 0, 'Transparent data encryption is enabled for SQL Database', location, database.id); } else { helpers.addResult(results, 2, 'Transparent data encryption is Disabled for SQL Database', location, database.id); } From 24aac544751b0b5186f9b7833827c3f9e3edb968 Mon Sep 17 00:00:00 2001 
From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 17:08:58 +0500 Subject: [PATCH 157/498] Update plugins/azure/sqldatabases/dbTDEEnabled.js Co-authored-by: Fatima <66124862+fatima99s@users.noreply.github.com> --- plugins/azure/sqldatabases/dbTDEEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbTDEEnabled.js b/plugins/azure/sqldatabases/dbTDEEnabled.js index adc6b639a2..0f339d6af7 100644 --- a/plugins/azure/sqldatabases/dbTDEEnabled.js +++ b/plugins/azure/sqldatabases/dbTDEEnabled.js @@ -55,7 +55,7 @@ module.exports = { if (transparentDataEncryption.data[0].state.toLowerCase()=='enabled') { helpers.addResult(results, 0, 'Transparent data encryption is enabled for SQL Database', location, database.id); } else { - helpers.addResult(results, 2, 'Transparent data encryption is Disabled for SQL Database', location, database.id); + helpers.addResult(results, 2, 'Transparent data encryption is not enabled for SQL Database', location, database.id); } }); } From d9812b1274eabf87369768fa5811f1ad957e3361 Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Mon, 4 Dec 2023 17:10:37 +0500 Subject: [PATCH 158/498] updated with recommended changes --- plugins/azure/sqldatabases/dbTDEEnabled.spec.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/sqldatabases/dbTDEEnabled.spec.js b/plugins/azure/sqldatabases/dbTDEEnabled.spec.js index 54f0409687..13a9b17c64 100644 --- a/plugins/azure/sqldatabases/dbTDEEnabled.spec.js +++ b/plugins/azure/sqldatabases/dbTDEEnabled.spec.js 
@@ -97,7 +97,7 @@ describe('enableTransparentDataEncryption', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Transparent data encryption is Enabled for SQL Database'); + expect(results[0].message).to.include('Transparent data encryption is enabled for SQL Database'); expect(results[0].region).to.equal('eastus'); done(); }; @@ -115,7 +115,7 @@ describe('enableTransparentDataEncryption', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Transparent data encryption is Disabled for SQL Database'); + expect(results[0].message).to.include('Transparent data encryption is not enabled for SQL Database'); expect(results[0].region).to.equal('eastus'); done(); }; From 1db9b89762715e610658f95841ab982c3409ee4d Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Mon, 4 Dec 2023 17:12:07 +0500 Subject: [PATCH 159/498] updated with recommended changes --- plugins/azure/sqldatabases/dbTDEEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbTDEEnabled.js b/plugins/azure/sqldatabases/dbTDEEnabled.js index 0f339d6af7..86d5b33276 100644 --- a/plugins/azure/sqldatabases/dbTDEEnabled.js +++ b/plugins/azure/sqldatabases/dbTDEEnabled.js 
@@ -6,7 +6,7 @@ module.exports = { category: 'SQL Databases', domain: 'Databases', description: 'Ensure Transparent Data Encryption (TDE) is enabled on SQL databases for enhanced security', - more_info: 'TDE helps protect sensitive data at rest by encrypting the database files.', + more_info: 'Transparent data encryption (TDE) helps protect Azure SQL Database against the threat of malicious offline activity by encrypting data at rest.', recommended_action: 'Enable TDE for SQL databases to enhance data security.', link: 'https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15', apis: ['servers:listSql','databases:listByServer','transparentDataEncryption:list'], From 6ae477296f59eaa886394ff4f757be126fe3ed01 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 17:13:02 +0500 Subject: [PATCH 160/498] Update plugins/azure/sqldatabases/dbEnableSecureEnclaves.js Co-authored-by: Fatima <66124862+fatima99s@users.noreply.github.com> --- plugins/azure/sqldatabases/dbEnableSecureEnclaves.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js b/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js index c43d7d1993..bdaaaec179 100644 --- a/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js +++ b/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js 
@@ -8,7 +8,7 @@ module.exports = { description: 'Ensure Always Encrypted with secure enclaves is enabled at the database level for enhanced data security.', more_info: 'Always Encrypted with secure enclaves allows encrypted data to be processed inside a secure enclave for improved security.', recommended_action: 'Enable Always Encrypted with secure enclaves for the SQL database to enhance data security.', - link: 'https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-enclaves-security-features?view=sql-server-ver15', + link: 'https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-enclaves?view=sql-server-ver16', apis: ['servers:listSql', 'databases:listByServer'], run: function(cache, settings, callback) { From 9b130f57f1830641ca87c25231f49548ab09612b Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 17:13:20 +0500 Subject: [PATCH 161/498] Update plugins/azure/sqldatabases/dbLedgerEnabled.js Co-authored-by: Fatima <66124862+fatima99s@users.noreply.github.com> --- plugins/azure/sqldatabases/dbLedgerEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbLedgerEnabled.js b/plugins/azure/sqldatabases/dbLedgerEnabled.js index 7c849d6f06..081c9f5d7a 100644 --- a/plugins/azure/sqldatabases/dbLedgerEnabled.js +++ b/plugins/azure/sqldatabases/dbLedgerEnabled.js 
@@ -8,7 +8,7 @@ module.exports = { description: 'Ensure Azure ledger is enabled to protect the integrity of data for SQL databases.', more_info: 'Azure ledger helps protect the integrity of data by enabling customers to use cryptographic seals on their data.', recommended_action: 'Enable Azure ledger for all future tables in the SQL database to enhance data integrity.', - link: 'https://docs.microsoft.com/en-us/azure/sql-database/sql-database-ledger-overview', + link: 'https://learn.microsoft.com/en-us/sql/relational-databases/security/ledger/ledger-overview?view=sql-server-ver16', apis: ['servers:listSql', 'databases:listByServer'], run: function(cache, settings, callback) { From db8aa0e97de500e66a539f1c6840b7a29382e729 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 17:13:29 +0500 Subject: [PATCH 162/498] Update plugins/azure/sqldatabases/dbLedgerEnabled.js Co-authored-by: Fatima <66124862+fatima99s@users.noreply.github.com> --- plugins/azure/sqldatabases/dbLedgerEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbLedgerEnabled.js b/plugins/azure/sqldatabases/dbLedgerEnabled.js index 081c9f5d7a..242ddefa65 100644 --- a/plugins/azure/sqldatabases/dbLedgerEnabled.js +++ b/plugins/azure/sqldatabases/dbLedgerEnabled.js @@ -50,7 +50,7 @@ module.exports = { if (database.isLedgerOn==true) { helpers.addResult(results, 0, 'Azure ledger is enabled for SQL database', location, database.id); } else { - helpers.addResult(results, 2, 'Azure ledger is disabled for SQL database', location, database.id); + helpers.addResult(results, 2, 'Azure ledger is not enabled for SQL database', location, database.id); } }); From 19bdf79626d6b07efacc890e78dc1f3533c5b1f4 Mon Sep 17 00:00:00 2001 
From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 17:14:43 +0500 Subject: [PATCH 163/498] Update plugins/azure/sqldatabases/dbLedgerEnabled.js Co-authored-by: Fatima <66124862+fatima99s@users.noreply.github.com> --- plugins/azure/sqldatabases/dbLedgerEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbLedgerEnabled.js b/plugins/azure/sqldatabases/dbLedgerEnabled.js index 242ddefa65..88cbf73f4d 100644 --- a/plugins/azure/sqldatabases/dbLedgerEnabled.js +++ b/plugins/azure/sqldatabases/dbLedgerEnabled.js @@ -47,7 +47,7 @@ module.exports = { // Loop through databases databases.data.forEach(database=> { - if (database.isLedgerOn==true) { + if (database.isLedgerOn == true) { helpers.addResult(results, 0, 'Azure ledger is enabled for SQL database', location, database.id); } else { helpers.addResult(results, 2, 'Azure ledger is not enabled for SQL database', location, database.id); From 2cf228b3a84eacf826479473790c33c691844ca5 Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Mon, 4 Dec 2023 17:15:13 +0500 Subject: [PATCH 164/498] updated with recommended changes --- plugins/azure/sqldatabases/dbLedgerEnabled.spec.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbLedgerEnabled.spec.js b/plugins/azure/sqldatabases/dbLedgerEnabled.spec.js index 2a54d6fdf1..1a09922984 100644 --- a/plugins/azure/sqldatabases/dbLedgerEnabled.spec.js +++ b/plugins/azure/sqldatabases/dbLedgerEnabled.spec.js @@ -98,7 +98,7 @@ describe('enableAzureLedger', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Azure ledger is disabled for SQL database'); + expect(results[0].message).to.include('Azure ledger is not enabled for SQL database'); expect(results[0].region).to.equal('eastus'); done(); }; 
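Review bot: `database.isLedgerOn == true` uses loose equality, which the spacing change in this hunk does not address; it also matches `1` and `'1'`, and is noisier than the plain truthiness test used in the `securityProfile` checks elsewhere in this series. Suggest `if (database.isLedgerOn) {` or, if only a literal boolean should pass, `if (database.isLedgerOn === true) {`. The enclosing forEach and `run` callback start and end outside the hunk.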
From e320a98b94ab4a96f8026f61c47dc241ae2aef38 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 17:30:36 +0500 Subject: [PATCH 165/498] Update plugins/azure/virtualmachines/vmDiskDeleteConfig.js Co-authored-by: Fatima <66124862+fatima99s@users.noreply.github.com> --- plugins/azure/virtualmachines/vmDiskDeleteConfig.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmDiskDeleteConfig.js b/plugins/azure/virtualmachines/vmDiskDeleteConfig.js index 720e4ec033..7c7ede030f 100644 --- a/plugins/azure/virtualmachines/vmDiskDeleteConfig.js +++ b/plugins/azure/virtualmachines/vmDiskDeleteConfig.js @@ -2,7 +2,7 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Azure VM"s Automatic Disks Delete Enabled', + title: 'Azure VM Automatic Disks Delete Enabled', category: 'Virtual Machines', domain: 'Compute', description: 'Ensure the option to automatically delete disks is enabled when the associated VM is terminated to ensure all confidential information is wiped.', From 916abd3bb3ebb8a04ec6bc939ac3873b1b5c1d13 Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Mon, 4 Dec 2023 17:32:39 +0500 Subject: [PATCH 166/498] updated with recommended changes --- plugins/azure/virtualmachines/vmDiskDeleteConfig.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmDiskDeleteConfig.js b/plugins/azure/virtualmachines/vmDiskDeleteConfig.js index 7c7ede030f..5f11135d9b 100644 --- a/plugins/azure/virtualmachines/vmDiskDeleteConfig.js +++ b/plugins/azure/virtualmachines/vmDiskDeleteConfig.js 
@@ -8,7 +8,7 @@ module.exports = { description: 'Ensure the option to automatically delete disks is enabled when the associated VM is terminated to ensure all confidential information is wiped.', more_info: 'Disks persist independently from VMs. Enabling this option ensures that all disks associated with a VM are deleted automatically when the VM is terminated, enhancing security.', recommended_action: 'Configure VMs to automatically delete disks when the VM is terminated to enhance security and prevent lingering confidential information.', - link: 'https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/disk-delete', + link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/delete?tabs=portal2%2Ccli3%2Cportal4%2Cportal5', apis: ['virtualMachines:listAll'], run: function(cache, settings, callback) { From c1b92ab431a4e229830facf2554dc54aab11c0a3 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 17:33:18 +0500 Subject: [PATCH 167/498] Update plugins/azure/virtualmachines/vmSecureBootEnabled.js Co-authored-by: Fatima <66124862+fatima99s@users.noreply.github.com> --- plugins/azure/virtualmachines/vmSecureBootEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmSecureBootEnabled.js b/plugins/azure/virtualmachines/vmSecureBootEnabled.js index 7ca7b01a44..f2a0cf1a39 100644 --- a/plugins/azure/virtualmachines/vmSecureBootEnabled.js +++ b/plugins/azure/virtualmachines/vmSecureBootEnabled.js 
@@ -8,7 +8,7 @@ module.exports = { description: 'Ensure Secure Boot is enabled for Azure virtual machines (VM) to protect against boot kits, rootkits, and kernel-level malware.', more_info: 'Secure Boot helps protect VMs by ensuring that only signed and trusted components are allowed to execute during the boot process.', recommended_action: 'Enable Secure Boot for Azure virtual machines to enhance security and protect against advanced threats during the boot process.', - link: 'https://docs.microsoft.com/en-us/azure/virtual-machines/security-secure-boot', + link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-portal?tabs=portal%2Cportal3%2Cportal2, apis: ['virtualMachines:listAll'], run: function(cache, settings, callback) { From 8b4570aae6c6dc8e03ca4084f258ba47d43ff1d4 Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Mon, 4 Dec 2023 17:34:05 +0500 Subject: [PATCH 168/498] updated with recommended changes --- plugins/azure/virtualmachines/vmVTPMEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmVTPMEnabled.js b/plugins/azure/virtualmachines/vmVTPMEnabled.js index 212ae0af90..4f15a70453 100644 --- a/plugins/azure/virtualmachines/vmVTPMEnabled.js +++ b/plugins/azure/virtualmachines/vmVTPMEnabled.js 
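Review bot: The new `link` value is missing its closing quote — `'https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-portal?tabs=portal%2Cportal3%2Cportal2,` opens a string literal that never ends, so vmSecureBootEnabled.js will not parse, and since exports.js requires every plugin file at load time this presumably breaks loading of the whole plugin index. The line should read `link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-portal?tabs=portal%2Cportal3%2Cportal2',`. The `module.exports` object starts and ends outside the hunk.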
@@ -8,7 +8,7 @@ module.exports = { description: 'Ensure Virtual Trusted Platform Module (vTPM) is enabled for Azure virtual machines (VM) to validate boot integrity, securely store keys and secrets, and support advanced threat detection.', more_info: 'vTPM is TPM2.0 compliant and enhances security by validating VM boot integrity and providing a secure storage mechanism for keys and secrets.', recommended_action: 'Enable vTPM for Azure virtual machines to leverage advanced security features and support Guest Attestation in Azure Security Center.', - link: 'https://docs.microsoft.com/en-us/azure/security/azure-security-vm-tpm', + link: 'https://learn.microsoft.com/en-us/azure/confidential-computing/virtual-tpms-in-azure-confidential-vm', apis: ['virtualMachines:listAll'], run: function(cache, settings, callback) { From b6c76e203234dcb97fe5935eb653a8c9838f2179 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 17:35:50 +0500 Subject: [PATCH 169/498] Update vmSecurityType.js --- plugins/azure/virtualmachines/vmSecurityType.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmSecurityType.js b/plugins/azure/virtualmachines/vmSecurityType.js index 2414e0a885..84bfd6e84f 100644 --- a/plugins/azure/virtualmachines/vmSecurityType.js +++ b/plugins/azure/virtualmachines/vmSecurityType.js 
@@ -8,7 +8,7 @@ module.exports = { description: 'Ensure Trusted Launch is selected for Azure virtual machines (VM) to enhance security against advanced and persistent attack techniques.', more_info: 'Trusted Launch provides additional security features on Gen 2 virtual machines, offering defense against sophisticated threats.', recommended_action: 'Enable Trusted Launch for Azure virtual machines to leverage coordinated infrastructure technologies for enhanced security.', - link: 'https://docs.microsoft.com/en-us/azure/security/benchmark/azure-benchmark', + link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-portal?tabs=portal%2Cportal3%2Cportal2', apis: ['virtualMachines:listAll'], run: function(cache, settings, callback) { From b79aeacc0b93f73260a4cf0e791b0cd45d4a45c6 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 17:37:09 +0500 Subject: [PATCH 170/498] Update vmSecureBootEnabled.js --- plugins/azure/virtualmachines/vmSecureBootEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmSecureBootEnabled.js b/plugins/azure/virtualmachines/vmSecureBootEnabled.js index f2a0cf1a39..781bfa377b 100644 --- a/plugins/azure/virtualmachines/vmSecureBootEnabled.js +++ b/plugins/azure/virtualmachines/vmSecureBootEnabled.js 
@@ -8,7 +8,7 @@ module.exports = { description: 'Ensure Secure Boot is enabled for Azure virtual machines (VM) to protect against boot kits, rootkits, and kernel-level malware.', more_info: 'Secure Boot helps protect VMs by ensuring that only signed and trusted components are allowed to execute during the boot process.', recommended_action: 'Enable Secure Boot for Azure virtual machines to enhance security and protect against advanced threats during the boot process.', - link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-portal?tabs=portal%2Cportal3%2Cportal2, + link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-portal?tabs=portal%2Cportal3%2Cportal2', apis: ['virtualMachines:listAll'], run: function(cache, settings, callback) { From 495dc604a32058cd9d6400b310696c3e25f612ef Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 17:38:36 +0500 Subject: [PATCH 171/498] Update auditMicrosoftOperationsEnabled.js --- plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.js b/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.js index 75e0d9a929..730901e390 100644 --- a/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.js +++ b/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.js 
@@ -8,7 +8,7 @@ module.exports = { description: 'Ensure auditing of Microsoft support operations is enabled on SQL server.', more_info: 'Enabling this option captures Microsoft support engineers (DevOps) operations for enhanced monitoring and troubleshooting.', recommended_action: 'Enable the option to capture Microsoft support operations and write them to a selected Storage account, Log Analytics workspace, or Event Hub.', - link: 'https://docs.microsoft.com/en-us/azure/azure-sql/database/security-overview-auditing?tabs=azure-powershell#configure-azure-sql-auditing', + link: 'https://learn.microsoft.com/en-us/azure/azure-sql/database/auditing-microsoft-support-operations?view=azuresql', apis: ['servers:listSql', 'devOpsAuditingSettings:list'], run: function(cache, settings, callback) { var results = []; From e43c6bb2a09707aaf945c0c7ed06c97348b99088 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 17:40:53 +0500 Subject: [PATCH 172/498] Update restrictOutboundNetworking.js --- plugins/azure/sqlserver/restrictOutboundNetworking.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqlserver/restrictOutboundNetworking.js b/plugins/azure/sqlserver/restrictOutboundNetworking.js index ea7630a3b3..92107eb3b5 100644 --- a/plugins/azure/sqlserver/restrictOutboundNetworking.js +++ b/plugins/azure/sqlserver/restrictOutboundNetworking.js 
@@ -8,7 +8,7 @@ module.exports = { description: 'Ensure outbound networking restrictions are configured for the Azure SQL logical server.', more_info: 'Outbound firewall rules limit network traffic from the Azure SQL logical server to a customer-defined list of Azure Storage accounts and Azure SQL logical servers.', recommended_action: 'Configure outbound networking restrictions to allow access only to specified Azure Storage accounts and Azure SQL logical servers.', - link: 'https://docs.microsoft.com/en-us/azure/azure-sql/database/firewall-configure#configure-outbound-networking-restrictions', + link: 'https://learn.microsoft.com/en-us/azure/azure-sql/database/outbound-firewall-rule-overview?view=azuresql', apis: ['servers:listSql'], run: function(cache, settings, callback) { From e2fb0c4273b6024a43a06fa30640f844ee7bb2be Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Mon, 4 Dec 2023 18:07:46 +0500 Subject: [PATCH 173/498] tls version --- .../azure/applicationGateway/agSslPolicy.js | 30 +++++++++++++++--- .../applicationGateway/agSslPolicy.spec.js | 31 ++++++++++++++++--- 2 files changed, 52 insertions(+), 9 deletions(-) diff --git a/plugins/azure/applicationGateway/agSslPolicy.js b/plugins/azure/applicationGateway/agSslPolicy.js index 414114c7d1..be43b665db 100644 --- a/plugins/azure/applicationGateway/agSslPolicy.js +++ b/plugins/azure/applicationGateway/agSslPolicy.js 
@@ -36,12 +36,32 @@ module.exports = { for (let appGateway of appGateways.data) { if (!appGateway.id) continue; - const sslPolicy = appGateway.sslPolicy? appGateway.sslPolicy : ''; - if (sslPolicy.policyType && ((sslPolicy.policyType == 'Predefined' && sslPolicy.policyName && recommendedSSLPolicies.indexOf(sslPolicy.policyName) > -1) || - (sslPolicy.policyType == 'Custom' && sslPolicy.minProtocolVersion && sslPolicy.minProtocolVersion.toLowerCase() == 'tlsv1_2'))) { - helpers.addResult(results, 0, 'Application Gateway is using SSL policy which supports TLSV1_2', location, appGateway.id); + var found = false; + if (appGateway.sslPolicy && appGateway.sslPolicy.policyType) { + const sslPolicy = appGateway.sslPolicy; + if (sslPolicy.policyType == 'Predefined' && sslPolicy.policyName && recommendedSSLPolicies.indexOf(sslPolicy.policyName) > -1) { + found = true; + } else if ((sslPolicy.policyType == 'Custom' || sslPolicy.policyType == 'CustomV2') && sslPolicy.minProtocolVersion) { + // Check for protocol version if it matches the regex TLSV1.2 and then split on letter v + var regexMatched = /^(tls)(v(\d+)_(\d+))$/i.test(sslPolicy.minProtocolVersion)? 
sslPolicy.minProtocolVersion.replace('_', '.').split(/v/i): '' + if (regexMatched){ + var tlsVersion = parseFloat(regexMatched[1]); + if (tlsVersion >= 1.2){ + found = true; + } + } else { + helpers.addResult(results, 2, 'Application Gateway TLS version cannot be parsed', location, appGateway.id); + break; + } + } + + if (found){ + helpers.addResult(results, 0, 'Application Gateway is using SSL policy which supports latest TLS version', location, appGateway.id); + } else { + helpers.addResult(results, 2, 'Application Gateway is using SSL policy which does not support latest TLS version', location, appGateway.id); + } } else { - helpers.addResult(results, 2, 'Application Gateway is using SSL policy which does not support TLSV1_2', location, appGateway.id); + helpers.addResult(results, 2, 'Application Gateway is using SSL policy which does not support latest TLS version', location, appGateway.id); } } diff --git a/plugins/azure/applicationGateway/agSslPolicy.spec.js b/plugins/azure/applicationGateway/agSslPolicy.spec.js index 61573f310b..25070ccd8b 100644 --- a/plugins/azure/applicationGateway/agSslPolicy.spec.js +++ b/plugins/azure/applicationGateway/agSslPolicy.spec.js @@ -36,7 +36,19 @@ const appGateway = [ "location": "eastus", "sslPolicy": { "policyType": "Custom", - "minProtocolVersion": "TLSV1_2" + "minProtocolVersion": "TLSV1_3" + }, + }, + { "sku": { + "tier": "WAF_v2" + }, + "name": 'test-gateway', + "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Network/applicationGateways/test-gateway",', + "type": "Microsoft.Network/applicationGateways", + "location": "eastus", + "sslPolicy": { + "policyType": "Custom", + "minProtocolVersion": "TLSV13" }, } ]; 
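Review bot: The `break;` in the "TLS version cannot be parsed" branch exits the enclosing `for (let appGateway of appGateways.data)` loop, so every gateway after the first unparseable one in that region gets no result at all — a silent coverage gap in the audit rather than a per-resource finding. It should be `continue;` so the remaining gateways are still evaluated; the spec only exercises a single gateway per cache, which is why the test does not catch it. A smaller point: `parseFloat(regexMatched[1])` compares versions as floats, which works for the 1.0–1.3 values in use but would misorder a hypothetical `TLSv1_10`; comparing major/minor as integers from the regex captures would be more robust. The enclosing `run` function starts and ends outside the hunk.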
@@ -81,7 +93,7 @@ describe('agSslPolicy', function() { agSslPolicy.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('SSL policy which does not support TLSV1_2'); + expect(results[0].message).to.include('SSL policy which does not support latest TLS version'); expect(results[0].region).to.equal('eastus'); done(); }); @@ -103,7 +115,7 @@ describe('agSslPolicy', function() { agSslPolicy.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('SSL policy which supports TLSV1_2'); + expect(results[0].message).to.include('SSL policy which supports latest TLS version'); expect(results[0].region).to.equal('eastus'); done(); }); @@ -114,7 +126,18 @@ describe('agSslPolicy', function() { agSslPolicy.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('SSL policy which supports TLSV1_2'); + expect(results[0].message).to.include('SSL policy which supports latest TLS version'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if Application Gateway is using tls version which cannot be parsed', function(done) { + const cache = createCache([appGateway[3]]); + agSslPolicy.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Application Gateway TLS version cannot be parsed'); expect(results[0].region).to.equal('eastus'); done(); }); From 075e455f9943b4d87e8770777770f04d117c5d5a Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Mon, 4 Dec 2023 18:10:17 +0500 Subject: [PATCH 174/498] linting --- plugins/azure/applicationGateway/agSslPolicy.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/plugins/azure/applicationGateway/agSslPolicy.js b/plugins/azure/applicationGateway/agSslPolicy.js index be43b665db..9b68012f72 100644 --- a/plugins/azure/applicationGateway/agSslPolicy.js +++ b/plugins/azure/applicationGateway/agSslPolicy.js @@ -38,12 +38,12 @@ module.exports = { var found = false; if (appGateway.sslPolicy && appGateway.sslPolicy.policyType) { - const sslPolicy = appGateway.sslPolicy; + const sslPolicy = appGateway.sslPolicy; if (sslPolicy.policyType == 'Predefined' && sslPolicy.policyName && recommendedSSLPolicies.indexOf(sslPolicy.policyName) > -1) { found = true; } else if ((sslPolicy.policyType == 'Custom' || sslPolicy.policyType == 'CustomV2') && sslPolicy.minProtocolVersion) { // Check for protocol version if it matches the regex TLSV1.2 and then split on letter v - var regexMatched = /^(tls)(v(\d+)_(\d+))$/i.test(sslPolicy.minProtocolVersion)? sslPolicy.minProtocolVersion.replace('_', '.').split(/v/i): '' + var regexMatched = /^(tls)(v(\d+)_(\d+))$/i.test(sslPolicy.minProtocolVersion)? sslPolicy.minProtocolVersion.replace('_', '.').split(/v/i): ''; if (regexMatched){ var tlsVersion = parseFloat(regexMatched[1]); if (tlsVersion >= 1.2){ From 1bbd00dc252d3461871280ff0c13be0dd99a8f90 Mon Sep 17 00:00:00 2001 From: mehakseedat63 Date: Wed, 29 Nov 2023 11:24:46 +0500 Subject: [PATCH 175/498] Azure - PostgreSQL Diagnostic Logging Enabled Plugin --- exports.js | 1 + helpers/azure/api.js | 6 +- .../diagnosticLoggingEnabled.js | 63 +++++++++ .../diagnosticLoggingEnabled.spec.js | 124 ++++++++++++++++++ 4 files changed, 193 insertions(+), 1 deletion(-) create mode 100644 plugins/azure/postgresqlserver/diagnosticLoggingEnabled.js create mode 100644 plugins/azure/postgresqlserver/diagnosticLoggingEnabled.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..457b0c784c 100644 --- a/exports.js +++ b/exports.js 
@@ -816,6 +816,7 @@ module.exports = { 'postgresqlServerHasTags' : require(__dirname + '/plugins/azure/postgresqlserver/postgresqlServerHasTags.js'), 'postgresqlInfraDoubleEncryption': require(__dirname + '/plugins/azure/postgresqlserver/postgresqlInfraDoubleEncryption.js'), 'azureServicesAccessDisabled' : require(__dirname + '/plugins/azure/postgresqlserver/azureServicesAccessDisabled.js'), + 'diagnosticLoggingEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/diagnosticLoggingEnabled.js'), 'openOracleAutoDataWarehouse' : require(__dirname + '/plugins/azure/networksecuritygroups/openOracleAutoDataWarehouse.js'), 'networkWatcherEnabled' : require(__dirname + '/plugins/azure/networksecuritygroups/networkWatcherEnabled.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 0c44596e9d..c2f8d97e90 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -956,8 +956,12 @@ var tertiarycalls = { reliesOnPath: 'registries.list', properties: ['id'], url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview' + }, + listByPostgresServers: { + reliesOnPath: 'servers.listPostgres', + properties: ['id'], + url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview' } - }, backupShortTermRetentionPolicies: { listByDatabase: { diff --git a/plugins/azure/postgresqlserver/diagnosticLoggingEnabled.js b/plugins/azure/postgresqlserver/diagnosticLoggingEnabled.js new file mode 100644 index 0000000000..19b0389966 --- /dev/null +++ b/plugins/azure/postgresqlserver/diagnosticLoggingEnabled.js 
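Review bot: In the helpers/azure/api.js hunk the `- },` line is deleted after the new `listByPostgresServers` entry, and as rendered here the added `}` is followed directly by the context line `backupShortTermRetentionPolicies: {` — if that `},` was the one closing the `diagnosticSettings` object, the file no longer parses (missing closing brace and separating comma). This listing has collapsed line breaks, so a lost context line is possible; please confirm the brace balance, e.g. by loading the module with `node -e "require('./helpers/azure/api.js')"`. The `tertiarycalls` object starts and ends outside the hunk.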
@@ -0,0 +1,63 @@ +const async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'PostgreSQL Diagnostic Logging Enabled', + category: 'PostgreSQL Server', + domain: 'Databases', + description: 'Ensures diagnostic logging is enabled for PostgreSQL servers.', + more_info: 'Enabling diagnostic logging for Azure Database for PostgreSQL servers helps with performance monitoring, troubleshooting, and security optimization.', + recommended_action: 'Enable diagnostic logging for all PostgreSQL servers.', + link: 'https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-server-logs', + apis: ['servers:listPostgres', 'diagnosticSettings:listByPostgresServers'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.servers, (location, rcb) => { + + const servers = helpers.addSource(cache, source, + ['servers', 'listPostgres', location]); + + if (!servers) return rcb(); + + if (servers.err || !servers.data) { + helpers.addResult(results, 3, + 'Unable to query for PostgreSQL Servers: ' + helpers.addError(servers), location); + return rcb(); + } + + if (!servers.data.length) { + helpers.addResult(results, 0, 'No existing PostgreSQL Servers found', location); + return rcb(); + } + + for (let server of servers.data) { + if (!server.id) continue; + + var diagnosticSettings = helpers.addSource(cache, source, + ['diagnosticSettings', 'listByPostgresServers', location, server.id]); + + if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) { + helpers.addResult(results, 3, `Unable to query for PostgreSQL Server diagnostic settings: ${helpers.addError(diagnosticSettings)}`, + location, server.id); + continue; + } + + var found = diagnosticSettings.data.find(ds => ds.logs && ds.logs.length); + + if (found) { + helpers.addResult(results, 0, 'PostgreSQL Server has diagnostic logs 
enabled', location, server.id); + } else { + helpers.addResult(results, 2, 'PostgreSQL Server does not have diagnostic logs enabled', location, server.id); + } + } + + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; diff --git a/plugins/azure/postgresqlserver/diagnosticLoggingEnabled.spec.js b/plugins/azure/postgresqlserver/diagnosticLoggingEnabled.spec.js new file mode 100644 index 0000000000..6f2229a307 --- /dev/null +++ b/plugins/azure/postgresqlserver/diagnosticLoggingEnabled.spec.js 
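Review bot: `diagnosticSettings.data.find(ds => ds.logs && ds.logs.length)` passes a server as soon as any diagnostic setting has a non-empty `logs` array, even when every entry in it has `enabled: false` — the spec fixture in this same commit shows exactly that shape for the `audit` category, so a setting with all categories switched off would still be reported as logging enabled. Checking the enabled flag closes the gap: `var found = diagnosticSettings.data.find(ds => ds.logs && ds.logs.some(log => log.enabled));`. The same check appears in plugins/azure/servicebus/namespaceLoggingEnabled.js (PATCH 176) and should be fixed there too. It would also help to say in `more_info` whether an enabled category with no destination counts as "enabled" for this plugin, since the check never looks at `workspaceId`/`storageAccountId`.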
@@ -0,0 +1,124 @@ +var expect = require('chai').expect; +var diagnosticLoggingEnabled = require('./diagnosticLoggingEnabled'); + +const servers = [ + { + "id": "/subscriptions/jk34n234k-dwef/resourceGroups/test-rg/providers/Microsoft.DBforPostgreSQL/servers/test-server", + }, +]; + + +const diagnosticSettings = [ + { + id: '/subscriptions/234/myrg/providers/Microsoft.DBforPostgreSQL/servers/test/providers/microsoft.insights/diagnosticSettings/test-setting', + type: 'Microsoft.Insights/diagnosticSettings', + name: 'server-setting', + location: 'eastus', + kind: null, + tags: null, + eventHubName: null, + metrics: [], + logs: [ + { + "category": null, + "categoryGroup": "allLogs", + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + }, + { + "category": null, + "categoryGroup": "audit", + "enabled": false, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + logAnalyticsDestinationType: null + } +]; + +const createCache = (servers, ds) => { + const id = servers && servers.length ? 
servers[0].id : null; + return { + servers: { + listPostgres: { + 'eastus': { + data: servers + } + } + }, + diagnosticSettings: { + listByPostgresServers: { + 'eastus': { + [id]: { + data: ds + } + } + } + + }, + }; +}; + +describe('diagnosticLoggingEnabled', function() { + describe('run', function() { + it('should give a passing result if no PostgreSQL Servers are found', function (done) { + const cache = createCache([], null); + diagnosticLoggingEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing PostgreSQL Servers found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for PostgreSQL Servers', function (done) { + const cache = createCache(null, ['error']); + diagnosticLoggingEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for PostgreSQL Servers'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + it('should give unknown result if unable to query for diagnostic settings', function(done) { + const cache = createCache([servers[0]], null); + diagnosticLoggingEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for PostgreSQL Server diagnostic settings'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if diagnostic logs enabled', function(done) { + const cache = createCache([servers[0]], [diagnosticSettings[0]]); + diagnosticLoggingEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('PostgreSQL Server has diagnostic logs enabled'); 
+ expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if diagnostic logs not enabled', function(done) { + const cache = createCache([servers[0]], [[]]); + diagnosticLoggingEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('PostgreSQL Server does not have diagnostic logs enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); From 9580a123d215999c415a51152b8e70498c05d0ae Mon Sep 17 00:00:00 2001 From: mehakseedat63 Date: Wed, 29 Nov 2023 10:57:26 +0500 Subject: [PATCH 176/498] Azure - Service Bus Namespace Logging Enabled Plugin --- exports.js | 5 +- .../servicebus/namespaceLoggingEnabled.js | 61 ++++++++ .../namespaceLoggingEnabled.spec.js | 133 ++++++++++++++++++ 3 files changed, 198 insertions(+), 1 deletion(-) create mode 100644 plugins/azure/servicebus/namespaceLoggingEnabled.js create mode 100644 plugins/azure/servicebus/namespaceLoggingEnabled.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..5637a77919 100644 --- a/exports.js +++ b/exports.js @@ -989,7 +989,10 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + + 'namespaceLoggingEnabled' : require(__dirname + '/plugins/azure/servicebus/namespaceLoggingEnabled.js'), + }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), 
diff --git a/plugins/azure/servicebus/namespaceLoggingEnabled.js b/plugins/azure/servicebus/namespaceLoggingEnabled.js new file mode 100644 index 0000000000..165cf3ede3 --- /dev/null +++ b/plugins/azure/servicebus/namespaceLoggingEnabled.js 
@@ -0,0 +1,61 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Namespace Logging Enabled', + category: 'Service Bus', + domain: 'Application Integration', + description: 'Ensure that Azure Service Bus namespaces have diagnostic logs enabled.', + more_info: 'Diagnostic logs provide valuable insights into the operation and health of Service Bus namespaces. By enabling diagnostic logs, you can enhance visibility, easily monitor and troubleshoot and optimize messaging performance.', + link: 'https://learn.microsoft.com/en-us/azure/service-bus-messaging/monitor-service-bus-reference', + recommended_action: 'Modify the namespace settings and enable diagnostic logs.', + apis: ['serviceBus:listNamespacesBySubscription', 'diagnosticSettings:listByServiceBusNamespaces'], + + run: function(cache, settings, callback) { + var results = []; + var source = {}; + var locations = helpers.locations(settings.govcloud); + + async.each(locations.serviceBus, function(location, rcb) { + const namespaces = helpers.addSource(cache, source, + ['serviceBus', 'listNamespacesBySubscription', location]); + + if (!namespaces) return rcb(); + + + if (namespaces.err || !namespaces.data) { + helpers.addResult(results, 3, 'Unable to query Service Bus namespaces: ' + helpers.addError(namespaces), location); + return rcb(); + } + + if (!namespaces.data.length) { + helpers.addResult(results, 0, 'No Service Bus namespaces found', location); + return rcb(); + } + for (let namespace of namespaces.data) { + if (!namespace.id) continue; + + var diagnosticSettings = helpers.addSource(cache, source, + ['diagnosticSettings', 'listByServiceBusNamespaces', location, namespace.id]); + + if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) { + helpers.addResult(results, 3, `Unable to query for namespace diagnostic settings: ${helpers.addError(diagnosticSettings)}`, + location, namespace.id); + continue; + } + + var found = 
diagnosticSettings.data.find(ds => ds.logs && ds.logs.length); + + if (found) { + helpers.addResult(results, 0, 'Service Bus namespace has diagnostic logs enabled', location, namespace.id); + } else { + helpers.addResult(results, 2, 'Service Bus namespace does not have diagnostic logs enabled', location, namespace.id); + } + } + + rcb(); + }, function(){ + callback(null, results, source); + }); + } +}; diff --git a/plugins/azure/servicebus/namespaceLoggingEnabled.spec.js b/plugins/azure/servicebus/namespaceLoggingEnabled.spec.js new file mode 100644 index 0000000000..84427ef110 --- /dev/null +++ b/plugins/azure/servicebus/namespaceLoggingEnabled.spec.js 
@@ -0,0 +1,133 @@ +var expect = require('chai').expect; +var namespaceLoggingEnabled = require('./namespaceLoggingEnabled'); + +const namespaces = [ + { + sku: { name: 'Premium', tier: 'Premium', capacity: 1 }, + id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test', + name: 'test', + type: 'Microsoft.ServiceBus/Namespaces', + location: 'East US', + publicNetworkAccess: 'Enabled', + disableLocalAuth: false, + provisioningState: 'Succeeded', + status: 'Active' + }, + + +]; + +const diagnosticSettings = [ + { + id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test/providers/microsoft.insights/diagnosticSettings/gio-test-setting', + type: 'Microsoft.Insights/diagnosticSettings', + name: 'servicebus-setting', + location: 'eastus', + kind: null, + tags: null, + eventHubName: null, + metrics: [], + logs: [ + { + "category": null, + "categoryGroup": "allLogs", + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + }, + { + "category": null, + "categoryGroup": "audit", + "enabled": false, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + logAnalyticsDestinationType: null + } +]; + +const createCache = (namespaces, ds) => { + const id = namespaces && namespaces.length ? 
namespaces[0].id : null; + return { + serviceBus: { + listNamespacesBySubscription: { + 'eastus': { + data: namespaces + } + } + }, + diagnosticSettings: { + listByServiceBusNamespaces: { + 'eastus': { + [id]: { + data: ds + } + } + } + + }, + }; +}; + +describe('namespaceLoggingEnabled', function() { + describe('run', function() { + it('should give a passing result if no Service Bus namespaces are found', function (done) { + const cache = createCache([], null); + namespaceLoggingEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No Service Bus namespaces found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for Service Bus namespaces', function (done) { + const cache = createCache(null, ['error']); + namespaceLoggingEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Service Bus namespaces'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + it('should give unknown result if unable to query for diagnostic settings', function(done) { + const cache = createCache([namespaces[0]], null); + namespaceLoggingEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for namespace diagnostic settings'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if diagnostic logs enabled', function(done) { + const cache = createCache([namespaces[0]], [diagnosticSettings[0]]); + namespaceLoggingEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Service Bus namespace 
has diagnostic logs enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if diagnostic logs not enabled', function(done) { + const cache = createCache([namespaces[0]], [[]]); + namespaceLoggingEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Service Bus namespace does not have diagnostic logs enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); From ea160d39636b573037f53a708c92e41bce5d3457 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 20:45:41 +0500 Subject: [PATCH 177/498] Update plugins/azure/virtualmachines/vmSecureBootEnabled.js Co-authored-by: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> --- plugins/azure/virtualmachines/vmSecureBootEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmSecureBootEnabled.js b/plugins/azure/virtualmachines/vmSecureBootEnabled.js index 781bfa377b..df175b8430 100644 --- a/plugins/azure/virtualmachines/vmSecureBootEnabled.js +++ b/plugins/azure/virtualmachines/vmSecureBootEnabled.js @@ -2,7 +2,7 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Azure VMs Secure Boot Enabled', + title: 'VM Secure Boot Enabled', category: 'Virtual Machines', domain: 'Compute', description: 'Ensure Secure Boot is enabled for Azure virtual machines (VM) to protect against boot kits, rootkits, and kernel-level malware.', From 5e69dda47986039e860db72d45a62f45d861c2d1 Mon Sep 17 00:00:00 2001 
From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 20:46:06 +0500 Subject: [PATCH 178/498] Update plugins/azure/virtualmachines/vmSecureBootEnabled.js Co-authored-by: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> --- plugins/azure/virtualmachines/vmSecureBootEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmSecureBootEnabled.js b/plugins/azure/virtualmachines/vmSecureBootEnabled.js index df175b8430..c2754115f7 100644 --- a/plugins/azure/virtualmachines/vmSecureBootEnabled.js +++ b/plugins/azure/virtualmachines/vmSecureBootEnabled.js @@ -5,7 +5,7 @@ module.exports = { title: 'VM Secure Boot Enabled', category: 'Virtual Machines', domain: 'Compute', - description: 'Ensure Secure Boot is enabled for Azure virtual machines (VM) to protect against boot kits, rootkits, and kernel-level malware.', + description: 'Ensure Secure Boot is enabled for Azure virtual machines (VM).', more_info: 'Secure Boot helps protect VMs by ensuring that only signed and trusted components are allowed to execute during the boot process.', recommended_action: 'Enable Secure Boot for Azure virtual machines to enhance security and protect against advanced threats during the boot process.', link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-portal?tabs=portal%2Cportal3%2Cportal2', From bf4cfe0a7932dd72dbb27857fa0d9f2dc9d7fe96 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 20:46:36 +0500 Subject: [PATCH 179/498] Update plugins/azure/virtualmachines/vmSecureBootEnabled.js Co-authored-by: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> --- plugins/azure/virtualmachines/vmSecureBootEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/plugins/azure/virtualmachines/vmSecureBootEnabled.js b/plugins/azure/virtualmachines/vmSecureBootEnabled.js index c2754115f7..3e8896efff 100644 --- a/plugins/azure/virtualmachines/vmSecureBootEnabled.js +++ b/plugins/azure/virtualmachines/vmSecureBootEnabled.js @@ -7,7 +7,7 @@ module.exports = { domain: 'Compute', description: 'Ensure Secure Boot is enabled for Azure virtual machines (VM).', more_info: 'Secure Boot helps protect VMs by ensuring that only signed and trusted components are allowed to execute during the boot process.', - recommended_action: 'Enable Secure Boot for Azure virtual machines to enhance security and protect against advanced threats during the boot process.', + recommended_action: 'Enable Secure Boot for Azure virtual machines.', link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-portal?tabs=portal%2Cportal3%2Cportal2', apis: ['virtualMachines:listAll'], From 4524aa8ad53ab48575609328ab697f2713af4704 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 20:47:07 +0500 Subject: [PATCH 180/498] Update plugins/azure/virtualmachines/vmSecureBootEnabled.js Co-authored-by: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> --- plugins/azure/virtualmachines/vmSecureBootEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmSecureBootEnabled.js b/plugins/azure/virtualmachines/vmSecureBootEnabled.js index 3e8896efff..a7c89677f5 100644 --- a/plugins/azure/virtualmachines/vmSecureBootEnabled.js +++ b/plugins/azure/virtualmachines/vmSecureBootEnabled.js 
@@ -23,7 +23,7 @@ module.exports = { if (!virtualMachines) return rcb(); if (virtualMachines.err || !virtualMachines.data) { - helpers.addResult(results, 3, 'Unable to query for virtual machines: ' + helpers.addError(virtualMachines), location); + helpers.addResult(results, 3, 'Unable to query for Virtual Machines: ' + helpers.addError(virtualMachines), location); return rcb(); } From a88474a7cea465956ce8aea4b05a3041065222d8 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 20:47:43 +0500 Subject: [PATCH 181/498] Update plugins/azure/virtualmachines/vmSecureBootEnabled.js Co-authored-by: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> --- plugins/azure/virtualmachines/vmSecureBootEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmSecureBootEnabled.js b/plugins/azure/virtualmachines/vmSecureBootEnabled.js index a7c89677f5..3d2c17a7f2 100644 --- a/plugins/azure/virtualmachines/vmSecureBootEnabled.js +++ b/plugins/azure/virtualmachines/vmSecureBootEnabled.js @@ -33,7 +33,7 @@ module.exports = { } virtualMachines.data.forEach(virtualMachine => { - if (virtualMachine.securityProfile && virtualMachine.securityProfile.uefiSettings.secureBootEnabled) { + if (virtualMachine.securityProfile && virtualMachine.securityProfile.uefiSettings && virtualMachine.securityProfile.uefiSettings.secureBootEnabled) { helpers.addResult(results, 0, 'Secure Boot is enabled for Azure Virtual Machine', location, virtualMachine.id); } else { helpers.addResult(results, 2, 'Secure Boot is not enabled for Azure Virtual Machine', location, virtualMachine.id); From e07895d488fd4793329284acad3336f11bec5042 Mon Sep 17 00:00:00 2001 
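Review bot: The added `uefiSettings` guard in the `@@ -33,7 +33,7 @@` hunk stops the TypeError, but a VM with no `securityProfile` at all now receives the same FAIL message as a VM whose Trusted Launch profile has Secure Boot switched off, which loses triage information. If an absent `securityProfile` means the VM was not deployed with Trusted Launch (inferred from the property name, not shown here), a distinct message such as `'Secure Boot is not enabled for Azure Virtual Machine (no security profile / Trusted Launch not configured)'` would tell operators whether a re-deploy or a setting change is needed. The `forEach` callback and the enclosing `run` function continue past the end of the hunk.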
From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 20:47:58 +0500 Subject: [PATCH 182/498] Update plugins/azure/virtualmachines/vmSecureBootEnabled.js Co-authored-by: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> --- plugins/azure/virtualmachines/vmSecureBootEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmSecureBootEnabled.js b/plugins/azure/virtualmachines/vmSecureBootEnabled.js index 3d2c17a7f2..df68dfb09a 100644 --- a/plugins/azure/virtualmachines/vmSecureBootEnabled.js +++ b/plugins/azure/virtualmachines/vmSecureBootEnabled.js @@ -8,7 +8,7 @@ module.exports = { description: 'Ensure Secure Boot is enabled for Azure virtual machines (VM).', more_info: 'Secure Boot helps protect VMs by ensuring that only signed and trusted components are allowed to execute during the boot process.', recommended_action: 'Enable Secure Boot for Azure virtual machines.', - link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-portal?tabs=portal%2Cportal3%2Cportal2', + link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch#secure-boot', apis: ['virtualMachines:listAll'], run: function(cache, settings, callback) { From 03a1609282ffd6132eece2ebfc38af8c6a708d9b Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Mon, 4 Dec 2023 20:52:22 +0500 Subject: [PATCH 183/498] updated with recommended changes --- plugins/azure/virtualmachines/vmSecureBootEnabled.spec.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmSecureBootEnabled.spec.js b/plugins/azure/virtualmachines/vmSecureBootEnabled.spec.js index cec6f99f13..d7b0ad8ae4 100644 --- a/plugins/azure/virtualmachines/vmSecureBootEnabled.spec.js +++ b/plugins/azure/virtualmachines/vmSecureBootEnabled.spec.js 
@@ -56,7 +56,7 @@ describe('selectSecureBoot', function() { selectSecureBoot.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); - expect(results[0].message).to.include('Unable to query for virtual machines'); + expect(results[0].message).to.include('Unable to query for Virtual Machines:'); expect(results[0].region).to.equal('eastus'); done(); }); From f51f093203615e58d52a126ee130de19b7731808 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Mon, 4 Dec 2023 21:06:31 +0500 Subject: [PATCH 184/498] Removed Duplicate Code --- plugins/azure/applicationGateway/agSslPolicy.js | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/plugins/azure/applicationGateway/agSslPolicy.js b/plugins/azure/applicationGateway/agSslPolicy.js index 9b68012f72..6a7103a35c 100644 --- a/plugins/azure/applicationGateway/agSslPolicy.js +++ b/plugins/azure/applicationGateway/agSslPolicy.js @@ -54,15 +54,12 @@ module.exports = { break; } } - - if (found){ - helpers.addResult(results, 0, 'Application Gateway is using SSL policy which supports latest TLS version', location, appGateway.id); - } else { - helpers.addResult(results, 2, 'Application Gateway is using SSL policy which does not support latest TLS version', location, appGateway.id); - } + } + if (found){ + helpers.addResult(results, 0, 'Application Gateway is using SSL policy which supports latest TLS version', location, appGateway.id); } else { helpers.addResult(results, 2, 'Application Gateway is using SSL policy which does not support latest TLS version', location, appGateway.id); - } + } } rcb(); From 00c736ce79ffb87374ac13a3c9b6bb4367ae46a9 Mon Sep 17 00:00:00 2001 
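Review bot: In the `@@ -54,15 +54,12 @@` hunk of agSslPolicy.js the pass/fail decision on `found` now runs for every gateway, including those that previously fell into the removed `else` branch, so the result is only correct if `found` is reset to `false` for each gateway before this hunk. Its declaration is outside the hunk (the per-gateway loop starts above line 54); if it is declared once outside that loop, a match on an earlier gateway would make a later gateway with no `sslPolicy` report PASS. Keeping `var found = false;` as the first statement of each gateway iteration makes the de-duplication safe, and a short comment such as `// no sslPolicy and no matching policy name both count as a fail` documents the merged branch.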
From: fatima99s Date: Mon, 4 Dec 2023 21:21:11 +0500 Subject: [PATCH 185/498] Regions and api call of bedrock --- helpers/aws/api.js | 28 +++++++++++++++++++++++ helpers/aws/api_multipart.js | 28 +++++++++++++++++++++++ helpers/aws/regions.js | 1 + helpers/aws/regions_china.js | 1 + helpers/aws/regions_gov.js | 1 + helpers/aws/regions_gov_fedramp_east_1.js | 1 + helpers/aws/regions_gov_fedramp_west_1.js | 1 + package.json | 4 ++-- 8 files changed, 63 insertions(+), 2 deletions(-) diff --git a/helpers/aws/api.js b/helpers/aws/api.js index 2a71604f2b..8ccd1cb277 100644 --- a/helpers/aws/api.js +++ b/helpers/aws/api.js @@ -628,6 +628,20 @@ var calls = { paginate: 'NextToken' } }, + Bedrock:{ + listCustomModels:{ + property: 'modelSummaries', + paginate: 'NextToken', + }, + listModelCustomizationJobs:{ + property: 'modelCustomizationJobSummaries"', + paginate: 'NextToken', + }, + getModelInvocationLoggingConfiguration: { + property: 'loggingConfig', + paginate: 'NextToken' + } + }, CloudFormation: { listStacks: { property: 'StackSummaries', @@ -1855,6 +1869,20 @@ var postcalls = [ }, sendIntegration: serviceMap['Backup'] }, + Bedrock:{ + getCustomModel: { + reliesOnService: 'bedrock', + reliesOnCall: 'listCustomModels', + filterKey: 'modelIdentifier', + filterValue: 'modelName', + }, + getModelCustomizationJob: { + reliesOnService: 'bedrock', + reliesOnCall: 'listModelCustomizationJobs', + filterKey: 'jobIdentifier', + filterValue: 'jobArn', + } + }, CloudFormation: { describeStackEvents: { reliesOnService: 'cloudformation', diff --git a/helpers/aws/api_multipart.js b/helpers/aws/api_multipart.js index b0cf7fef45..b72b111afd 100644 --- a/helpers/aws/api_multipart.js +++ b/helpers/aws/api_multipart.js 
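Review bot: In the `Bedrock` calls block added at `@@ -628,6 +628,20 @@` of helpers/aws/api.js, `listModelCustomizationJobs` declares `property: 'modelCustomizationJobSummaries"'` with a stray double quote inside the string, so the collector will look for a response key that never exists and every job listing will come back empty. It should read `property: 'modelCustomizationJobSummaries',`. Also, `getModelInvocationLoggingConfiguration` carries `paginate: 'NextToken'` although a single logging configuration is unlikely to paginate; harmless if the helper ignores a missing token, but worth confirming.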
@@ -118,6 +118,20 @@ var calls = [ paginate: 'NextToken' } }, + Bedrock:{ + listCustomModels:{ + property: 'modelSummaries', + paginate: 'NextToken', + }, + listModelCustomizationJobs:{ + property: 'modelCustomizationJobSummaries"', + paginate: 'NextToken', + }, + getModelInvocationLoggingConfiguration: { + property: 'loggingConfig', + paginate: 'NextToken' + } + }, CloudFormation: { listStacks: { property: 'StackSummaries', @@ -1250,6 +1264,20 @@ var postcalls = [ filterValue: 'BackupPlanId', } }, + Bedrock:{ + getCustomModel: { + reliesOnService: 'bedrock', + reliesOnCall: 'listCustomModels', + filterKey: 'modelIdentifier', + filterValue: 'modelName', + }, + getModelCustomizationJob: { + reliesOnService: 'bedrock', + reliesOnCall: 'listModelCustomizationJobs', + filterKey: 'jobIdentifier', + filterValue: 'jobArn', + } + }, CloudFront: { getDistribution: { reliesOnService: 'cloudfront', diff --git a/helpers/aws/regions.js b/helpers/aws/regions.js index eba8049cdb..2d3c3001e9 100644 --- a/helpers/aws/regions.js +++ b/helpers/aws/regions.js @@ -41,6 +41,7 @@ module.exports = { acm: [...regions, ...newRegionsUpdate], apigateway: [...regions, ...newRegionsUpdate], athena: regions, + bedrock: ['us-east-1', 'us-west-2', 'ap-southeast-1', 'ap-northeast-1', 'eu-central-1'], cloudfront: ['us-east-1'], // CloudFront uses the default global region autoscaling: [...regions, ...newRegionsUpdate], iam: ['us-east-1'], diff --git a/helpers/aws/regions_china.js b/helpers/aws/regions_china.js index 1410f079bd..b3d5984374 100644 --- a/helpers/aws/regions_china.js +++ b/helpers/aws/regions_china.js @@ -14,6 +14,7 @@ module.exports = { acm: [], apigateway: regions, athena: [], + bedrock:[], cloudfront: [], efs: [], autoscaling: regions, diff --git a/helpers/aws/regions_gov.js b/helpers/aws/regions_gov.js index 4a98a5f1f2..05efc34573 100644 --- a/helpers/aws/regions_gov.js +++ b/helpers/aws/regions_gov.js 
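Review bot: The stray double quote is duplicated into helpers/aws/api_multipart.js at `@@ -118,6 +118,20 @@`: `property: 'modelCustomizationJobSummaries"'` must become `property: 'modelCustomizationJobSummaries',` or the multipart collector will never find the job summaries either. Since the two call tables are maintained in parallel, a one-line comment such as `// keep in sync with the Bedrock block in helpers/aws/api.js` would help the next edit land in both places.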
@@ -14,6 +14,7 @@ module.exports = { apigateway: regions, athena: regions, backup: regions, + bedrock: [], cloudfront: [], autoscaling: regions, iam: regions, diff --git a/helpers/aws/regions_gov_fedramp_east_1.js b/helpers/aws/regions_gov_fedramp_east_1.js index 5776c48ab0..84ca9e0673 100644 --- a/helpers/aws/regions_gov_fedramp_east_1.js +++ b/helpers/aws/regions_gov_fedramp_east_1.js @@ -11,6 +11,7 @@ module.exports = { apigateway: regions, athena: regions, backup: regions, + bedrock: [], cloudfront: [], autoscaling: regions, iam: regions, diff --git a/helpers/aws/regions_gov_fedramp_west_1.js b/helpers/aws/regions_gov_fedramp_west_1.js index a562719711..b4793ef189 100644 --- a/helpers/aws/regions_gov_fedramp_west_1.js +++ b/helpers/aws/regions_gov_fedramp_west_1.js @@ -11,6 +11,7 @@ module.exports = { apigateway: regions, athena: regions, backup: regions, + bedrock: [], cloudfront: [], autoscaling: regions, iam: regions, diff --git a/package.json b/package.json index 678a62640c..68843434d1 100644 --- a/package.json +++ b/package.json @@ -50,7 +50,7 @@ "ali-oss": "^6.15.2", "argparse": "^2.0.0", "async": "^2.6.1", - "aws-sdk": "^2.1338.0", + "aws-sdk": "^2.1506.0", "azure-storage": "^2.10.3", "csv-write-stream": "^2.0.0", "fast-safe-stringify": "^2.0.6", @@ -66,4 +66,4 @@ "nodemon": "^1.19.4", "nyc": "^14.1.1" } -} +} \ No newline at end of file From a1fa876bd569ed263e70b9717dc7d212226f304f Mon Sep 17 00:00:00 2001 From: fatima99s Date: Mon, 4 Dec 2023 21:33:00 +0500 Subject: [PATCH 186/498] Custom Model Encryption Enabled --- exports.js | 2 + .../bedrock/customModelEncryptionEnabled.js | 116 ++++++++++ .../customModelEncryptionEnabled.spec.js | 212 ++++++++++++++++++ 3 files changed, 330 insertions(+) create mode 100644 plugins/aws/bedrock/customModelEncryptionEnabled.js create mode 100644 plugins/aws/bedrock/customModelEncryptionEnabled.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..bdf3adde9f 100644 --- a/exports.js +++ b/exports.js 
@@ -52,6 +52,8 @@ module.exports = { 'workgroupEncrypted' : require(__dirname + '/plugins/aws/athena/workgroupEncrypted.js'), 'workgroupEnforceConfiguration' : require(__dirname + '/plugins/aws/athena/workgroupEnforceConfiguration.js'), + 'customModelEncrypted' :require(__dirname + '/plugins/aws/bedrock/customModelEncryptionEnabled.js'), + 'infraConfigNotificationEnabled': require(__dirname + '/plugins/aws/imagebuilder/infraConfigNotificationEnabled.js'), 'publicS3Origin' : require(__dirname + '/plugins/aws/cloudfront/publicS3Origin.js'), 'secureOrigin' : require(__dirname + '/plugins/aws/cloudfront/secureOrigin.js'), diff --git a/plugins/aws/bedrock/customModelEncryptionEnabled.js b/plugins/aws/bedrock/customModelEncryptionEnabled.js new file mode 100644 index 0000000000..62aa864d5c --- /dev/null +++ b/plugins/aws/bedrock/customModelEncryptionEnabled.js 
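Review bot: The registration key `'customModelEncrypted'` at `@@ -52,6 +52,8 @@` does not match the plugin file `customModelEncryptionEnabled.js`, its `describe('customModelEncryptionEnabled')` spec, or the neighbouring `...Enabled` keys, which makes the plugin hard to locate by name. Registering it as `'customModelEncryptionEnabled': require(__dirname + '/plugins/aws/bedrock/customModelEncryptionEnabled.js'),` (with the usual space after the colon) keeps key and file aligned. Placing the entry between the Athena and Image Builder rows rather than in its own Bedrock group is a small inconsistency with how the table is organised around it.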
@@ -0,0 +1,116 @@ +var async = require('async'); +var helpers = require('../../../helpers/aws'); + +module.exports = { + title: 'Custom Model Encryption Enabled', + category: 'BedRock', + domain: 'Machine Learning', + description: 'Ensure that an Amazon Bedrock custom models are encrypted using KMS customer managed keys (CMKs)', + more_info: 'When you encrypt AWS Bedrock custom model using your own AWS KMS Customer Managed Keys (CMKs) for enhanced protection, you have full control over who can use the encryption keys to access your custom model.', + recommended_action: 'Encrypt Bedrock custom model using AWS KMS Customer Managed Keys', + link: 'https://docs.aws.amazon.com/bedrock/latest/userguide/encryption-custom-job.html', + apis: ['Bedrock:listCustomModels', 'Bedrock:getCustomModel', 'KMS:listKeys', 'KMS:describeKey'], + settings: { + bedrock_model_desired_encryption_level: { + name: 'Bedrock Custom Model Encryption Level', + description: 'In order (lowest to highest) awskms=AWS-managed KMS; awscmk=Customer managed KMS; externalcmk=Customer managed externally sourced KMS; cloudhsm=Customer managed CloudHSM sourced KMS', + regex: '^(awskms|awscmk|externalcmk|cloudhsm)$', + default: 'awscmk', + } + }, + + run: function(cache, settings, callback) { + var results = []; + var source = {}; + var regions = helpers.regions(settings); + var config = { + desiredEncryptionLevelString: settings.bedrock_model_desired_encryption_level || this.settings.bedrock_model_desired_encryption_level.default + }; + + var desiredEncryptionLevel = helpers.ENCRYPTION_LEVELS.indexOf(config.desiredEncryptionLevelString); + var currentEncryptionLevel; + + async.each(regions.bedrock, function(region, rcb){ + var listCustomModels = helpers.addSource(cache, source, + ['bedrock', 'listCustomModels', region]); + + if (!listCustomModels) return rcb(); + + if (listCustomModels.err || !listCustomModels.data) { + helpers.addResult(results, 3, + `Unable to query for Bedrock custom model list: 
${helpers.addError(listCustomModels)}`, region); + return rcb(); + } + + if (!listCustomModels.data.length) { + helpers.addResult(results, 0, 'No Bedrock custom model found', region); + return rcb(); + } + var listKeys = helpers.addSource(cache, source, + ['kms', 'listKeys', region]); + + if (!listKeys || listKeys.err || !listKeys.data) { + helpers.addResult(results, 3, + `Unable to list KMS keys: ${helpers.addError(listKeys)}`, region); + return rcb(); + } + + for (let model of listCustomModels.data){ + if (!model.modelArn|| !model.modelName) continue; + + let resource = model.modelArn; + + let getCustomModel = helpers.addSource(cache, source, + ['bedrock', 'getCustomModel', region, model.modelName]); + + + if (!getCustomModel || getCustomModel.err || !getCustomModel.data) { + helpers.addResult(results, 3, `Unable to describe Bedrock custom model : ${helpers.addError(getCustomModel)}`, region, resource); + continue; + } + + if (getCustomModel.data.modelKmsKeyArn) { + var kmsKeyId = getCustomModel.data.modelKmsKeyArn.split('/')[1] ? 
getCustomModel.data.modelKmsKeyArn.split('/')[1] : getCustomModel.data.modelKmsKeyArn; + + var describeKey = helpers.addSource(cache, source, + ['kms', 'describeKey', region, kmsKeyId]); + if (!describeKey || describeKey.err || !describeKey.data || !describeKey.data.KeyMetadata) { + helpers.addResult(results, 3, + `Unable to query KMS key: ${helpers.addError(describeKey)}`, + region, getCustomModel.data.modelKmsKeyArn); + continue; + } + currentEncryptionLevel = helpers.getEncryptionLevel(describeKey.data.KeyMetadata, helpers.ENCRYPTION_LEVELS); + var currentEncryptionLevelString = helpers.ENCRYPTION_LEVELS[currentEncryptionLevel]; + + if (currentEncryptionLevel >= desiredEncryptionLevel) { + helpers.addResult(results, 0, + `Bedrock Custom model is encrypted with ${currentEncryptionLevelString} \ + which is greater than or equal to the desired encryption level ${config.desiredEncryptionLevelString}`, + region, resource); + } else { + helpers.addResult(results, 2, + `Bedrock Custom model is encrypted with ${currentEncryptionLevelString} \ + which is less than the desired encryption level ${config.desiredEncryptionLevelString}`, + region, resource); + } + + } else if (desiredEncryptionLevel == 2){ + helpers.addResult(results, 0, + `Bedrock Custom model is encrypted with awskms \ + which is greater than or equal to the desired encryption level ${config.desiredEncryptionLevelString}`, + region, resource); + } else { + helpers.addResult(results, 2, + `Bedrock Custom model is encrypted with awskms \ + which is less than the desired encryption level ${config.desiredEncryptionLevelString}`, + region, resource); + } + } + + rcb(); + }, function(){ + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/aws/bedrock/customModelEncryptionEnabled.spec.js b/plugins/aws/bedrock/customModelEncryptionEnabled.spec.js new file mode 100644 index 0000000000..8130f7848d --- /dev/null +++ b/plugins/aws/bedrock/customModelEncryptionEnabled.spec.js 
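Review bot: `listKeys` is fetched in `run` and then never read — the plugin only consults `describeKey` — yet a failed or empty `kms:listKeys` response aborts the whole region with UNKNOWN before any model is examined. Dropping the `listKeys` lookup (and `'KMS:listKeys'` from `apis`) removes a needless failure mode; if it is kept deliberately for cache-warming, a comment should say so. Separately, the `else if (desiredEncryptionLevel == 2)` branch for models without `modelKmsKeyArn` hard-codes the position of `awskms` in `helpers.ENCRYPTION_LEVELS`; `helpers.ENCRYPTION_LEVELS.indexOf('awskms')` with `===` states the intent and survives a reordering of that table. The `category: 'BedRock'` spelling also differs from the `Bedrock` casing used in `apis`.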
@@ -0,0 +1,212 @@ +var expect = require('chai').expect; +var customModelEncryptionEnabled = require('./customModelEncryptionEnabled'); + +const listCustomModels = [ + { + "modelArn": "arn:aws:bedrock:us-east-1:11223344:custom-model/amazon.titan-text-lite-v1:0:4k/2ytyyx8nid0h", + "modelName": "model2", + "creationTime": "2023-11-29T10:45:43.056000+00:00", + "baseModelArn": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-lite-v1:0:4k", + "baseModelName": "" + }, + { + "modelArn": "arn:aws:bedrock:us-east-1:11223344:custom-model/amazon.titan-text-lite-v1:0:4k/vjqsydtdhkpz", + "modelName": "test-model", + "creationTime": "2023-11-28T11:29:18.655000+00:00", + "baseModelArn": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-lite-v1:0:4k", + "baseModelName": "" + } +]; + +const getCustomModel = [ + { + "modelArn": "arn:aws:bedrock:us-east-1:11223344:custom-model/amazon.titan-text-lite-v1:0:4k/2ytyyx8nid0h", + "modelName": "model2", + "jobArn": "arn:aws:bedrock:us-east-1:11223344:model-customization-job/amazon.titan-text-lite-v1:0:4k/lo7152tvvl3f", + "baseModelArn": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-lite-v1:0:4k", + "modelKmsKeyArn": "arn:aws:kms:us-east-1:000011112222:key/c4750c1a-72e5-4d16-bc72-0e7b559e0250", + "hyperParameters": { + "batchSize": "2", + "epochCount": "2", + "learningRate": "0.00001", + "learningRateWarmupSteps": "0" + }, + "trainingDataConfig": { + "s3Uri": "s3://bedrockbuckettest/trainigdata.jsonl" + }, + "outputDataConfig": { + "s3Uri": "s3://bedrockbuckettest" + }, + "trainingMetrics": { + "trainingLoss": 1.7109375 + }, + "validationMetrics": [], + "creationTime": "2023-11-29T10:45:43.056000+00:00" + }, + { + "modelArn": "arn:aws:bedrock:us-east-1:11223344:custom-model/amazon.titan-text-lite-v1:0:4k/vjqsydtdhkpz", + "modelName": "test-model", + "jobArn": "arn:aws:bedrock:us-east-1:11223344:model-customization-job/amazon.titan-text-lite-v1:0:4k/iuvltioettou", + "baseModelArn": 
"arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-lite-v1:0:4k", + "hyperParameters": { + "batchSize": "2", + "epochCount": "2", + "learningRate": "0.00001", + "learningRateWarmupSteps": "0" + }, + "trainingDataConfig": { + "s3Uri": "s3://bedrockbuckettest/trainigdata.jsonl" + }, + "outputDataConfig": { + "s3Uri": "s3://bedrockbuckettest" + }, + "trainingMetrics": { + "trainingLoss": 1.7109375 + }, + "validationMetrics": [], + "creationTime": "2023-11-28T11:29:18.655000+00:00" + } +]; + +const describeKey = [ + { + "KeyMetadata": { + "AWSAccountId": "000011112222", + "KeyId": "c4750c1a-72e5-4d16-bc72-0e7b559e0250", + "Arn": "arn:aws:kms:us-east-1:000011112222:key/c4750c1a-72e5-4d16-bc72-0e7b559e0250", + "CreationDate": "2020-12-15T01:16:53.045000+05:00", + "Enabled": true, + "Description": "Default master key that protects my Glue data when no other key is defined", + "KeyUsage": "ENCRYPT_DECRYPT", + "KeyState": "Enabled", + "Origin": "AWS_KMS", + "KeyManager": "CUSTOMER", + "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", + "EncryptionAlgorithms": [ + "SYMMETRIC_DEFAULT" + ] + } + }, + { + "KeyMetadata": { + "AWSAccountId": "000011112222", + "KeyId": "c4750c1a-72e5-4d16-bc72-0e7b559e0252", + "Arn": "arn:aws:kms:us-east-1:000011112222:key/c4750c1a-72e5-4d16-bc72-0e7b559e0252", + "CreationDate": "2020-12-15T01:16:53.045000+05:00", + "Enabled": true, + "Description": "Default master key that protects my Glue data when no other key is defined", + "KeyUsage": "ENCRYPT_DECRYPT", + "KeyState": "Enabled", + "Origin": "AWS_KMS", + "KeyManager": "AWS", + "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", + "EncryptionAlgorithms": [ + "SYMMETRIC_DEFAULT" + ] + } + } +]; + +const listKeys = [ + { + "KeyId": "0604091b-8c1b-4a55-a844-8cc8ab1834d9", + "KeyArn": "arn:aws:kms:us-east-1:000011112222:key/c4750c1a-72e5-4d16-bc72-0e7b559e0250" + }, + { + "KeyId": "0604091b-8c1b-4a55-a844-8cc8ab1834d9", + "KeyArn": 
"arn:aws:kms:us-east-1:000011112222:key/f4942dd6-bce5-4213-bdd3-cc8ccd87dd890" + } +] +const createCache = (customModel, getCustomModel, keys, describeKey, customModelErr, getCustomModelErr, keysErr, describeKeyErr) => { + var modelName = (customModel && customModel.length) ? customModel[0].modelName: null; + var keyId = (keys && keys.length) ? keys[0].KeyArn.split('/')[1] : null; + return { + bedrock: { + listCustomModels: { + 'us-east-1': { + err: customModelErr, + data: customModel + }, + }, + getCustomModel: { + 'us-east-1': { + [modelName]: { + data: getCustomModel, + err: getCustomModelErr + } + } + } + }, + kms: { + listKeys: { + 'us-east-1': { + data: keys, + err: keysErr + } + }, + describeKey: { + 'us-east-1': { + [keyId]: { + err: describeKeyErr, + data: describeKey + }, + }, + }, + }, + }; +}; + +describe('customModelEncryptionEnabled', function () { + describe('run', function () { + it('should PASS if Bedrock Custom Model is Encrypted using CMK', function (done) { + const cache = createCache([listCustomModels[0]], getCustomModel[0], listKeys, describeKey[0]); + customModelEncryptionEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].region).to.equal('us-east-1'); + done(); + }); + }); + + it('should FAIL if Bedrock Custom Model is encrypted with AWS owned key', function (done) { + const cache = createCache([listCustomModels[1]], getCustomModel[1], listKeys, describeKey[1]); + customModelEncryptionEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].region).to.equal('us-east-1'); + done(); + }); + }); + + it('should PASS if the desired encryption level for bedrock custom model is awskms', function (done) { + const cache = createCache([listCustomModels[1]], getCustomModel[1], listKeys, describeKey[1]); + customModelEncryptionEnabled.run(cache, 
{bedrock_model_desired_encryption_level: 'awskms'}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].region).to.equal('us-east-1'); + done(); + }); + }); + + it('should PASS if no Bedrock custom model found', function (done) { + const cache = createCache([]); + customModelEncryptionEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].region).to.equal('us-east-1'); + done(); + }); + }); + + it('should UNKNOWN if unable to list Bedrock custom model', function (done) { + const cache = createCache(null, null, null, { message: "Unable to list Bedrock Custom Model" }); + customModelEncryptionEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].region).to.equal('us-east-1'); + done(); + }); + }); + }); +}) + From 85e08cd9d8ba530d73930ab21f39ba8fab884a2f Mon Sep 17 00:00:00 2001 From: fatima99s Date: Mon, 4 Dec 2023 21:52:11 +0500 Subject: [PATCH 187/498] Private Custom Model --- exports.js | 2 + plugins/aws/bedrock/privateCustomModel.js | 109 ++++++ .../aws/bedrock/privateCustomModel.spec.js | 370 ++++++++++++++++++ 3 files changed, 481 insertions(+) create mode 100644 plugins/aws/bedrock/privateCustomModel.js create mode 100644 plugins/aws/bedrock/privateCustomModel.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..e9c3f59674 100644 --- a/exports.js +++ b/exports.js 
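Review bot: In the 'should UNKNOWN if unable to list Bedrock custom model' case, `createCache(null, null, null, { message: ... })` puts the error object into the fourth parameter (`describeKey`), not the fifth (`customModelErr`), so the cache carries `err: undefined` for `listCustomModels` and the test only passes because `data: null` happens to hit the same UNKNOWN branch. It should be `createCache(null, null, null, null, { message: "Unable to list Bedrock Custom Model" })`, and asserting `expect(results[0].message).to.include('Unable to query for Bedrock custom model list')` would pin the intended branch. The `listKeys` fixture also repeats the same `KeyId` with two different `KeyArn` values, which is misleading even though only the ARN is used by `createCache`.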
@@ -52,6 +52,8 @@ module.exports = { 'workgroupEncrypted' : require(__dirname + '/plugins/aws/athena/workgroupEncrypted.js'), 'workgroupEnforceConfiguration' : require(__dirname + '/plugins/aws/athena/workgroupEnforceConfiguration.js'), + 'privateCustomModel' :require(__dirname + '/plugins/aws/bedrock/privateCustomModel.js'), + 'infraConfigNotificationEnabled': require(__dirname + '/plugins/aws/imagebuilder/infraConfigNotificationEnabled.js'), 'publicS3Origin' : require(__dirname + '/plugins/aws/cloudfront/publicS3Origin.js'), 'secureOrigin' : require(__dirname + '/plugins/aws/cloudfront/secureOrigin.js'), diff --git a/plugins/aws/bedrock/privateCustomModel.js b/plugins/aws/bedrock/privateCustomModel.js new file mode 100644 index 0000000000..75c0329124 --- /dev/null +++ b/plugins/aws/bedrock/privateCustomModel.js 
@@ -0,0 +1,109 @@ +var async = require('async'); +var helpers = require('../../../helpers/aws'); + +module.exports = { + title: 'Private Custom Model', + category: 'BedRock', + domain: 'Machine Learning', + description: 'Ensure that an Amazon Bedrock custom model is configured within a private VPC.', + more_info: 'When the custom model is configured within a private VPC or with a private VPC endpoint, it enhances security by restricting access to authorized networks only, preventing exposure to the public internet.', + recommended_action: 'Configure the custom model with VPC and private VPC endpoint.', + link: 'https://docs.aws.amazon.com/bedrock/latest/userguide/vpc-interface-endpoints.html', + apis: ['Bedrock:listCustomModels', 'Bedrock:getCustomModel','Bedrock:listModelCustomizationJobs', 'Bedrock:getModelCustomizationJob','EC2:describeSubnets', 'EC2:describeRouteTables'], + + run: function(cache, settings, callback) { + var results = []; + var source = {}; + var regions = helpers.regions(settings); + + async.each(regions.bedrock, function(region, rcb){ + var listCustomModels = helpers.addSource(cache, source, + ['bedrock', 'listCustomModels', region]); + + if (!listCustomModels) return rcb(); + + if (listCustomModels.err && listCustomModels.err.message.includes('This service may not be available in')) { + helpers.addResult(results, 0, 'Bedrock service is not available in this region', region); + return rcb(); + } + + if (listCustomModels.err || !listCustomModels.data) { + helpers.addResult(results, 3, + `Unable to query for Bedrock custom model list: ${helpers.addError(listCustomModels)}`, region); + return rcb(); + } + + if (!listCustomModels.data.length) { + helpers.addResult(results, 0, 'No Bedrock custom model found', region); + return rcb(); + } + var subnetRouteTableMap; + var privateSubnets = []; + + var describeSubnets = helpers.addSource(cache, source, + ['ec2', 'describeSubnets', region]); + var describeRouteTables = helpers.addSource(cache, {}, + 
['ec2', 'describeRouteTables', region]); + + if (!describeRouteTables || describeRouteTables.err || !describeRouteTables.data ) { + helpers.addResult(results, 3, + 'Unable to query for route tables: ' + helpers.addError(describeRouteTables), region); + return rcb(); + } + + if (!describeSubnets || describeSubnets.err || !describeSubnets.data) { + helpers.addResult(results, 3, + 'Unable to query for subnets: ' + helpers.addError(describeSubnets), region); + return rcb(); + } else { + subnetRouteTableMap = helpers.getSubnetRTMap(describeSubnets.data, describeRouteTables.data); + privateSubnets = helpers.getPrivateSubnets(subnetRouteTableMap, describeSubnets.data, describeRouteTables.data); + } + + for (let model of listCustomModels.data){ + if (!model.modelArn|| !model.modelName) continue; + + let resource = model.modelArn; + + let getCustomModel = helpers.addSource(cache, source, + ['bedrock', 'getCustomModel', region, model.modelName]); + + + if (!getCustomModel || getCustomModel.err || !getCustomModel.data) { + helpers.addResult(results, 3, `Unable to describe Bedrock custom model : ${helpers.addError(getCustomModel)}`, region, resource); + continue; + } + + let getModelJob = helpers.addSource(cache, source, + ['bedrock', 'getModelCustomizationJob', region, getCustomModel.data.jobArn]); + + if (!getModelJob || getModelJob.err || !getModelJob.data) { + helpers.addResult(results, 3, `Unable to describe Bedrock model customzation job : ${helpers.addError(getModelJob)}`, region, resource); + continue; + } + + if (getModelJob.data.vpcConfig && getModelJob.data.vpcConfig.subnetIds) { + var allPrivate = getModelJob.data.vpcConfig.subnetIds.every(subnetId => privateSubnets.includes(subnetId)); + + if (allPrivate) { + helpers.addResult(results, 0, + 'Bedrock custom model is configured within a private VPC', + region, resource); + } else { + helpers.addResult(results, 2, + 'Bedrock custom model is not configured within a private VPC', + region, resource); + } + } else { + 
helpers.addResult(results, 2, + 'Bedrock custom model does not have VPC configured', + region, resource); + } + } + + rcb(); + }, function(){ + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/aws/bedrock/privateCustomModel.spec.js b/plugins/aws/bedrock/privateCustomModel.spec.js new file mode 100644 index 0000000000..509e223b14 --- /dev/null +++ b/plugins/aws/bedrock/privateCustomModel.spec.js 
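Review bot: In the `vpcConfig` check, `subnetIds.every(...)` is `true` for an empty array, so a job whose `vpcConfig.subnetIds` is `[]` would be reported as 'configured within a private VPC'; guard the length as well, e.g. `if (getModelJob.data.vpcConfig && getModelJob.data.vpcConfig.subnetIds && getModelJob.data.vpcConfig.subnetIds.length) {`. Also, `describeRouteTables` is loaded with `helpers.addSource(cache, {}, ...)` while `describeSubnets` uses `source`, so the route-table call is left out of the `source` map returned to the callback — likely a copy-paste slip. The error string `'Unable to describe Bedrock model customzation job'` has a typo ('customization'). Whether `helpers.getPrivateSubnets` also treats subnets reachable only through a VPC endpoint as private, as the description promises, is not visible here.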
@@ -0,0 +1,370 @@ +var expect = require('chai').expect; +var privateCustomModel = require('./privateCustomModel'); + +const listCustomModels = [ + { + "modelArn": "arn:aws:bedrock:us-east-1:11223344:custom-model/amazon.titan-text-lite-v1:0:4k/2ytyyx8nid0h", + "modelName": "model2", + "creationTime": "2023-11-29T10:45:43.056000+00:00", + "baseModelArn": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-lite-v1:0:4k", + "baseModelName": "" + }, + { + "modelArn": "arn:aws:bedrock:us-east-1:11223344:custom-model/amazon.titan-text-lite-v1:0:4k/vjqsydtdhkpz", + "modelName": "testmodel2", + "creationTime": "2023-11-28T11:29:18.655000+00:00", + "baseModelArn": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-lite-v1:0:4k", + "baseModelName": "" + } +]; + +const getCustomModel = [ + { + "modelArn": "arn:aws:bedrock:us-east-1:11223344:custom-model/amazon.titan-text-lite-v1:0:4k/2ytyyx8nid0h", + "modelName": "model2", + "jobArn": "arn:aws:bedrock:us-east-1:11223344:model-customization-job/amazon.titan-text-lite-v1:0:4k/lo7152tvvl3f", + "baseModelArn": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-lite-v1:0:4k", + "modelKmsKeyArn": "arn:aws:kms:us-east-1:11223344:key/29c2507e-ba0d-4b70-b20d-8b30b761685b", + "hyperParameters": { + "batchSize": "2", + "epochCount": "2", + "learningRate": "0.00001", + "learningRateWarmupSteps": "0" + }, + "trainingDataConfig": { + "s3Uri": "s3://bedrockbuckettest/trainigdata.jsonl" + }, + "outputDataConfig": { + "s3Uri": "s3://bedrockbuckettest" + }, + "trainingMetrics": { + "trainingLoss": 1.7109375 + }, + "validationMetrics": [], + "creationTime": "2023-11-29T10:45:43.056000+00:00" + }, + { + "modelArn": "arn:aws:bedrock:us-east-1:11223344:custom-model/amazon.titan-text-lite-v1:0:4k/vjqsydtdhkpz", + "modelName": "testmodel2", + "jobArn": "arn:aws:bedrock:us-east-1:11223344:model-customization-job/amazon.titan-text-lite-v1:0:4k/iuvltioettou", + "baseModelArn": 
"arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-lite-v1:0:4k", + "hyperParameters": { + "batchSize": "2", + "epochCount": "2", + "learningRate": "0.00001", + "learningRateWarmupSteps": "0" + }, + "trainingDataConfig": { + "s3Uri": "s3://bedrockbuckettest/trainigdata.jsonl" + }, + "outputDataConfig": { + "s3Uri": "s3://bedrockbuckettest" + }, + "trainingMetrics": { + "trainingLoss": 1.7109375 + }, + "validationMetrics": [], + "creationTime": "2023-11-28T11:29:18.655000+00:00" + } +]; + +const listModelCustomizationJobs = [ + { + "jobArn": "arn:aws:bedrock:us-east-1:11223344:model-customization-job/amazon.titan-text-lite-v1:0:4k/lo7152tvvl3f", + "baseModelArn": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-lite-v1:0:4k", + "jobName": "second", + "status": "Completed", + "lastModifiedTime": "2023-11-29T11:36:48.302000+00:00", + "creationTime": "2023-11-29T10:45:43.056000+00:00", + "endTime": "2023-11-29T11:36:47.666000+00:00", + "customModelArn": "arn:aws:bedrock:us-east-1:11223344:custom-model/amazon.titan-text-lite-v1:0:4k/2ytyyx8nid0h", + "customModelName": "model2" + }, + { + "jobArn": "arn:aws:bedrock:us-east-1:11223344:model-customization-job/amazon.titan-text-lite-v1:0:4k/nn23m2vejr54", + "baseModelArn": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-lite-v1:0:4k", + "jobName": "testjobformodel2", + "status": "Failed", + "lastModifiedTime": "2023-11-29T09:08:17.414000+00:00", + "creationTime": "2023-11-29T08:47:00.690000+00:00", + "endTime": "2023-11-29T09:08:17.335000+00:00", + "customModelName": "testmodel2" + }, +] + +const getModelCustomizationJob = [ + { + "jobArn": "arn:aws:bedrock:us-east-1:11223344:model-customization-job/amazon.titan-text-lite-v1:0:4k/nn23m2vejr54", + "jobName": "second", + "outputModelName": "model2", + "outputModelArn": "arn:aws:bedrock:us-east-1:11223344:custom-model/amazon.titan-text-lite-v1:0:4k/2ytyyx8nid0h", + "clientRequestToken": "0da79509-df0a-4bec-9dab-c13a33584247", + 
"roleArn": "arn:aws:iam::11223344:role/service-role/test-role-bedrock", + "status": "Completed", + "creationTime": "2023-11-29T10:45:43.056000+00:00", + "lastModifiedTime": "2023-11-29T11:36:48.302000+00:00", + "endTime": "2023-11-29T11:36:47.666000+00:00", + "baseModelArn": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-lite-v1:0:4k", + "hyperParameters": { + "batchSize": "2", + "epochCount": "2", + "learningRate": "0.00001", + "learningRateWarmupSteps": "0" + }, + "trainingDataConfig": { + "s3Uri": "s3://bedrockbuckettest/trainigdata.jsonl" + }, + "validationDataConfig": { + "validators": [] + }, + "outputDataConfig": { + "s3Uri": "s3://bedrockbuckettest" + }, + "outputModelKmsKeyArn": "arn:aws:kms:us-east-1:672202477801:key/29c2507e-ba0d-4b70-b20d-8b30b761685b", + "validationMetrics": [], + "vpcConfig": { + "subnetIds": [ + "subnet-123", + ], + "securityGroupIds": [ + "sg-0931c3a02deed68f5" + ] + } + }, + { + "jobArn": "arn:aws:bedrock:us-east-1:11223344:model-customization-job/amazon.titan-text-lite-v1:0:4k/lo7152tvvl3f", + "jobName": "first", + "outputModelName": "testmodel2", + "outputModelArn": "arn:aws:bedrock:us-east-1:11223344:custom-model/amazon.titan-text-lite-v1:0:4k/2ytyyx8nid0h", + "clientRequestToken": "0da79509-df0a-4bec-9dab-c13a33584247", + "roleArn": "arn:aws:iam::11223344:role/service-role/test-role-bedrock", + "status": "Completed", + "creationTime": "2023-11-29T10:45:43.056000+00:00", + "lastModifiedTime": "2023-11-29T11:36:48.302000+00:00", + "endTime": "2023-11-29T11:36:47.666000+00:00", + "baseModelArn": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-lite-v1:0:4k", + "hyperParameters": { + "batchSize": "2", + "epochCount": "2", + "learningRate": "0.00001", + "learningRateWarmupSteps": "0" + }, + "trainingDataConfig": { + "s3Uri": "s3://bedrockbuckettest/trainigdata.jsonl" + }, + "validationDataConfig": { + "validators": [] + }, + "outputDataConfig": { + "s3Uri": "s3://bedrockbuckettest" + }, + 
"outputModelKmsKeyArn": "arn:aws:kms:us-east-1:672202477801:key/29c2507e-ba0d-4b70-b20d-8b30b761685b", + "validationMetrics": [], + "vpcConfig": { + "subnetIds": [ + "subnet-234", + ], + "securityGroupIds": [ + "sg-0931c3a02deed68f5" + ] + } + } +]; + +const describeRouteTables = [ + { + "Associations": [ + { + "Main": true, + "RouteTableAssociationId": "rtbassoc-79c7a000", + "RouteTableId": "rtb-f6522690", + "AssociationState": { + "State": "associated" + } + } + ], + "PropagatingVgws": [], + "RouteTableId": "rtb-f6522690", + "Routes": [ + { + "DestinationCidrBlock": "172.31.0.0/16", + "GatewayId": "local", + "Origin": "CreateRouteTable", + "State": "active" + } + ], + "Tags": [], + "VpcId": "vpc-123", + "OwnerId": "000011112222" + }, + { + "Associations": [ + { + "Main": true, + "RouteTableAssociationId": "rtbassoc-79c7a000", + "RouteTableId": "rtb-f6522690", + "AssociationState": { + "State": "associated" + } + } + ], + "PropagatingVgws": [], + "RouteTableId": "rtb-f6522690", + "Routes": [ + { + "DestinationCidrBlock": "172.31.0.0/16", + "GatewayId": "local", + "Origin": "CreateRouteTable", + "State": "active" + }, + { + "DestinationCidrBlock": "172.31.0.0/16", + "GatewayId": "igw-sedwednkq", + "Origin": "CreateRouteTable", + "State": "active" + } + + ], + "Tags": [], + "VpcId": "vpc-234", + "OwnerId": "000011112222" + } +]; + +const describeSubnets = [ + { + "AvailabilityZone": "us-east-1c", + "AvailabilityZoneId": "use1-az4", + "AvailableIpAddressCount": 4091, + "CidrBlock": "172.31.16.0/20", + "DefaultForAz": true, + "MapPublicIpOnLaunch": true, + "MapCustomerOwnedIpOnLaunch": false, + "State": "available", + "SubnetId": "subnet-123", + "VpcId": "vpc-123", + "OwnerId": "000011112222", + "AssignIpv6AddressOnCreation": false, + "Ipv6CidrBlockAssociationSet": [], + "SubnetArn": "arn:aws:ec2:us-east-1:000011112222:subnet/subnet-aac6b3e7" + }, + { + "AvailabilityZone": "us-east-1c", + "AvailabilityZoneId": "use1-az4", + "AvailableIpAddressCount": 4091, + 
"CidrBlock": "172.31.16.0/20", + "DefaultForAz": true, + "MapPublicIpOnLaunch": true, + "MapCustomerOwnedIpOnLaunch": false, + "State": "available", + "SubnetId": "subnet-234", + "VpcId": "vpc-234", + "OwnerId": "000011112222", + "AssignIpv6AddressOnCreation": false, + "Ipv6CidrBlockAssociationSet": [], + "SubnetArn": "arn:aws:ec2:us-east-1:000011112222:subnet/subnet-aac6b3e7" + } +]; + +const createCache = (customModel, listJobs, getCustomModel, getJobs, subnets, routeTables, customModelErr, listJobsErr, getCustomModelErr, getJobErr) => { + var modelName = (customModel && customModel.length) ? customModel[0].modelName: null; + var jobName = (listJobs && listJobs.length) ? listJobs[0].jobArn: null; + return { + bedrock: { + listCustomModels: { + 'us-east-1': { + err: customModelErr, + data: customModel + }, + }, + listModelCustomizationJobs: { + 'us-east-1': { + err: listJobsErr, + data: listJobs + }, + }, + getCustomModel: { + 'us-east-1': { + [modelName]: { + data: getCustomModel, + err: getCustomModelErr + } + } + }, + getModelCustomizationJob: { + 'us-east-1': { + [jobName]: { + data: getJobs, + err: getJobErr + } + } + } + }, + ec2: { + describeSubnets: { + 'us-east-1': { + data: subnets + } + }, + describeRouteTables: { + 'us-east-1': { + data: routeTables + } + } + } + }; +}; + +describe('privateCustomModel', function () { + describe('run', function () { + it('should PASS if Bedrock Custom Model is a private model', function (done) { + const cache = createCache([listCustomModels[1]], [listModelCustomizationJobs[0]],getCustomModel[0],getModelCustomizationJob[0],[describeSubnets[0]], [describeRouteTables[0]]); + privateCustomModel.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].region).to.equal('us-east-1'); + done(); + }); + }); + + it('should FAIL if Bedrock Custom Model have not Vpc configured', function (done) { + const cache = 
createCache([listCustomModels[0]],[listModelCustomizationJobs[0]] ,getCustomModel[0],getModelCustomizationJob[1],[describeSubnets[0]], [describeRouteTables[0]]); + privateCustomModel.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].region).to.equal('us-east-1'); + done(); + }); + }); + + it('should FAIL if Bedrock Custom Model is not a private model', function (done) { + const cache = createCache([listCustomModels[0]],[listModelCustomizationJobs[0]] ,getCustomModel[0],getModelCustomizationJob[0],[describeSubnets[1]], [describeRouteTables[1]]); + privateCustomModel.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].region).to.equal('us-east-1'); + done(); + }); + }); + + it('should PASS if no Bedrock custom model found', function (done) { + const cache = createCache([]); + privateCustomModel.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].region).to.equal('us-east-1'); + done(); + }); + }); + + it('should UNKNOWN if unable to list Bedrock custom model', function (done) { + const cache = createCache(null, null, null, { message: "Unable to list Bedrock Custom Model" }); + privateCustomModel.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].region).to.equal('us-east-1'); + done(); + }); + }); + }); +}) \ No newline at end of file From 882f7ed831f44234f4d13be3a5a0824cab638d8a Mon Sep 17 00:00:00 2001 
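Review bot: The 'should FAIL if Bedrock Custom Model have not Vpc configured' case never reaches the plugin's no-VPC branch, because `getModelCustomizationJob[1]` in this spec still carries a `vpcConfig` with `subnet-234`, so the status 2 it observes comes from the 'not configured within a private VPC' path instead; drop the `vpcConfig` block from that fixture (or add a third fixture without one) and assert on `results[0].message` so the two FAIL paths are told apart. The UNKNOWN case passes the error object as the fourth positional argument of `createCache` (`getJobs`), not the seventh (`customModelErr`), so status 3 is produced by `data: null` rather than by the error; it should read `createCache(null, null, null, null, null, null, { message: "Unable to list Bedrock Custom Model" })`. There is also no case for a job whose `subnetIds` is an empty array, which would expose that `[].every(...)` in the plugin evaluates to true and yields a PASS, and no case for the `describeSubnets`/`describeRouteTables` error branches.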
From: fatima99s Date: Mon, 4 Dec 2023 21:57:16 +0500 Subject: [PATCH 188/498] Custom Model In VPC --- exports.js | 2 + plugins/aws/bedrock/customModelInVpc.js | 72 ++++++ plugins/aws/bedrock/customModelInVpc.spec.js | 251 +++++++++++++++++++ 3 files changed, 325 insertions(+) create mode 100644 plugins/aws/bedrock/customModelInVpc.js create mode 100644 plugins/aws/bedrock/customModelInVpc.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..5cf4fb9464 100644 --- a/exports.js +++ b/exports.js @@ -52,6 +52,8 @@ module.exports = { 'workgroupEncrypted' : require(__dirname + '/plugins/aws/athena/workgroupEncrypted.js'), 'workgroupEnforceConfiguration' : require(__dirname + '/plugins/aws/athena/workgroupEnforceConfiguration.js'), + 'customModelInVpc' :require(__dirname + '/plugins/aws/bedrock/customModelInVpc.js'), + 'infraConfigNotificationEnabled': require(__dirname + '/plugins/aws/imagebuilder/infraConfigNotificationEnabled.js'), 'publicS3Origin' : require(__dirname + '/plugins/aws/cloudfront/publicS3Origin.js'), 'secureOrigin' : require(__dirname + '/plugins/aws/cloudfront/secureOrigin.js'), diff --git a/plugins/aws/bedrock/customModelInVpc.js b/plugins/aws/bedrock/customModelInVpc.js new file mode 100644 index 0000000000..e397ec88f8 --- /dev/null +++ b/plugins/aws/bedrock/customModelInVpc.js 
@@ -0,0 +1,72 @@
+var async = require('async');
+var helpers = require('../../../helpers/aws');
+
+module.exports = {
+ title: 'Custom Model In VPC',
+ category: 'BedRock',
+ domain: 'Machine Learning',
+ description: 'Ensure that an Amazon Bedrock custom model is configured with a VPC.',
+ more_info: 'When the custom model is configured within a VPC, it establishes a secure environment that prevents unauthorized internet access to your training data, enhancing the overall security and confidentiality of your model.',
+ recommended_action: 'Create the custom model with VPC configuration',
+ link: 'https://docs.aws.amazon.com/bedrock/latest/userguide/usingVPC.html',
+ apis: ['Bedrock:listCustomModels', 'Bedrock:getCustomModel','Bedrock:listModelCustomizationJobs', 'Bedrock:getModelCustomizationJob'],
+
+ run: function(cache, settings, callback) {
+ var results = [];
+ var source = {};
+ var regions = helpers.regions(settings);
+
+ async.each(regions.bedrock, function(region, rcb){
+ var listCustomModels = helpers.addSource(cache, source,
+ ['bedrock', 'listCustomModels', region]);
+
+ if (!listCustomModels) return rcb();
+
+ if (listCustomModels.err || !listCustomModels.data) {
+ helpers.addResult(results, 3,
+ `Unable to query for Bedrock custom model list: ${helpers.addError(listCustomModels)}`, region);
+ return rcb();
+ }
+
+ if (!listCustomModels.data.length) {
+ helpers.addResult(results, 0, 'No Bedrock custom model found', region);
+ return rcb();
+ }
+
+ for (let model of listCustomModels.data){
+ if (!model.modelArn|| !model.modelName) continue;
+
+ let resource = model.modelArn;
+
+ let getCustomModel = helpers.addSource(cache, source,
+ ['bedrock', 'getCustomModel', region, model.modelName]);
+
+
+ if (!getCustomModel || getCustomModel.err || !getCustomModel.data) {
+ helpers.addResult(results, 3, `Unable to describe Bedrock custom model : ${helpers.addError(getCustomModel)}`, region, resource);
+ continue;
+ }
+
+ let getModelJob = helpers.addSource(cache, source,
+ ['bedrock', 'getModelCustomizationJob', region, getCustomModel.data.jobArn]);
+
+ if (!getModelJob || getModelJob.err || !getModelJob.data) {
+ helpers.addResult(results, 3, `Unable to describe Bedrock model customzation job : ${helpers.addError(getModelJob)}`, region, resource);
+ continue;
+ }
+
+ if (getModelJob.data.vpcConfig ) {
+ helpers.addResult(results, 0,
+ 'Bedrock custom model is configured within a VPC', region, resource);
+ } else {
+ helpers.addResult(results, 2,
+ 'Bedrock custom model is not configured within a VPC', region, resource);
+ }
+ }
+
+ rcb();
+ }, function(){
+ callback(null, results, source);
+ });
+ }
+};
\ No newline at end of file
diff --git a/plugins/aws/bedrock/customModelInVpc.spec.js b/plugins/aws/bedrock/customModelInVpc.spec.js
new file mode 100644
index 0000000000..27d120973a
--- /dev/null
+++ b/plugins/aws/bedrock/customModelInVpc.spec.js
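Review bot: The pass condition `if (getModelJob.data.vpcConfig )` treats any truthy `vpcConfig` as "configured with a VPC", so a job whose `vpcConfig` carries no subnets would pass; the sibling privateCustomModel plugin on this page already checks `vpcConfig && vpcConfig.subnetIds`, and this one should match it: `if (getModelJob.data.vpcConfig && getModelJob.data.vpcConfig.subnetIds && getModelJob.data.vpcConfig.subnetIds.length) {`. The `apis` list declares `Bedrock:listModelCustomizationJobs`, yet the run function never reads it — the job is looked up directly by `getCustomModel.data.jobArn` — so that collector call looks unused unless the AWS api definitions need it to populate `getModelCustomizationJob` (not visible from here; worth confirming before dropping it). Minor: `customzation` in the UNKNOWN message and the `BedRock` category spelling (the product is `Bedrock`) should be fixed now, before tests start pinning these strings.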
@@ -0,0 +1,251 @@ +var expect = require('chai').expect; +var customModelInVpc = require('./customModelInVpc') + +const listCustomModels = [ + { + "modelArn": "arn:aws:bedrock:us-east-1:11223344:custom-model/amazon.titan-text-lite-v1:0:4k/2ytyyx8nid0h", + "modelName": "model2", + "creationTime": "2023-11-29T10:45:43.056000+00:00", + "baseModelArn": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-lite-v1:0:4k", + "baseModelName": "" + }, + { + "modelArn": "arn:aws:bedrock:us-east-1:11223344:custom-model/amazon.titan-text-lite-v1:0:4k/vjqsydtdhkpz", + "modelName": "testmodel2", + "creationTime": "2023-11-28T11:29:18.655000+00:00", + "baseModelArn": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-lite-v1:0:4k", + "baseModelName": "" + } +]; + +const getCustomModel = [ + { + "modelArn": "arn:aws:bedrock:us-east-1:11223344:custom-model/amazon.titan-text-lite-v1:0:4k/2ytyyx8nid0h", + "modelName": "model2", + "jobArn": "arn:aws:bedrock:us-east-1:11223344:model-customization-job/amazon.titan-text-lite-v1:0:4k/lo7152tvvl3f", + "baseModelArn": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-lite-v1:0:4k", + "modelKmsKeyArn": "arn:aws:kms:us-east-1:11223344:key/29c2507e-ba0d-4b70-b20d-8b30b761685b", + "hyperParameters": { + "batchSize": "2", + "epochCount": "2", + "learningRate": "0.00001", + "learningRateWarmupSteps": "0" + }, + "trainingDataConfig": { + "s3Uri": "s3://bedrockbuckettest/trainigdata.jsonl" + }, + "outputDataConfig": { + "s3Uri": "s3://bedrockbuckettest" + }, + "trainingMetrics": { + "trainingLoss": 1.7109375 + }, + "validationMetrics": [], + "creationTime": "2023-11-29T10:45:43.056000+00:00" + }, + { + "modelArn": "arn:aws:bedrock:us-east-1:11223344:custom-model/amazon.titan-text-lite-v1:0:4k/vjqsydtdhkpz", + "modelName": "testmodel2", + "jobArn": "arn:aws:bedrock:us-east-1:11223344:model-customization-job/amazon.titan-text-lite-v1:0:4k/iuvltioettou", + "baseModelArn": 
"arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-lite-v1:0:4k", + "hyperParameters": { + "batchSize": "2", + "epochCount": "2", + "learningRate": "0.00001", + "learningRateWarmupSteps": "0" + }, + "trainingDataConfig": { + "s3Uri": "s3://bedrockbuckettest/trainigdata.jsonl" + }, + "outputDataConfig": { + "s3Uri": "s3://bedrockbuckettest" + }, + "trainingMetrics": { + "trainingLoss": 1.7109375 + }, + "validationMetrics": [], + "creationTime": "2023-11-28T11:29:18.655000+00:00" + } +]; + +const listModelCustomizationJobs = [ + { + "jobArn": "arn:aws:bedrock:us-east-1:11223344:model-customization-job/amazon.titan-text-lite-v1:0:4k/lo7152tvvl3f", + "baseModelArn": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-lite-v1:0:4k", + "jobName": "second", + "status": "Completed", + "lastModifiedTime": "2023-11-29T11:36:48.302000+00:00", + "creationTime": "2023-11-29T10:45:43.056000+00:00", + "endTime": "2023-11-29T11:36:47.666000+00:00", + "customModelArn": "arn:aws:bedrock:us-east-1:11223344:custom-model/amazon.titan-text-lite-v1:0:4k/2ytyyx8nid0h", + "customModelName": "model2" + }, + { + "jobArn": "arn:aws:bedrock:us-east-1:11223344:model-customization-job/amazon.titan-text-lite-v1:0:4k/nn23m2vejr54", + "baseModelArn": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-lite-v1:0:4k", + "jobName": "testjobformodel2", + "status": "Failed", + "lastModifiedTime": "2023-11-29T09:08:17.414000+00:00", + "creationTime": "2023-11-29T08:47:00.690000+00:00", + "endTime": "2023-11-29T09:08:17.335000+00:00", + "customModelName": "testmodel2" + }, +] + +const getModelCustomizationJob = [ + { + "jobArn": "arn:aws:bedrock:us-east-1:11223344:model-customization-job/amazon.titan-text-lite-v1:0:4k/nn23m2vejr54", + "jobName": "second", + "outputModelName": "model2", + "outputModelArn": "arn:aws:bedrock:us-east-1:11223344:custom-model/amazon.titan-text-lite-v1:0:4k/2ytyyx8nid0h", + "clientRequestToken": "0da79509-df0a-4bec-9dab-c13a33584247", + 
"roleArn": "arn:aws:iam::11223344:role/service-role/test-role-bedrock", + "status": "Completed", + "creationTime": "2023-11-29T10:45:43.056000+00:00", + "lastModifiedTime": "2023-11-29T11:36:48.302000+00:00", + "endTime": "2023-11-29T11:36:47.666000+00:00", + "baseModelArn": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-lite-v1:0:4k", + "hyperParameters": { + "batchSize": "2", + "epochCount": "2", + "learningRate": "0.00001", + "learningRateWarmupSteps": "0" + }, + "trainingDataConfig": { + "s3Uri": "s3://bedrockbuckettest/trainigdata.jsonl" + }, + "validationDataConfig": { + "validators": [] + }, + "outputDataConfig": { + "s3Uri": "s3://bedrockbuckettest" + }, + "outputModelKmsKeyArn": "arn:aws:kms:us-east-1:672202477801:key/29c2507e-ba0d-4b70-b20d-8b30b761685b", + "validationMetrics": [], + "vpcConfig": { + "subnetIds": [ + "subnet-090543c3cc7bee455", + "subnet-0c24e4b662cd8d653", + "subnet-0d9749278f1e1363d", + "subnet-047096f0145576587", + "subnet-042ccd1bd4f8fcc89", + "subnet-02b16d7c95cf5de7f", + "subnet-0a47a7d5f3f852877" + ], + "securityGroupIds": [ + "sg-0931c3a02deed68f5" + ] + } + }, + { + "jobArn": "arn:aws:bedrock:us-east-1:11223344:model-customization-job/amazon.titan-text-lite-v1:0:4k/lo7152tvvl3f", + "jobName": "first", + "outputModelName": "testmodel2", + "outputModelArn": "arn:aws:bedrock:us-east-1:11223344:custom-model/amazon.titan-text-lite-v1:0:4k/2ytyyx8nid0h", + "clientRequestToken": "0da79509-df0a-4bec-9dab-c13a33584247", + "roleArn": "arn:aws:iam::11223344:role/service-role/test-role-bedrock", + "status": "Completed", + "creationTime": "2023-11-29T10:45:43.056000+00:00", + "lastModifiedTime": "2023-11-29T11:36:48.302000+00:00", + "endTime": "2023-11-29T11:36:47.666000+00:00", + "baseModelArn": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-lite-v1:0:4k", + "hyperParameters": { + "batchSize": "2", + "epochCount": "2", + "learningRate": "0.00001", + "learningRateWarmupSteps": "0" + }, + "trainingDataConfig": { 
+ "s3Uri": "s3://bedrockbuckettest/trainigdata.jsonl" + }, + "validationDataConfig": { + "validators": [] + }, + "outputDataConfig": { + "s3Uri": "s3://bedrockbuckettest" + }, + "outputModelKmsKeyArn": "arn:aws:kms:us-east-1:672202477801:key/29c2507e-ba0d-4b70-b20d-8b30b761685b", + "validationMetrics": [], + } +] + +const createCache = (customModel, listJobs, getCustomModel, getJobs, customModelErr, listJobsErr, getCustomModelErr, getJobErr) => { + var modelName = (customModel && customModel.length) ? customModel[0].modelName: null; + var jobName = (listJobs && listJobs.length) ? listJobs[0].jobArn: null; + return { + bedrock: { + listCustomModels: { + 'us-east-1': { + err: customModelErr, + data: customModel + }, + }, + listModelCustomizationJobs: { + 'us-east-1': { + err: listJobsErr, + data: listJobs + }, + }, + getCustomModel: { + 'us-east-1': { + [modelName]: { + data: getCustomModel, + err: getCustomModelErr + } + } + }, + getModelCustomizationJob: { + 'us-east-1': { + [jobName]: { + data: getJobs, + err: getJobErr + } + } + } + } + }; +}; + +describe('customModelInVpc', function () { + describe('run', function () { + it('should PASS if Bedrock Custom Model has Vpc configured', function (done) { + const cache = createCache([listCustomModels[1]], [listModelCustomizationJobs[0]],getCustomModel[0],getModelCustomizationJob[0]); + customModelInVpc.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].region).to.equal('us-east-1'); + done(); + }); + }); + + it('should FAIL if Bedrock Custom Model have not Vpc configured', function (done) { + const cache = createCache([listCustomModels[0]],[listModelCustomizationJobs[0]] ,getCustomModel[0],getModelCustomizationJob[1]); + customModelInVpc.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].region).to.equal('us-east-1'); + done(); + }); + }); + + it('should 
PASS if no Bedrock custom model found', function (done) { + const cache = createCache([]); + customModelInVpc.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].region).to.equal('us-east-1'); + done(); + }); + }); + + it('should UNKNOWN if unable to list Bedrock custom model', function (done) { + const cache = createCache(null, null, null, { message: "Unable to list Bedrock Custom Model" }); + customModelInVpc.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].region).to.equal('us-east-1'); + done(); + }); + }); + }); +}) From df7c2dc2558a742f86ef3d81e037ced9fae1782a Mon Sep 17 00:00:00 2001 From: fatima99s Date: Mon, 4 Dec 2023 22:01:51 +0500 Subject: [PATCH 189/498] Bedrock Model Invocation Logging Enabled --- exports.js | 2 + .../bedrock/modelInvocationLoggingEnabled.js | 45 ++++++++++++++ .../modelInvocationLoggingEnabled.spec.js | 61 +++++++++++++++++++ 3 files changed, 108 insertions(+) create mode 100644 plugins/aws/bedrock/modelInvocationLoggingEnabled.js create mode 100644 plugins/aws/bedrock/modelInvocationLoggingEnabled.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..4cd15f6182 100644 --- a/exports.js +++ b/exports.js @@ -52,6 +52,8 @@ module.exports = { 'workgroupEncrypted' : require(__dirname + '/plugins/aws/athena/workgroupEncrypted.js'), 'workgroupEnforceConfiguration' : require(__dirname + '/plugins/aws/athena/workgroupEnforceConfiguration.js'), + 'modelInvocationLoggingEnabled' :require(__dirname + '/plugins/aws/bedrock/modelInvocationLoggingEnabled.js'), + 'infraConfigNotificationEnabled': require(__dirname + '/plugins/aws/imagebuilder/infraConfigNotificationEnabled.js'), 'publicS3Origin' : require(__dirname + '/plugins/aws/cloudfront/publicS3Origin.js'), 'secureOrigin' : require(__dirname + '/plugins/aws/cloudfront/secureOrigin.js'), 
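Review bot: The UNKNOWN case passes `{ message: ... }` as the fourth positional argument of `createCache`, which is `getJobs`, not the fifth (`customModelErr`), so the status 3 it asserts is produced by `listCustomModels` having `data: null` rather than by the error it claims to test; it should be `createCache(null, null, null, null, { message: "Unable to list Bedrock Custom Model" })`. The PASS and FAIL cases only assert status and region; adding `expect(results[0].message).to.include('configured within a VPC')` style checks, as the Azure specs on this page do, would catch a swapped branch. Style: `require('./customModelInVpc')` on the second line is missing its semicolon, unlike the other spec files in this series.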
diff --git a/plugins/aws/bedrock/modelInvocationLoggingEnabled.js b/plugins/aws/bedrock/modelInvocationLoggingEnabled.js
new file mode 100644
index 0000000000..7025578be7
--- /dev/null
+++ b/plugins/aws/bedrock/modelInvocationLoggingEnabled.js
@@ -0,0 +1,45 @@
+var async = require('async');
+var helpers = require('../../../helpers/aws');
+
+module.exports = {
+ title: 'Bedrock Model Invocation Logging Enabled',
+ category: 'BedRock',
+ domain: 'Machine Learning',
+ description: 'Ensure that Amazon Bedrock model invocation logging is enabled.',
+ more_info: 'With invocation logging enabled, you can collect the full request data, response data, and metadata associated with all calls performed in account. This detailed logging provides valuable insights into model usage patterns, helps in troubleshooting, and enhances security by allowing for thorough analysis of model interactions. It also facilitates compliance with auditing requirements, offering a comprehensive record of model invocations.',
+ recommended_action: 'Enable invocation logging for Amazon Bedrock models.',
+ link: 'https://docs.aws.amazon.com/bedrock/latest/userguide/settings.html#model-invocation-logging',
+ apis: ['Bedrock:getModelInvocationLoggingConfiguration'],
+
+ run: function(cache, settings, callback) {
+ var results = [];
+ var source = {};
+ var regions = helpers.regions(settings);
+
+ async.each(regions.bedrock, function(region, rcb){
+ var invocationLoggingConfiguration = helpers.addSource(cache, source,
+ ['bedrock', 'getModelInvocationLoggingConfiguration', region]);
+
+ if (!invocationLoggingConfiguration) return rcb();
+
+ if (invocationLoggingConfiguration.err && invocationLoggingConfiguration.err.message.includes('This service may not be available in')) {
+ helpers.addResult(results, 0, 'Bedrock service is not available in this region', region);
+ return rcb();
+ } else if (invocationLoggingConfiguration.err ) {
+ helpers.addResult(results, 3,
+ `Unable to query for Invocation Logging Configuration: ${helpers.addError(invocationLoggingConfiguration)}`, region);
+ return rcb();
+ }
+
+ if (!invocationLoggingConfiguration.data) {
+ helpers.addResult(results, 2, 'Invocation logging is not enabled for bedrock models', region);
+ } else {
+ helpers.addResult(results, 0, 'Invocation logging is enabled for bedrock models', region);
+ }
+
+ rcb();
+ }, function(){
+ callback(null, results, source);
+ });
+ }
+};
diff --git a/plugins/aws/bedrock/modelInvocationLoggingEnabled.spec.js b/plugins/aws/bedrock/modelInvocationLoggingEnabled.spec.js
new file mode 100644
index 0000000000..6468498532
--- /dev/null
+++ b/plugins/aws/bedrock/modelInvocationLoggingEnabled.spec.js
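Review bot: The pass condition `if (!invocationLoggingConfiguration.data)` treats any truthy `data` as "logging enabled", so a response object that carries no `loggingConfig` — which, as far as I recall, is what GetModelInvocationLoggingConfiguration returns when nothing has been configured (worth confirming against the collector) — would be reported as a PASS; tighten it to `if (!invocationLoggingConfiguration.data || !invocationLoggingConfiguration.data.loggingConfig) {`, and consider also requiring an `s3Config` or `cloudWatchConfig` destination inside `loggingConfig`, since a config with neither delivers nothing. Separately, `invocationLoggingConfiguration.err.message.includes(...)` throws a TypeError if the cached error has no `message` property, turning a collection failure into a plugin crash; guard it as `invocationLoggingConfiguration.err.message && invocationLoggingConfiguration.err.message.includes('This service may not be available in')`. Reporting an unavailable region as status 0 rather than skipping it is a policy choice; a one-line comment saying that it is deliberate would help the next reader.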
@@ -0,0 +1,61 @@ +var expect = require('chai').expect; +var modelInvocationLoggingEnabled = require('./modelInvocationLoggingEnabled'); + +const invocationLoggingConfiguration = { + "loggingConfig": { + "s3Config": { + "bucketName": "bedrockbuckettest", + "keyPrefix": "" + }, + "textDataDeliveryEnabled": true, + "imageDataDeliveryEnabled": true, + "embeddingDataDeliveryEnabled": true + } +} + +const createCache = (invocationLoggingConfiguration, invocationLoggingConfigurationErr) => { + return { + bedrock: { + getModelInvocationLoggingConfiguration: { + 'us-east-1': { + err: invocationLoggingConfigurationErr, + data: invocationLoggingConfiguration + }, + }, + } + }; +}; + +describe('modelInvocationLoggingEnabled', function () { + describe('run', function () { + it('should PASS if model invocation logging is enabled for bedrock models', function (done) { + const cache = createCache(invocationLoggingConfiguration); + modelInvocationLoggingEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].region).to.equal('us-east-1'); + done(); + }); + }); + + it('should FAIL if model invocation logging is disabled for bedrock models', function (done) { + const cache = createCache(); + modelInvocationLoggingEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].region).to.equal('us-east-1'); + done(); + }); + }); + + it('should UNKNOWN if unable to query for model invocation logging', function (done) { + const cache = createCache(null, { message: "Unable to list model invocation logging config"}); + modelInvocationLoggingEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].region).to.equal('us-east-1'); + done(); + }); + }); + }); +}) \ No newline at end of file 
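Review bot: The FAIL case only exercises `data: undefined`, so it does not pin what the plugin does with a real "not configured" response; add a case built from an empty object, `const cache = createCache({});`, and assert the status you actually want for it, since today that object is truthy and would PASS. The 'service not available' branch in the plugin has no test either; a case passing `{ message: 'This service may not be available in us-east-1' }` as the error and expecting status 0 would cover it. Asserting on `results[0].message` in each case would also distinguish the enabled/disabled outcomes from the unavailable-region one.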
From 8a0e8b57e87fe2bf7dfcc619d501fc350fc1ccea Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Mon, 4 Dec 2023 22:20:07 +0500 Subject: [PATCH 190/498] pr changes --- plugins/azure/mediaServices/amsManagedIdentityEnabled.js | 8 ++++---- .../azure/mediaServices/amsManagedIdentityEnabled.spec.js | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/plugins/azure/mediaServices/amsManagedIdentityEnabled.js b/plugins/azure/mediaServices/amsManagedIdentityEnabled.js index a18c4c6609..ff999a94ac 100644 --- a/plugins/azure/mediaServices/amsManagedIdentityEnabled.js +++ b/plugins/azure/mediaServices/amsManagedIdentityEnabled.js @@ -2,9 +2,9 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Azure Media Service Managed Identity Enabled', + title: 'Media Service Managed Identity Enabled', category: 'Media Services', - domain: 'Identity and Access Management', + domain: 'Content Delivery', description: 'Ensure that Azure Media Services have managed identity enabled.', more_info: 'Enabling managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.', link: 'https://learn.microsoft.com/en-us/azure/media-services/latest/concept-managed-identities', 
@@ -48,9 +48,9 @@ module.exports = { && (getMediaService.data.identity.type.toLowerCase() === 'userassigned' || getMediaService.data.identity.type.toLowerCase() === 'systemassigned')) { - helpers.addResult(results, 0, 'Managed Identity is enabled for Azure Media Service account', location, mediaService.id); + helpers.addResult(results, 0, 'Media Service account has managed Identity enabled', location, mediaService.id); } else { - helpers.addResult(results, 2, 'Managed Identity is not enabled for Azure Media Service account', location, mediaService.id); + helpers.addResult(results, 2, 'Media Service account does not have managed Identity enabled', location, mediaService.id); } } diff --git a/plugins/azure/mediaServices/amsManagedIdentityEnabled.spec.js b/plugins/azure/mediaServices/amsManagedIdentityEnabled.spec.js index a28fd9dd40..49f3457e97 100644 --- a/plugins/azure/mediaServices/amsManagedIdentityEnabled.spec.js +++ b/plugins/azure/mediaServices/amsManagedIdentityEnabled.spec.js @@ -100,7 +100,7 @@ describe('amsManagedIdentityEnabled', function() { amsManagedIdentityEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Managed Identity is not enabled for Azure Media Service account'); + expect(results[0].message).to.include('Media Service account does not have managed Identity enabled'); expect(results[0].region).to.equal('eastus'); done(); }); @@ -111,7 +111,7 @@ describe('amsManagedIdentityEnabled', function() { amsManagedIdentityEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Managed Identity is enabled for Azure Media Service account'); + expect(results[0].message).to.include('Media Service account has managed Identity enabled'); expect(results[0].region).to.equal('eastus'); done(); }); 
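Review bot: The PASS branch still accepts only the exact strings `'userassigned'` and `'systemassigned'` (context line at the top of the hunk), so an account whose `identity.type` reports both identities — ARM spells that `SystemAssigned,UserAssigned` on resources that allow it — would be reported as having no managed identity; a containment check such as `var identityType = getMediaService.data.identity.type.toLowerCase(); if (identityType.includes('systemassigned') || identityType.includes('userassigned'))` avoids that, assuming Media Services exposes the combined form (not visible here). On the reworded messages, `'managed Identity'` capitalises Identity mid-sentence in both new strings; `'Media Service account has managed identity enabled'` and its negative counterpart, with the matching spec expectations, read cleaner. The enclosing `if` and loop begin outside this hunk.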
From 43661b2f962019ed0c4253ae6e70783a6f25dfb9 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Mon, 4 Dec 2023 22:25:13 +0500 Subject: [PATCH 191/498] pr changes --- plugins/azure/mediaServices/amsPublicAccessDisabled.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/plugins/azure/mediaServices/amsPublicAccessDisabled.js b/plugins/azure/mediaServices/amsPublicAccessDisabled.js index 03e39a7f20..281a3a4bd7 100644 --- a/plugins/azure/mediaServices/amsPublicAccessDisabled.js +++ b/plugins/azure/mediaServices/amsPublicAccessDisabled.js @@ -2,12 +2,12 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Azure Media Services Public Access Disabled', + title: 'Media Services Public Access Disabled', category: 'Media Services', - domain: 'Network Access Control', + domain: 'Content Delivery', description: 'Ensure that Microsoft Azure Media Services have public access disabled.', - more_info: 'Diagnostic logs provide valuable insights into the operation and health of Media Services. By enabling diagnostic logs, you can gather diagnostic data that could be useful to create notification alerts.', - link: 'https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/media-services-security-baseline', + more_info: 'Disabling public network access improves security by ensuring that Media Services resources are not exposed on the public internet. ', + link: 'https://learn.microsoft.com/en-us/azure/media-services/latest/security-azure-policy', recommended_action: 'Modify the media service network settings and enable private access.', apis: ['mediaServices:listAll'], From 665f5761a4dd98884a16ac0819ce31e320f0bf45 Mon Sep 17 00:00:00 2001 
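Review bot: The new `more_info` string ends with a trailing space inside the literal (`'...public internet. '`), which is emitted verbatim in reports; drop it. The unchanged `recommended_action` on the context line below still tells the user to "enable private access", whereas the check and the new `more_info` are about public network access being disabled — `recommended_action: 'Modify the media service network settings and disable public network access.'` matches what the plugin evaluates. The `domain: 'Content Delivery'` value is consistent with the sibling Media Services plugins in this series, so no objection there.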
From: abdullahaslam306 Date: Mon, 4 Dec 2023 22:37:07 +0500 Subject: [PATCH 192/498] pr comments --- .../azure/mediaServices/amsDiagnosticLogsEnabled.js | 10 ++++++++-- .../mediaServices/amsDiagnosticLogsEnabled.spec.js | 10 ++++++++++ 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js b/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js index f2b9fb1d9c..4190383618 100644 --- a/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js +++ b/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js @@ -2,9 +2,9 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Azure Media Services Diagnostic Logs Enabled', + title: 'Media Services Diagnostic Logs Enabled', category: 'Media Services', - domain: 'Network Access Control', + domain: 'Content Delivery', description: 'Ensure that Microsoft Azure Media Services have diagnostic logs enabled.', more_info: 'Diagnostic logs provide valuable insights into the operation and health of Media Services. By enabling diagnostic logs, you can gather diagnostic data that could be useful to create notification alerts.', link: 'https://learn.microsoft.com/en-us/azure/media-services/latest/monitoring/monitor-media-services', @@ -43,6 +43,12 @@ module.exports = { location, mediaService.id); continue; } + + if (!diagnosticSettings.data.length){ + helpers.addResult(results, 0, 'No Diagnostic settings found', location, mediaService.id); + continue; + } + var found = diagnosticSettings.data.find(ds => ds.logs && ds.logs.length); if (found) { diff --git a/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.spec.js b/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.spec.js index cf226de825..5764d5a8e1 100644 --- a/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.spec.js +++ b/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.spec.js 
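Review bot: The new early return at `if (!diagnosticSettings.data.length)` reports status 0 ('No Diagnostic settings found') for a Media Services account that has no diagnostic settings at all, which is precisely the state this plugin exists to flag — without a diagnostic setting no log category can be enabled, so a passing result here silently hides the gap. Elsewhere in this series the equivalent branch fails (the Application Gateway plugins removed later return 2 for 'No existing ... diagnostics settings found', and the Front Door plugins now fall through to 'not enabled'), so this should be `helpers.addResult(results, 2, 'No diagnostic settings found', location, mediaService.id);`. The companion spec hunk that follows pins `status` to 0 and would need the same flip. The enclosing loop body begins before this hunk.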
@@ -133,5 +133,15 @@ describe('amsDiagnosticLogsEnabled', function() { done(); }); }); + it('should give passing result if no diagnostic settings found', function(done) { + const cache = createCache([mediaServices[0]], []); + amsDiagnosticLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No Diagnostic settings found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); }); }); From 6c5a2c741bdca8e8b16f65a2a86fb485952ee5a7 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 22:38:03 +0500 Subject: [PATCH 193/498] Update vmDiskDeleteConfig.js --- plugins/azure/virtualmachines/vmDiskDeleteConfig.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/plugins/azure/virtualmachines/vmDiskDeleteConfig.js b/plugins/azure/virtualmachines/vmDiskDeleteConfig.js index 5f11135d9b..c0ebdcb499 100644 --- a/plugins/azure/virtualmachines/vmDiskDeleteConfig.js +++ b/plugins/azure/virtualmachines/vmDiskDeleteConfig.js 
@@ -2,12 +2,12 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Azure VM Automatic Disks Delete Enabled', + title: 'VM Automatic Disks Delete Enabled', category: 'Virtual Machines', domain: 'Compute', - description: 'Ensure the option to automatically delete disks is enabled when the associated VM is terminated to ensure all confidential information is wiped.', + description: 'Ensure the option to automatically delete disks is enabled when the associated VM is terminated.', more_info: 'Disks persist independently from VMs. Enabling this option ensures that all disks associated with a VM are deleted automatically when the VM is terminated, enhancing security.', - recommended_action: 'Configure VMs to automatically delete disks when the VM is terminated to enhance security and prevent lingering confidential information.', + recommended_action: 'Configure VMs to automatically delete disks when the VM is terminated.', link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/delete?tabs=portal2%2Ccli3%2Cportal4%2Cportal5', apis: ['virtualMachines:listAll'], @@ -23,7 +23,7 @@ module.exports = { if (!virtualMachines) return rcb(); if (virtualMachines.err || !virtualMachines.data) { - helpers.addResult(results, 3, 'Unable to query for virtual machines: ' + helpers.addError(virtualMachines), location); + helpers.addResult(results, 3, 'Unable to query for Virtual Machines: ' + helpers.addError(virtualMachines), location); return rcb(); } From 9bf4224d80770a422c577725bb28123befda7ece Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Mon, 4 Dec 2023 22:39:51 +0500 Subject: [PATCH 194/498] updated with recommended changes --- plugins/azure/virtualmachines/vmDiskDeleteConfig.spec.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmDiskDeleteConfig.spec.js b/plugins/azure/virtualmachines/vmDiskDeleteConfig.spec.js index add9490730..0eb046e9e8 100644 
--- a/plugins/azure/virtualmachines/vmDiskDeleteConfig.spec.js +++ b/plugins/azure/virtualmachines/vmDiskDeleteConfig.spec.js @@ -56,7 +56,7 @@ describe('autoDeleteDisks', function() { autoDeleteDisks.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); - expect(results[0].message).to.include('Unable to query for virtual machines'); + expect(results[0].message).to.include('Unable to query for Virtual Machines'); expect(results[0].region).to.equal('eastus'); done(); }); From 2e3473f9c1179afbddfc5b3dd4d7ca91669d0a37 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Mon, 4 Dec 2023 22:40:21 +0500 Subject: [PATCH 195/498] pr comments --- plugins/azure/mediaServices/amsClassicApiDisabled.js | 8 ++++---- plugins/azure/mediaServices/amsClassicApiDisabled.spec.js | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/plugins/azure/mediaServices/amsClassicApiDisabled.js b/plugins/azure/mediaServices/amsClassicApiDisabled.js index 5a9b6baddb..9e51bd9e61 100644 --- a/plugins/azure/mediaServices/amsClassicApiDisabled.js +++ b/plugins/azure/mediaServices/amsClassicApiDisabled.js @@ -2,9 +2,9 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Azure Media Services Classic API Disabled', + title: 'Media Services Classic API Disabled', category: 'Media Services', - domain: 'Media Service Configuration', + domain: 'Content Delivery', description: 'Ensure that Microsoft Azure Media Services do not have the Classic API enabled.', more_info: 'Disabling the Classic API for Azure Media Services is recommended to utilize modern APIs and features. Enabling classic features can enable the use of classic V2 APIs but might disable advanced security features like managed identities.', link: 'https://learn.microsoft.com/en-us/azure/media-services/latest/migrate-v-2-v-3-differences-api-access', 
@@ -45,9 +45,9 @@ module.exports = { } if (getMediaService.data.identity) { - helpers.addResult(results, 0, 'Classic API is disabled for the Media Service account', location, mediaService.id); + helpers.addResult(results, 0, 'Media Service account has classic API disabled', location, mediaService.id); } else { - helpers.addResult(results, 2, 'Classic API is enabled for the Media Service account', location, mediaService.id); + helpers.addResult(results, 2, 'Media Service account has classic API enabled', location, mediaService.id); } } diff --git a/plugins/azure/mediaServices/amsClassicApiDisabled.spec.js b/plugins/azure/mediaServices/amsClassicApiDisabled.spec.js index d2a9b95c91..a45b8e29aa 100644 --- a/plugins/azure/mediaServices/amsClassicApiDisabled.spec.js +++ b/plugins/azure/mediaServices/amsClassicApiDisabled.spec.js @@ -100,7 +100,7 @@ describe('amsClassicApiDisabled', function() { amsClassicApiDisabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Classic API is disabled for the Media Service account'); + expect(results[0].message).to.include('Media Service account has classic API disabled'); expect(results[0].region).to.equal('eastus'); done(); }); @@ -111,7 +111,7 @@ describe('amsClassicApiDisabled', function() { amsClassicApiDisabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Classic API is enabled for the Media Service account'); + expect(results[0].message).to.include('Media Service account has classic API enabled'); expect(results[0].region).to.equal('eastus'); done(); }); From 88d3fe65df14a25dea40fa793d70edd3d1327bc4 Mon Sep 17 00:00:00 2001 
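Review bot: The renamed messages leave the underlying inference untouched: `if (getMediaService.data.identity)` treats the mere presence of an `identity` object as proof that the classic (v2) API is disabled, so an account with classic features off but no identity assigned is reported as 'classic API enabled', and an identity block with `type: 'None'` still passes. The plugin's own `more_info` says enabling classic features "might disable" managed identities — a one-way implication that makes this a heuristic rather than a direct check. At minimum tighten it to `if (getMediaService.data.identity && getMediaService.data.identity.type && getMediaService.data.identity.type.toLowerCase() !== 'none')` and add a comment above the condition stating that the classic-API state is inferred from the identity block because it is not exposed directly, if that is indeed the case (not visible from this hunk). The enclosing loop begins outside the hunk.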
From: alphadev4 Date: Mon, 4 Dec 2023 22:41:33 +0500 Subject: [PATCH 196/498] removed application gateway plugins --- helpers/azure/functions.js | 14 -- .../applicationGateway/agAccessLogsEnabled.js | 59 ----- .../agAccessLogsEnabled.spec.js | 219 ------------------ .../agFirewallLogsEnabled.js | 59 ----- .../agFirewallLogsEnabled.spec.js | 219 ------------------ plugins/azure/frontdoor/accessLogsEnabled.js | 12 +- .../azure/frontdoor/accessLogsEnabled.spec.js | 11 - plugins/azure/frontdoor/wafLogsEnabled.js | 12 +- .../azure/frontdoor/wafLogsEnabled.spec.js | 11 - 9 files changed, 16 insertions(+), 600 deletions(-) delete mode 100644 plugins/azure/applicationGateway/agAccessLogsEnabled.js delete mode 100644 plugins/azure/applicationGateway/agAccessLogsEnabled.spec.js delete mode 100644 plugins/azure/applicationGateway/agFirewallLogsEnabled.js delete mode 100644 plugins/azure/applicationGateway/agFirewallLogsEnabled.spec.js diff --git a/helpers/azure/functions.js b/helpers/azure/functions.js index 40759337ab..2cef51ad34 100644 --- a/helpers/azure/functions.js +++ b/helpers/azure/functions.js @@ -692,19 +692,6 @@ function remediateOpenPorts(putCall, pluginName, protocol, port, config, cache, }); } -function diagnosticSettingLogs(diagnosticSettings, logsCategory, categoryGroup) { - var logsEnabled = false; - diagnosticSettings.data.forEach(setting => { - var logs = setting.logs; - if (logs.some(log => (categoryGroup.indexOf(log.categoryGroup) > -1 || log.category == logsCategory) && log.enabled)) { - logsEnabled = true; - return; - } - }); - - return logsEnabled; -} - module.exports = { addResult: addResult, findOpenPorts: findOpenPorts, @@ -716,5 +703,4 @@ module.exports = { processCall: processCall, remediateOpenPorts: remediateOpenPorts, remediateOpenPortsHelper: remediateOpenPortsHelper, - diagnosticSettingLogs: diagnosticSettingLogs, }; 
diff --git a/plugins/azure/applicationGateway/agAccessLogsEnabled.js b/plugins/azure/applicationGateway/agAccessLogsEnabled.js deleted file mode 100644 index cf72676e3f..0000000000 --- a/plugins/azure/applicationGateway/agAccessLogsEnabled.js +++ /dev/null 
@@ -1,59 +0,0 @@ -const async = require('async'); -const helpers = require('../../../helpers/azure'); - -module.exports = { - title: 'Application Gateway Access Logs Enabled', - category: 'Application Gateway', - domain: 'Network Access Control', - description: 'Ensures that Application Gateway Access Log is enabled.', - more_info: 'Application Gateway logs provide detailed information for events related to a resource and its operations. Access logs helps to analyze important information including the caller\'s IP, requested URL, response latency, return code, and bytes in and out. An access log is collected every 60 seconds.', - recommended_action: 'Ensure that diagnostic setting for Application Gateway Access Log is enabled.', - link: 'https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics', - apis: ['applicationGateway:listAll', 'diagnosticSettings:listByApplicationGateways'], - - run: function(cache, settings, callback) { - const results = []; - const source = {}; - const locations = helpers.locations(settings.govcloud); - async.each(locations.applicationGateway, (location, rcb) => { - const applicationGateways = helpers.addSource(cache, source, - ['applicationGateway', 'listAll', location]); - - if (!applicationGateways) return rcb(); - - if (applicationGateways.err || !applicationGateways.data) { - helpers.addResult(results, 3, - 'Unable to query Application Gateway: ' + helpers.addError(applicationGateways), location); - return rcb(); - } - - if (!applicationGateways.data.length) { - helpers.addResult(results, 0, 'No existing Application Gateway found', location); - return rcb(); - } - - applicationGateways.data.forEach(function(appGateway) { - if (!appGateway.id) return; - const diagnosticSettings = helpers.addSource(cache, source, - ['diagnosticSettings', 'listByApplicationGateways', location, appGateway.id]); - - if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) { - 
helpers.addResult(results, 3, 'Unable to query Application Gateway diagnostics settings: ' + helpers.addError(diagnosticSettings), location, appGateway.id); - } else if (!diagnosticSettings.data.length) { - helpers.addResult(results, 2, 'No existing Application Gateway diagnostics settings found', location, appGateway.id); - } else { - var accessLogsEnabled = helpers.diagnosticSettingLogs(diagnosticSettings, 'ApplicationGatewayAccessLog', ['allLogs']); - if (accessLogsEnabled) { - helpers.addResult(results, 0, 'Application Gateway access logs are enabled', location, appGateway.id); - } else { - helpers.addResult(results, 2, 'Application Gateway access logs are not enabled', location, appGateway.id); - } - } - }); - - rcb(); - }, function() { - callback(null, results, source); - }); - } -}; \ No newline at end of file diff --git a/plugins/azure/applicationGateway/agAccessLogsEnabled.spec.js b/plugins/azure/applicationGateway/agAccessLogsEnabled.spec.js deleted file mode 100644 index a96b30bd35..0000000000 --- a/plugins/azure/applicationGateway/agAccessLogsEnabled.spec.js +++ /dev/null 
@@ -1,219 +0,0 @@ -var expect = require('chai').expect; -var agAccessLogsEnabled = require('./agAccessLogsEnabled'); - -const appGateway = [ - { - "name": "meerab-test", - "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/meerab-rg/providers/Microsoft.Network/applicationGateways/meerab-test", - "etag": "W/\"b3bb388c-f5ff-495a-8163-98edbeb32047\"", - "type": "Microsoft.Network/applicationGateways", - "location": "eastus", - "tags": {}, - "provisioningState": "Succeeded", - "resourceGuid": "c166b007-4ecd-45c2-9faa-74664407558b", - "sku": { - "name": "WAF_v2", - "tier": "WAF_v2", - "family": "Generation_1" - }, - } -]; - -const diagnosticSettings = [ - { - "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/microsoft.network/applicationgateways/meerab-test/providers/microsoft.insights/diagnosticSettings/app-ds", - "type": "Microsoft.Insights/diagnosticSettings", - "name": "app-ds", - "logs": [ - { - "category": "ApplicationGatewayAccessLog", - "categoryGroup": null, - "enabled": true, - "retentionPolicy": { - "enabled": false, - "days": 0 - } - }, - { - "category": "ApplicationGatewayFirewallLog", - "categoryGroup": null, - "enabled": true, - "retentionPolicy": { - "enabled": false, - "days": 0 - } - } - ], - "logAnalyticsDestinationType": null - }, - {}, - { - "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/microsoft.network/applicationgateways/meerab-test/providers/microsoft.insights/diagnosticSettings/app-ds", - "type": "Microsoft.Insights/diagnosticSettings", - "name": "app-ds", - "logs": [ - { - "category": "ApplicationGatewayAccessLog", - "categoryGroup": null, - "enabled": false, - "retentionPolicy": { - "enabled": false, - "days": 0 - } - }, - ], - "logAnalyticsDestinationType": null - }, -] -const createCache = (applicationGateway, diagnostics) => { - let diagnostic = {}; - if (applicationGateway.length) { - diagnostic[applicationGateway[0].id] = { 
- data: diagnostics - }; - } - - return { - applicationGateway: { - listAll: { - 'eastus': { - data: applicationGateway - } - } - }, - diagnosticSettings: { - listByApplicationGateways: { - 'eastus': diagnostic - } - } - }; -}; - -const createErrorCache = (key) => { - if (key == 'appGateway') { - return { - applicationGateway: { - listAll: { - 'eastus': {} - } - } - }; - } else if (key === 'noGateway'){ - return { - applicationGateway: { - listAll: { - 'eastus': { - data:{} - } - } - } - }; - }else if (key === 'diagnostic') { - return { - applicationGateway: { - listAll: { - 'eastus': { - data: [appGateway[0]] - } - } - }, - diagnosticSettings: { - listByApplicationGateways: { - 'eastus': {} - } - } - }; - } else { - const appId = (appGateway && appGateway.length) ? appGateway[0].id : null; - const diagnosticSetting = (diagnosticSettings && diagnosticSettings.length) ? diagnosticSettings[0].id : null; - return { - applicationGateway: { - listAll: { - 'eastus': { - data: [appId[0]] - } - } - }, - diagnosticSettings: { - listByApplicationGateways: { - 'eastus': { - data: {} - } - } - } - }; - } -}; - -describe('agAccessLogsEnabled', function() { - describe('run', function() { - it('should give passing result if no Application Gateway found', function(done) { - const cache = createErrorCache('noGateway'); - agAccessLogsEnabled.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('No existing Application Gateway found'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); - - it('should give unknown result unable to query Application Gateway:', function(done) { - const cache = createErrorCache('appGateway'); - agAccessLogsEnabled.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(3); - expect(results[0].message).to.include('Unable to query Application Gateway'); - 
expect(results[0].region).to.equal('eastus'); - done(); - }); - }); - - - it('should give unknown result unable to query Application Gateway diagnostics settings:', function(done) { - const cache = createErrorCache('diagnostic'); - agAccessLogsEnabled.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(3); - expect(results[0].message).to.include('Unable to query Application Gateway diagnostics settings:'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); - - it('should give pass result if no existing Application Gateway diagnostics settings found', function(done) { - const cache = createCache([appGateway[0]],diagnosticSettings[1]); - agAccessLogsEnabled.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('No existing Application Gateway diagnostics settings found'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); - - it('should give pass result if Application Gateway access logs are enabled', function(done) { - const cache = createCache([appGateway[0]],[diagnosticSettings[0]]); - agAccessLogsEnabled.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Application Gateway access logs are enabled'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); - - it('should give pass result if Application Gateway access logs are not enabled', function(done) { - const cache = createCache([appGateway[0]],[diagnosticSettings[2]]); - agAccessLogsEnabled.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Application Gateway access logs are not enabled'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); - - }); -}); - 
diff --git a/plugins/azure/applicationGateway/agFirewallLogsEnabled.js b/plugins/azure/applicationGateway/agFirewallLogsEnabled.js deleted file mode 100644 index 1befe89a30..0000000000 --- a/plugins/azure/applicationGateway/agFirewallLogsEnabled.js +++ /dev/null 
@@ -1,59 +0,0 @@ -const async = require('async'); -const helpers = require('../../../helpers/azure'); - -module.exports = { - title: 'Application Gateway Firewall Logs Enabled', - category: 'Application Gateway', - domain: 'Network Access Control', - description: 'Ensures that Application Gateway Firewall Log is enabled.', - more_info: 'Application Gateway logs provide detailed information for events related to a resource and its operations. Firewall logs helps to analyze the requests that are logged through either detection or prevention mode of an application gateway that is configured with the web application firewall.', - recommended_action: 'Ensure that diagnostic setting for Application Gateway Firewall Log is enabled.', - link: 'https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics', - apis: ['applicationGateway:listAll', 'diagnosticSettings:listByApplicationGateways'], - - run: function(cache, settings, callback) { - const results = []; - const source = {}; - const locations = helpers.locations(settings.govcloud); - async.each(locations.applicationGateway, (location, rcb) => { - const applicationGateways = helpers.addSource(cache, source, - ['applicationGateway', 'listAll', location]); - - if (!applicationGateways) return rcb(); - - if (applicationGateways.err || !applicationGateways.data) { - helpers.addResult(results, 3, - 'Unable to query Application Gateway: ' + helpers.addError(applicationGateways), location); - return rcb(); - } - - if (!applicationGateways.data.length) { - helpers.addResult(results, 0, 'No existing Application Gateway found', location); - return rcb(); - } - applicationGateways.data.forEach(function(appGateway) { - if (!appGateway.id) return; - - const diagnosticSettings = helpers.addSource(cache, source, - ['diagnosticSettings', 'listByApplicationGateways', location, appGateway.id]); - - if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) { - helpers.addResult(results, 
3, 'Unable to query Application Gateway diagnostics settings: ' + helpers.addError(diagnosticSettings), location, appGateway.id); - } else if (!diagnosticSettings.data.length) { - helpers.addResult(results, 2, 'No existing Application Gateway diagnostics settings found', location, appGateway.id); - } else { - var accessLogsEnabled = helpers.diagnosticSettingLogs(diagnosticSettings, 'ApplicationGatewayFirewallLog', ['allLogs']); - if (accessLogsEnabled) { - helpers.addResult(results, 0, 'Application Gateway firewall logs are enabled', location, appGateway.id); - } else { - helpers.addResult(results, 2, 'Application Gateway firewall logs are not enabled', location, appGateway.id); - } - } - }); - - rcb(); - }, function() { - callback(null, results, source); - }); - } -}; \ No newline at end of file diff --git a/plugins/azure/applicationGateway/agFirewallLogsEnabled.spec.js b/plugins/azure/applicationGateway/agFirewallLogsEnabled.spec.js deleted file mode 100644 index 04e9f5710c..0000000000 --- a/plugins/azure/applicationGateway/agFirewallLogsEnabled.spec.js +++ /dev/null 
@@ -1,219 +0,0 @@ -var expect = require('chai').expect; -var agFirewallLogsEnabled = require('./agFirewallLogsEnabled'); - -const appGateway = [ - { - "name": "meerab-test", - "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/meerab-rg/providers/Microsoft.Network/applicationGateways/meerab-test", - "etag": "W/\"b3bb388c-f5ff-495a-8163-98edbeb32047\"", - "type": "Microsoft.Network/applicationGateways", - "location": "eastus", - "tags": {}, - "provisioningState": "Succeeded", - "resourceGuid": "c166b007-4ecd-45c2-9faa-74664407558b", - "sku": { - "name": "WAF_v2", - "tier": "WAF_v2", - "family": "Generation_1" - }, - } -]; - -const diagnosticSettings = [ - { - "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/microsoft.network/applicationgateways/meerab-test/providers/microsoft.insights/diagnosticSettings/app-ds", - "type": "Microsoft.Insights/diagnosticSettings", - "name": "app-ds", - "logs": [ - { - "category": "ApplicationGatewayAccessLog", - "categoryGroup": null, - "enabled": true, - "retentionPolicy": { - "enabled": false, - "days": 0 - } - }, - { - "category": "ApplicationGatewayFirewallLog", - "categoryGroup": null, - "enabled": true, - "retentionPolicy": { - "enabled": false, - "days": 0 - } - } - ], - "logAnalyticsDestinationType": null - }, - {}, - { - "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/microsoft.network/applicationgateways/meerab-test/providers/microsoft.insights/diagnosticSettings/app-ds", - "type": "Microsoft.Insights/diagnosticSettings", - "name": "app-ds", - "logs": [ - { - "category": "ApplicationGatewayAccessLog", - "categoryGroup": null, - "enabled": false, - "retentionPolicy": { - "enabled": false, - "days": 0 - } - }, - ], - "logAnalyticsDestinationType": null - }, -] -const createCache = (applicationGateway, diagnostics) => { - let diagnostic = {}; - if (applicationGateway.length) { - diagnostic[applicationGateway[0].id] 
= { - data: diagnostics - }; - } - - return { - applicationGateway: { - listAll: { - 'eastus': { - data: applicationGateway - } - } - }, - diagnosticSettings: { - listByApplicationGateways: { - 'eastus': diagnostic - } - } - }; -}; - -const createErrorCache = (key) => { - if (key == 'appGateway') { - return { - applicationGateway: { - listAll: { - 'eastus': {} - } - } - }; - } else if (key === 'noGateway'){ - return { - applicationGateway: { - listAll: { - 'eastus': { - data:{} - } - } - } - }; - }else if (key === 'diagnostic') { - return { - applicationGateway: { - listAll: { - 'eastus': { - data: [appGateway[0]] - } - } - }, - diagnosticSettings: { - listByApplicationGateways: { - 'eastus': {} - } - } - }; - } else { - const appId = (appGateway && appGateway.length) ? appGateway[0].id : null; - const diagnosticSetting = (diagnosticSettings && diagnosticSettings.length) ? diagnosticSettings[0].id : null; - return { - applicationGateway: { - listAll: { - 'eastus': { - data: [appId[0]] - } - } - }, - diagnosticSettings: { - listByApplicationGateways: { - 'eastus': { - data: {} - } - } - } - }; - } -}; - -describe('agFirewallLogsEnabled', function() { - describe('run', function() { - it('should give passing result if no Application Gateway found', function(done) { - const cache = createErrorCache('noGateway'); - agFirewallLogsEnabled.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('No existing Application Gateway found'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); - - it('should give unknown result unable to query Application Gateway:', function(done) { - const cache = createErrorCache('appGateway'); - agFirewallLogsEnabled.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(3); - expect(results[0].message).to.include('Unable to query Application Gateway'); - 
expect(results[0].region).to.equal('eastus'); - done(); - }); - }); - - - it('should give unknown result unable to query Application Gateway diagnostics settings:', function(done) { - const cache = createErrorCache('diagnostic'); - agFirewallLogsEnabled.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(3); - expect(results[0].message).to.include('Unable to query Application Gateway diagnostics settings:'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); - - it('should give pass result if no existing Application Gateway diagnostics settings found', function(done) { - const cache = createCache([appGateway[0]],diagnosticSettings[1]); - agFirewallLogsEnabled.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('No existing Application Gateway diagnostics settings found'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); - - it('should give pass result if Application Gateway firewall logs are enabled', function(done) { - const cache = createCache([appGateway[0]],[diagnosticSettings[0]]); - agFirewallLogsEnabled.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Application Gateway firewall logs are enabled'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); - - it('should give pass result if Application Gateway firewall logs are not enabled', function(done) { - const cache = createCache([appGateway[0]],[diagnosticSettings[2]]); - agFirewallLogsEnabled.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Application Gateway firewall logs are not enabled'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); - - }); -}); - 
diff --git a/plugins/azure/frontdoor/accessLogsEnabled.js b/plugins/azure/frontdoor/accessLogsEnabled.js index cdfd229be8..b017622c78 100644 --- a/plugins/azure/frontdoor/accessLogsEnabled.js +++ b/plugins/azure/frontdoor/accessLogsEnabled.js @@ -42,11 +42,15 @@ module.exports = { if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) { helpers.addResult(results, 3, 'Unable to query Front Door diagnostics settings: ' + helpers.addError(diagnosticSettings), location, profile.id); - } else if (!diagnosticSettings.data.length) { - helpers.addResult(results, 2, 'No existing Front Door diagnostics settings found', location, profile.id); } else { - var accessLogsEnabled = helpers.diagnosticSettingLogs(diagnosticSettings, 'FrontDoorAccessLog', ['audit','allLogs']); - if (accessLogsEnabled) { + var frontDoorAccessLogEnabled = false; + diagnosticSettings.data.forEach(setting => { + var logs = setting.logs; + if (logs.some(log => (log.categoryGroup === 'audit' || log.categoryGroup === 'allLogs' || log.category === 'FrontDoorAccessLog') && log.enabled)) { + frontDoorAccessLogEnabled = true; + } + }); + if (frontDoorAccessLogEnabled) { helpers.addResult(results, 0, 'Front Door access logs are enabled', location, profile.id); } else { helpers.addResult(results, 2, 'Front Door access logs are not enabled', location, profile.id); diff --git a/plugins/azure/frontdoor/accessLogsEnabled.spec.js b/plugins/azure/frontdoor/accessLogsEnabled.spec.js index 2cc245ab56..990adc58f6 100644 --- a/plugins/azure/frontdoor/accessLogsEnabled.spec.js +++ b/plugins/azure/frontdoor/accessLogsEnabled.spec.js 
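Review bot: The inlined check dereferences `setting.logs` without a guard — `var logs = setting.logs; if (logs.some(...))` throws a TypeError if a diagnostic setting carries only `metrics` and no `logs` array; the removed `diagnosticSettingLogs` helper shared that weakness, but this rewrite is the place to close it. A null-safe form also drops the forEach-with-flag: `var frontDoorAccessLogEnabled = diagnosticSettings.data.some(setting => (setting.logs || []).some(log => (log.categoryGroup === 'audit' || log.categoryGroup === 'allLogs' || log.category === 'FrontDoorAccessLog') && log.enabled));`. Whether the API ever omits `logs` is not visible from this hunk, so treat the guard as defensive. Removing the 'No existing Front Door diagnostics settings found' branch is sound — an empty array now falls through to the status-2 'not enabled' result — but the spec hunk below only deletes the old case rather than pinning that fall-through, so a test for an empty settings array should be kept. The enclosing `forEach` body starts and ends outside this hunk.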
@@ -191,17 +191,6 @@ describe('accessLogsEnabled', function () { }); }); - it('should give pass result if No existing Front Door diagnostics settings', function (done) { - const cache = createCache([profiles[1]], diagnosticSettings[2]); - accessLogsEnabled.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('No existing Front Door diagnostics settings'); - expect(results[0].region).to.equal('global'); - done(); - }); - }); - it('should give passing result if Access Log are enabled for Azure Front Door', function (done) { const cache = createCache([profiles[0]], [diagnosticSettings[0]]); accessLogsEnabled.run(cache, {}, (err, results) => { diff --git a/plugins/azure/frontdoor/wafLogsEnabled.js b/plugins/azure/frontdoor/wafLogsEnabled.js index 526da63264..7387cac8e0 100644 --- a/plugins/azure/frontdoor/wafLogsEnabled.js +++ b/plugins/azure/frontdoor/wafLogsEnabled.js 
@@ -42,11 +42,15 @@ module.exports = {
 if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) {
 helpers.addResult(results, 3, 'Unable to query Front Door diagnostics settings: ' + helpers.addError(diagnosticSettings), location, profile.id);
- } else if (!diagnosticSettings.data.length) {
- helpers.addResult(results, 2, 'No existing Front Door diagnostics settings found', location, profile.id);
 } else {
- var frontDoorWafLogsEnabled = helpers.diagnosticSettingLogs(diagnosticSettings, 'FrontDoorWebApplicationFirewallLog', ['allLogs']);
- if (frontDoorWafLogsEnabled) {
+ var frontDoorWafLogsEnabled = false;
+ diagnosticSettings.data.forEach(setting => {
+ var logs = setting.logs;
+ if (logs.some(log => (log.categoryGroup === 'allLogs' || log.category === 'FrontDoorWebApplicationFirewallLog') && log.enabled)) {
+ frontDoorWafLogsEnabled = true;
+ }
+ });
+ if (frontDoorWafLogsEnabled) {
 helpers.addResult(results, 0, 'Front Door profile WAF logs are enabled', location, profile.id);
 } else {
 helpers.addResult(results, 2, 'Front Door profile WAF logs are not enabled', location, profile.id);
diff --git a/plugins/azure/frontdoor/wafLogsEnabled.spec.js b/plugins/azure/frontdoor/wafLogsEnabled.spec.js
index 456de2714c..8bec80ddfc 100644
--- a/plugins/azure/frontdoor/wafLogsEnabled.spec.js
+++ b/plugins/azure/frontdoor/wafLogsEnabled.spec.js
@@ -192,17 +192,6 @@ describe('wafLogsEnabled', function () { }); }); - it('should give pass result if No existing Front Door diagnostics settings', function (done) { - const cache = createCache([profiles[1]], diagnosticSettings[2]); - wafLogsEnabled.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('No existing Front Door diagnostics settings'); - expect(results[0].region).to.equal('global'); - done(); - }); - }); - it('should give passing result if Front Door profile WAF logs are enabled for Azure Front Door', function (done) { const cache = createCache([profiles[0]], [diagnosticSettings[1]]); wafLogsEnabled.run(cache, {}, (err, results) => { From 0341ae6d861fc681644816195e606b1be075be07 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 22:42:21 +0500 Subject: [PATCH 197/498] Update plugins/azure/virtualmachines/vmVTPMEnabled.js Co-authored-by: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> --- plugins/azure/virtualmachines/vmVTPMEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmVTPMEnabled.js b/plugins/azure/virtualmachines/vmVTPMEnabled.js index 4f15a70453..64037b4f3f 100644 --- a/plugins/azure/virtualmachines/vmVTPMEnabled.js +++ b/plugins/azure/virtualmachines/vmVTPMEnabled.js @@ -2,7 +2,7 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Azure VMs vTPM Enabled', + title: 'VM vTPM Enabled', category: 'Virtual Machines', domain: 'Compute', description: 'Ensure Virtual Trusted Platform Module (vTPM) is enabled for Azure virtual machines (VM) to validate boot integrity, securely store keys and secrets, and support advanced threat detection.', From 2da6030626e89513ae531889c2d27b63d3ad5882 Mon Sep 17 00:00:00 2001 
From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 22:42:37 +0500 Subject: [PATCH 198/498] Update plugins/azure/virtualmachines/vmVTPMEnabled.js Co-authored-by: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> --- plugins/azure/virtualmachines/vmVTPMEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmVTPMEnabled.js b/plugins/azure/virtualmachines/vmVTPMEnabled.js index 64037b4f3f..a514d9efee 100644 --- a/plugins/azure/virtualmachines/vmVTPMEnabled.js +++ b/plugins/azure/virtualmachines/vmVTPMEnabled.js @@ -5,7 +5,7 @@ module.exports = { title: 'VM vTPM Enabled', category: 'Virtual Machines', domain: 'Compute', - description: 'Ensure Virtual Trusted Platform Module (vTPM) is enabled for Azure virtual machines (VM) to validate boot integrity, securely store keys and secrets, and support advanced threat detection.', + description: 'Ensure Virtual Trusted Platform Module (vTPM) is enabled for Azure virtual machines (VM).', more_info: 'vTPM is TPM2.0 compliant and enhances security by validating VM boot integrity and providing a secure storage mechanism for keys and secrets.', recommended_action: 'Enable vTPM for Azure virtual machines to leverage advanced security features and support Guest Attestation in Azure Security Center.', link: 'https://learn.microsoft.com/en-us/azure/confidential-computing/virtual-tpms-in-azure-confidential-vm', From 60e60f1c0fe8e1ebef49796a0b9fbfa1dfbf9660 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Mon, 4 Dec 2023 22:42:42 +0500 Subject: [PATCH 199/498] removed from exports --- exports.js | 2 -- 1 file changed, 2 deletions(-) diff --git a/exports.js b/exports.js index fb4396705e..84d847377b 100644 --- a/exports.js +++ b/exports.js 
@@ -976,8 +976,6 @@ module.exports = { 'agWafEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agWafEnabled'), 'agPreventionModeEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agPreventionModeEnabled.js'), - 'agAccessLogsEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agAccessLogsEnabled.js'), - 'agFirewallLogsEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agFirewallLogsEnabled.js'), 'subscriptionHasTags' : require(__dirname + '/plugins/azure/subscription/subscriptionHasTags.js'), 'rgHasTags' : require(__dirname + '/plugins/azure/resourceGroup/rgHasTags.js'), From 5870771b2d63a7c96bdc2398eca3c60565b9cf52 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Mon, 4 Dec 2023 22:43:11 +0500 Subject: [PATCH 200/498] Update helpers/azure/functions.js --- helpers/azure/functions.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helpers/azure/functions.js b/helpers/azure/functions.js index 2cef51ad34..0a40c0a0e1 100644 --- a/helpers/azure/functions.js +++ b/helpers/azure/functions.js @@ -702,5 +702,5 @@ module.exports = { remediatePlugin: remediatePlugin, processCall: processCall, remediateOpenPorts: remediateOpenPorts, - remediateOpenPortsHelper: remediateOpenPortsHelper, + remediateOpenPortsHelper: remediateOpenPortsHelper }; From b0be9e7570c16454df5629b6090f8e81aba42285 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Mon, 4 Dec 2023 22:43:31 +0500 Subject: [PATCH 201/498] Update plugins/azure/frontdoor/wafLogsEnabled.js Co-authored-by: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> --- plugins/azure/frontdoor/wafLogsEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/frontdoor/wafLogsEnabled.js b/plugins/azure/frontdoor/wafLogsEnabled.js index 7387cac8e0..bdf895b406 100644 --- a/plugins/azure/frontdoor/wafLogsEnabled.js 
+++ b/plugins/azure/frontdoor/wafLogsEnabled.js @@ -5,7 +5,7 @@ module.exports = { title: 'Front Door WAF Logs Enabled', category: 'Front Door', domain: 'Content Delivery', - description: 'Ensures that Azure Front Door WAF Log is enabled.', + description: 'Ensures that Azure Front Door WAF logs are enabled.', more_info: 'Azure Front Door captures several types of logs. Web application firewall (WAF) logs can be used to detect potential attacks, and false positive detections that might indicate legitimate requests that the WAF blocked.', recommended_action: 'Ensure that diagnostic setting for Front Door WAF Log is enabled.', link: 'https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-logs', From fb6b769ce9c53b03a53dd1819920a169e3058fd2 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Mon, 4 Dec 2023 22:43:40 +0500 Subject: [PATCH 202/498] Update plugins/azure/frontdoor/wafLogsEnabled.js Co-authored-by: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> --- plugins/azure/frontdoor/wafLogsEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/frontdoor/wafLogsEnabled.js b/plugins/azure/frontdoor/wafLogsEnabled.js index bdf895b406..288930b75d 100644 --- a/plugins/azure/frontdoor/wafLogsEnabled.js +++ b/plugins/azure/frontdoor/wafLogsEnabled.js 
@@ -7,7 +7,7 @@ module.exports = { domain: 'Content Delivery', description: 'Ensures that Azure Front Door WAF logs are enabled.', more_info: 'Azure Front Door captures several types of logs. Web application firewall (WAF) logs can be used to detect potential attacks, and false positive detections that might indicate legitimate requests that the WAF blocked.', - recommended_action: 'Ensure that diagnostic setting for Front Door WAF Log is enabled.', + recommended_action: 'Ensure that diagnostic setting for Front Door WAF logs is enabled.', link: 'https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-logs', apis: ['profiles:list', 'diagnosticSettings:listByAzureFrontDoor'], From a2069808410e33e29ab5e35bc75f9b0c7923ce09 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Mon, 4 Dec 2023 22:44:00 +0500 Subject: [PATCH 203/498] Update plugins/azure/frontdoor/wafLogsEnabled.js Co-authored-by: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> --- plugins/azure/frontdoor/wafLogsEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/frontdoor/wafLogsEnabled.js b/plugins/azure/frontdoor/wafLogsEnabled.js index 288930b75d..871bef2ccd 100644 --- a/plugins/azure/frontdoor/wafLogsEnabled.js +++ b/plugins/azure/frontdoor/wafLogsEnabled.js 
@@ -8,7 +8,7 @@ module.exports = { description: 'Ensures that Azure Front Door WAF logs are enabled.', more_info: 'Azure Front Door captures several types of logs. Web application firewall (WAF) logs can be used to detect potential attacks, and false positive detections that might indicate legitimate requests that the WAF blocked.', recommended_action: 'Ensure that diagnostic setting for Front Door WAF logs is enabled.', - link: 'https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-logs', + link: 'https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-monitor?pivots=front-door-standard-premium', apis: ['profiles:list', 'diagnosticSettings:listByAzureFrontDoor'], run: function(cache, settings, callback) { From 4b278a64a2df7f64795c815dac86f6c9075f6f89 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 22:45:14 +0500 Subject: [PATCH 204/498] Update plugins/azure/virtualmachines/vmVTPMEnabled.js Co-authored-by: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> --- plugins/azure/virtualmachines/vmVTPMEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmVTPMEnabled.js b/plugins/azure/virtualmachines/vmVTPMEnabled.js index a514d9efee..4bd1760795 100644 --- a/plugins/azure/virtualmachines/vmVTPMEnabled.js +++ b/plugins/azure/virtualmachines/vmVTPMEnabled.js 
@@ -33,7 +33,7 @@ module.exports = { } virtualMachines.data.forEach(virtualMachine => { - if (virtualMachine.securityProfile && virtualMachine.securityProfile.uefiSettings.vTpmEnabled) { + if (virtualMachine.securityProfile && virtualMachine.securityProfile.uefiSettings && virtualMachine.securityProfile.uefiSettings.vTpmEnabled) { helpers.addResult(results, 0, 'vTPM is enabled for Azure Virtual Machine', location, virtualMachine.id); } else { helpers.addResult(results, 2, 'vTPM is not enabled for Azure Virtual Machine', location, virtualMachine.id); From e8f2023b9498224d1ff539097bf0a08fa0e3059c Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 22:45:22 +0500 Subject: [PATCH 205/498] Update plugins/azure/virtualmachines/vmVTPMEnabled.js Co-authored-by: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> --- plugins/azure/virtualmachines/vmVTPMEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmVTPMEnabled.js b/plugins/azure/virtualmachines/vmVTPMEnabled.js index 4bd1760795..9af2c907df 100644 --- a/plugins/azure/virtualmachines/vmVTPMEnabled.js +++ b/plugins/azure/virtualmachines/vmVTPMEnabled.js @@ -23,7 +23,7 @@ module.exports = { if (!virtualMachines) return rcb(); if (virtualMachines.err || !virtualMachines.data) { - helpers.addResult(results, 3, 'Unable to query for virtual machines: ' + helpers.addError(virtualMachines), location); + helpers.addResult(results, 3, 'Unable to query for Virtual Machines: ' + helpers.addError(virtualMachines), location); return rcb(); } From c1881656563d38ea6656cd905322430332000280 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Mon, 4 Dec 2023 22:45:49 +0500 Subject: [PATCH 206/498] pr comments --- .../amsStorageAccountIdentityEnabled.js | 12 ++++++------ .../amsStorageAccountIdentityEnabled.spec.js | 4 ++-- 2 files changed, 8 insertions(+), 8 deletions(-) 
diff --git a/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js b/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js index e050e7af13..c7419d2c47 100644 --- a/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js +++ b/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js @@ -2,13 +2,13 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Azure Media Services Managed Identity for Storage Account Authentication', + title: 'Media Services Managed Identity for Storage Account Authentication', category: 'Media Services', - domain: 'Identity and Access Management', + domain: 'Content Delivery', description: 'Ensure that Azure Media Services have managed identity enabled for Storage Account authentication.', more_info: 'Enabling managed identity for storage authentication allows secure access to Azure Storage without explicit credentials, enhancing security and simplifying access management for Azure Media Services.', - link: 'https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview', - recommended_action: 'Modify the media service\'s storage account settings and enable diagnostic logs.', + link: 'https://learn.microsoft.com/en-us/azure/media-services/latest/concept-managed-identities#media-services-managed-identity-scenarios', + recommended_action: 'Modify the media service\'s storage account settings and enable managed identity.', apis: ['mediaServices:listAll'], run: function(cache, settings, callback) { 
@@ -36,9 +36,9 @@ module.exports = { if (!mediaService.id) continue; if (mediaService.storageAuthentication && mediaService.storageAuthentication.toLowerCase() === 'managedidentity') { - helpers.addResult(results, 0, 'Managed Identity is enabled for Azure Media Service storage authentication', location, mediaService.id); + helpers.addResult(results, 0, 'Media Service account has managed identity enabled for storage account authentication', location, mediaService.id); } else { - helpers.addResult(results, 2, 'Managed Identity is not enabled for Azure Media Service storage authentication', location, mediaService.id); + helpers.addResult(results, 2, 'Media Service account has managed identity disabled for storage account authentication', location, mediaService.id); } } diff --git a/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.spec.js b/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.spec.js index 0312127799..4d79f162c9 100644 --- a/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.spec.js +++ b/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.spec.js @@ -67,7 +67,7 @@ describe('amsStorageAccountIdentityEnabled', function() { amsStorageAccountIdentityEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Managed Identity is enabled for Azure Media Service storage authentication'); + expect(results[0].message).to.include('Media Service account has managed identity enabled for storage account authentication'); expect(results[0].region).to.equal('eastus'); done(); }); 
@@ -78,7 +78,7 @@ describe('amsStorageAccountIdentityEnabled', function() { amsStorageAccountIdentityEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Managed Identity is not enabled for Azure Media Service storage authentication'); + expect(results[0].message).to.include('Media Service account has managed identity disabled for storage account authentication'); expect(results[0].region).to.equal('eastus'); done(); }); From 1abe3beb12ad59db39a241ef7e7eea16bd2ed461 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 22:46:09 +0500 Subject: [PATCH 207/498] Update vmVTPMEnabled.js --- plugins/azure/virtualmachines/vmVTPMEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmVTPMEnabled.js b/plugins/azure/virtualmachines/vmVTPMEnabled.js index 9af2c907df..25e011d36d 100644 --- a/plugins/azure/virtualmachines/vmVTPMEnabled.js +++ b/plugins/azure/virtualmachines/vmVTPMEnabled.js @@ -7,7 +7,7 @@ module.exports = { domain: 'Compute', description: 'Ensure Virtual Trusted Platform Module (vTPM) is enabled for Azure virtual machines (VM).', more_info: 'vTPM is TPM2.0 compliant and enhances security by validating VM boot integrity and providing a secure storage mechanism for keys and secrets.', - recommended_action: 'Enable vTPM for Azure virtual machines to leverage advanced security features and support Guest Attestation in Azure Security Center.', + recommended_action: 'Enable vTPM for Azure virtual machines.', link: 'https://learn.microsoft.com/en-us/azure/confidential-computing/virtual-tpms-in-azure-confidential-vm', apis: ['virtualMachines:listAll'], From b2e5138c7b6f152dfb0fa34ea884b576a5941129 Mon Sep 17 00:00:00 2001 
From: abdullahaslam306 Date: Mon, 4 Dec 2023 22:46:56 +0500 Subject: [PATCH 208/498] review comments --- plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js b/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js index c7419d2c47..338e974d4a 100644 --- a/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js +++ b/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js @@ -2,7 +2,7 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Media Services Managed Identity for Storage Account Authentication', + title: 'Media Services Storage Account Managed Identity', category: 'Media Services', domain: 'Content Delivery', description: 'Ensure that Azure Media Services have managed identity enabled for Storage Account authentication.', From df08950f0982b615f0b73548cc8e0c9ad59e7ce4 Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Mon, 4 Dec 2023 22:47:31 +0500 Subject: [PATCH 209/498] updated with recommended changes --- plugins/azure/virtualmachines/vmVTPMEnabled.spec.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmVTPMEnabled.spec.js b/plugins/azure/virtualmachines/vmVTPMEnabled.spec.js index ba03d7888d..2970817cb6 100644 --- a/plugins/azure/virtualmachines/vmVTPMEnabled.spec.js +++ b/plugins/azure/virtualmachines/vmVTPMEnabled.spec.js @@ -56,7 +56,7 @@ describe('selectVTPM', function() { selectVTPM.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); - expect(results[0].message).to.include('Unable to query for virtual machines'); + expect(results[0].message).to.include('Unable to query for Virtual Machines'); expect(results[0].region).to.equal('eastus'); done(); }); From 43ee2724c0a1b7c0c2da48e92de5b29df7d02839 Mon Sep 17 00:00:00 2001 
From: alphadev4 Date: Mon, 4 Dec 2023 22:50:17 +0500 Subject: [PATCH 210/498] linting --- plugins/azure/frontdoor/wafLogsEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/frontdoor/wafLogsEnabled.js b/plugins/azure/frontdoor/wafLogsEnabled.js index 871bef2ccd..fac1d10a8e 100644 --- a/plugins/azure/frontdoor/wafLogsEnabled.js +++ b/plugins/azure/frontdoor/wafLogsEnabled.js @@ -50,7 +50,7 @@ module.exports = { frontDoorWafLogsEnabled = true; } }); - if (frontDoorWafLogsEnabled) { + if (frontDoorWafLogsEnabled) { helpers.addResult(results, 0, 'Front Door profile WAF logs are enabled', location, profile.id); } else { helpers.addResult(results, 2, 'Front Door profile WAF logs are not enabled', location, profile.id); From c018528821d4ce22bc784b8e4b5a53894488327b Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 22:51:11 +0500 Subject: [PATCH 211/498] Update vmSecurityType.js --- plugins/azure/virtualmachines/vmSecurityType.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/plugins/azure/virtualmachines/vmSecurityType.js b/plugins/azure/virtualmachines/vmSecurityType.js index 84bfd6e84f..ccadaeb8ed 100644 --- a/plugins/azure/virtualmachines/vmSecurityType.js +++ b/plugins/azure/virtualmachines/vmSecurityType.js 
@@ -2,12 +2,12 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Azure VMs Security Type', + title: 'VM Security Type', category: 'Virtual Machines', domain: 'Compute', - description: 'Ensure Trusted Launch is selected for Azure virtual machines (VM) to enhance security against advanced and persistent attack techniques.', + description: 'Ensure Trusted Launch is selected for Azure virtual machines (VM).', more_info: 'Trusted Launch provides additional security features on Gen 2 virtual machines, offering defense against sophisticated threats.', - recommended_action: 'Enable Trusted Launch for Azure virtual machines to leverage coordinated infrastructure technologies for enhanced security.', + recommended_action: 'Select Trusted Launch as security type for Azure virtual machines.', link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-portal?tabs=portal%2Cportal3%2Cportal2', apis: ['virtualMachines:listAll'], @@ -23,7 +23,7 @@ module.exports = { if (!virtualMachines) return rcb(); if (virtualMachines.err || !virtualMachines.data) { - helpers.addResult(results, 3, 'Unable to query for virtual machines: ' + helpers.addError(virtualMachines), location); + helpers.addResult(results, 3, 'Unable to query for Virtual Machines: ' + helpers.addError(virtualMachines), location); return rcb(); } From e8fbe64b070a8e1a2e312b0d4adfcdef391c25d7 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Mon, 4 Dec 2023 22:51:27 +0500 Subject: [PATCH 212/498] review --- plugins/azure/mediaServices/amsManagedIdentityEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/mediaServices/amsManagedIdentityEnabled.js b/plugins/azure/mediaServices/amsManagedIdentityEnabled.js index ff999a94ac..9b008caba3 100644 --- a/plugins/azure/mediaServices/amsManagedIdentityEnabled.js +++ b/plugins/azure/mediaServices/amsManagedIdentityEnabled.js 
@@ -2,7 +2,7 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Media Service Managed Identity Enabled', + title: 'Media Services Managed Identity Enabled', category: 'Media Services', domain: 'Content Delivery', description: 'Ensure that Azure Media Services have managed identity enabled.', From f44428d6f28051da266568fa703c27d5fd76d0d5 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 22:51:34 +0500 Subject: [PATCH 213/498] Update vmSecurityType.spec.js --- plugins/azure/virtualmachines/vmSecurityType.spec.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmSecurityType.spec.js b/plugins/azure/virtualmachines/vmSecurityType.spec.js index 618adf5343..33daab7796 100644 --- a/plugins/azure/virtualmachines/vmSecurityType.spec.js +++ b/plugins/azure/virtualmachines/vmSecurityType.spec.js @@ -52,7 +52,7 @@ describe('selectTrustedLaunch', function() { selectTrustedLaunch.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); - expect(results[0].message).to.include('Unable to query for virtual machines'); + expect(results[0].message).to.include('Unable to query for Virtual Machines'); expect(results[0].region).to.equal('eastus'); done(); }); From d2bde53159d3a89e5000938c22321dd3d5f1bbaa Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Mon, 4 Dec 2023 22:52:52 +0500 Subject: [PATCH 214/498] pr comments --- plugins/azure/mediaServices/amsContentKeyPolicy.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/mediaServices/amsContentKeyPolicy.js b/plugins/azure/mediaServices/amsContentKeyPolicy.js index c56d698054..f4f2c88263 100644 --- a/plugins/azure/mediaServices/amsContentKeyPolicy.js +++ b/plugins/azure/mediaServices/amsContentKeyPolicy.js 
@@ -2,9 +2,9 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Azure Media Services Content Key Policy Exists', + title: 'Media Service Content Key Policy Exists', category: 'Media Services', - domain: 'Media Service Configuration', + domain: 'Content Delivery', description: 'Ensure that Microsoft Azure Media Services have Content Key Policy configured.', more_info: 'A Content Key Policy in Azure Media Services dictates how content keys, ensuring secure asset access, are delivered to end clients. It allows setting requirements or restrictions that keys with specific configurations must meet before being delivered to clients.', link: 'https://learn.microsoft.com/en-us/azure/media-services/latest/drm-content-key-policy-concept', From 4f16d5e6d0619aa7a2963a2700c27cedf724ac73 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Mon, 4 Dec 2023 22:53:26 +0500 Subject: [PATCH 215/498] . --- plugins/azure/mediaServices/amsContentKeyPolicy.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/mediaServices/amsContentKeyPolicy.js b/plugins/azure/mediaServices/amsContentKeyPolicy.js index f4f2c88263..afa5c75b41 100644 --- a/plugins/azure/mediaServices/amsContentKeyPolicy.js +++ b/plugins/azure/mediaServices/amsContentKeyPolicy.js @@ -2,7 +2,7 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Media Service Content Key Policy Exists', + title: 'Media Services Content Key Policy Exists', category: 'Media Services', domain: 'Content Delivery', description: 'Ensure that Microsoft Azure Media Services have Content Key Policy configured.', From 9deb78107b181f2d61c8bb507c38051b8156f58e Mon Sep 17 00:00:00 2001 
From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 23:03:30 +0500 Subject: [PATCH 216/498] Update dbLedgerEnabled.js --- plugins/azure/sqldatabases/dbLedgerEnabled.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/plugins/azure/sqldatabases/dbLedgerEnabled.js b/plugins/azure/sqldatabases/dbLedgerEnabled.js index 88cbf73f4d..daeb64077d 100644 --- a/plugins/azure/sqldatabases/dbLedgerEnabled.js +++ b/plugins/azure/sqldatabases/dbLedgerEnabled.js @@ -2,10 +2,10 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Database Azure Ledger Enabled', + title: 'Database Ledger Enabled', category: 'SQL Databases', domain: 'Databases', - description: 'Ensure Azure ledger is enabled to protect the integrity of data for SQL databases.', + description: 'Ensure ledger is enabled to protect the integrity of data for SQL databases.', more_info: 'Azure ledger helps protect the integrity of data by enabling customers to use cryptographic seals on their data.', recommended_action: 'Enable Azure ledger for all future tables in the SQL database to enhance data integrity.', link: 'https://learn.microsoft.com/en-us/sql/relational-databases/security/ledger/ledger-overview?view=sql-server-ver16', @@ -48,9 +48,9 @@ module.exports = { databases.data.forEach(database=> { if (database.isLedgerOn == true) { - helpers.addResult(results, 0, 'Azure ledger is enabled for SQL database', location, database.id); + helpers.addResult(results, 0, 'Ledger is enabled for SQL database', location, database.id); } else { - helpers.addResult(results, 2, 'Azure ledger is not enabled for SQL database', location, database.id); + helpers.addResult(results, 2, 'Ledger is not enabled for SQL database', location, database.id); } }); From 6c0150e05ce55d0db68b24371d6abd6723b3e659 Mon Sep 17 00:00:00 2001 
From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 23:04:08 +0500 Subject: [PATCH 217/498] Update dbLedgerEnabled.spec.js --- plugins/azure/sqldatabases/dbLedgerEnabled.spec.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/plugins/azure/sqldatabases/dbLedgerEnabled.spec.js b/plugins/azure/sqldatabases/dbLedgerEnabled.spec.js index 1a09922984..7b62257fdc 100644 --- a/plugins/azure/sqldatabases/dbLedgerEnabled.spec.js +++ b/plugins/azure/sqldatabases/dbLedgerEnabled.spec.js @@ -77,11 +77,11 @@ describe('enableAzureLedger', function() { enableAzureLedger.run(cache, {}, callback); }); - it('should give passing result if Azure ledger is enabled for the database', function(done) { + it('should give passing result if Ledger is enabled for the database', function(done) { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Azure ledger is enabled for SQL database'); + expect(results[0].message).to.include('Ledger is enabled for SQL database'); expect(results[0].region).to.equal('eastus'); done(); }; @@ -94,11 +94,11 @@ describe('enableAzureLedger', function() { enableAzureLedger.run(cache, {}, callback); }); - it('should give failing result if Azure ledger is not enabled for the database', function(done) { + it('should give failing result if Ledger is not enabled for the database', function(done) { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Azure ledger is not enabled for SQL database'); + expect(results[0].message).to.include('Ledger is not enabled for SQL database'); expect(results[0].region).to.equal('eastus'); done(); }; From 3ff547fba04191d7a56398e4af4ea513fec6d022 Mon Sep 17 00:00:00 2001 
From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 23:07:22 +0500 Subject: [PATCH 218/498] Update dbEnableSecureEnclaves.js --- plugins/azure/sqldatabases/dbEnableSecureEnclaves.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js b/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js index bdaaaec179..0b9c848ef4 100644 --- a/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js +++ b/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js @@ -5,9 +5,9 @@ module.exports = { title: 'Database Secure Enclaves Encryption Enabled', category: 'SQL Databases', domain: 'Databases', - description: 'Ensure Always Encrypted with secure enclaves is enabled at the database level for enhanced data security.', + description: 'Ensure Always Encrypted with secure enclaves is enabled at the database level.', more_info: 'Always Encrypted with secure enclaves allows encrypted data to be processed inside a secure enclave for improved security.', - recommended_action: 'Enable Always Encrypted with secure enclaves for the SQL database to enhance data security.', + recommended_action: 'Enable Always Encrypted with secure enclaves for the SQL database.', link: 'https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-enclaves?view=sql-server-ver16', apis: ['servers:listSql', 'databases:listByServer'], From 2bedcc3603e88270e5e2ca3cc35b239d6d5cb812 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 23:08:48 +0500 Subject: [PATCH 219/498] Update dbTDEEnabled.js --- plugins/azure/sqldatabases/dbTDEEnabled.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/sqldatabases/dbTDEEnabled.js b/plugins/azure/sqldatabases/dbTDEEnabled.js index 86d5b33276..2551ee99b9 100644 --- a/plugins/azure/sqldatabases/dbTDEEnabled.js 
+++ b/plugins/azure/sqldatabases/dbTDEEnabled.js @@ -5,9 +5,9 @@ module.exports = { title: 'Transparent Data Encryption Enabled', category: 'SQL Databases', domain: 'Databases', - description: 'Ensure Transparent Data Encryption (TDE) is enabled on SQL databases for enhanced security', + description: 'Ensure Transparent Data Encryption (TDE) is enabled on SQL databases.', more_info: 'Transparent data encryption (TDE) helps protect Azure SQL Database against the threat of malicious offline activity by encrypting data at rest.', - recommended_action: 'Enable TDE for SQL databases to enhance data security.', + recommended_action: 'Enable Transparent Data Encryption (TDE) for SQL databases.', link: 'https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15', apis: ['servers:listSql','databases:listByServer','transparentDataEncryption:list'], From 79a620efe8555be77b570b665af4714c640ea658 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 23:11:38 +0500 Subject: [PATCH 220/498] Update dbSyncGroupPrivateLink.js --- plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js index c579f4a873..7ae4dced83 100644 --- a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js +++ b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js @@ -2,7 +2,7 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'SQL Databases Private Link Enabled', + title: 'Database Private Link Enabled', category: 'SQL Databases', domain: 'Databases', description: 'Ensures SQL Database sync groups use private link when SQL DB sync with others databases.', 
@@ -60,9 +60,9 @@ module.exports = {
 syncGroups.data.forEach(syncGroup=> {
 if (syncGroup.usePrivateLinkConnection) {
- helpers.addResult(results, 0, 'SQL Database sync group uses private link to sync with other databases', location, syncGroup.id);
+ helpers.addResult(results, 0, 'Database sync group uses private link to sync with other databases', location, syncGroup.id);
 } else {
- helpers.addResult(results, 2, 'SQL Database sync group does not uses private link to sync with other databases', location, syncGroup.id);
+ helpers.addResult(results, 2, 'Database sync group does not uses private link to sync with other databases', location, syncGroup.id);
 }
 });
 });
From d6c58cc57d53edd1ed3fbc8d442b38e0718a5e9d Mon Sep 17 00:00:00 2001
From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com>
Date: Mon, 4 Dec 2023 23:12:03 +0500
Subject: [PATCH 221/498] Update dbSyncGroupPrivateLink.spec.js
---
 plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js
index 7107fb58eb..b10bb785b3 100644
--- a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js
+++ b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js
@@ -97,7 +97,7 @@ describe('sqlDatabaseSyncGroups', function() {
 const callback = (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(0);
- expect(results[0].message).to.include('SQL Database sync group uses private link to sync with other databases');
+ expect(results[0].message).to.include('Database sync group uses private link to sync with other databases');
 expect(results[0].region).to.equal('eastus');
 done();
 };
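Review bot: The rewritten FAIL message at the second `+` line carries over a grammar error from the original text, `'Database sync group does not uses private link to sync with other databases'`; it should read `'Database sync group does not use private link to sync with other databases'`. The spec updated in the next commit (PATCH 221) asserts this exact string with `.to.include`, so the fixture has to change in the same commit. The enclosing `run` function starts before this hunk.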
@@ -115,7 +115,7 @@ describe('sqlDatabaseSyncGroups', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('SQL Database sync group does not uses private link to sync with other databases'); + expect(results[0].message).to.include('Database sync group does not uses private link to sync with other databases'); expect(results[0].region).to.equal('eastus'); done(); }; From 08c16942d95156e8ebb0e4c4d92b9fa08b2d97e8 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 23:18:11 +0500 Subject: [PATCH 222/498] Update dbLedgerDigestStorageEnabled.js --- plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js index 52b3dd8911..734ff1b2b9 100644 --- a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js +++ b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js @@ -5,7 +5,7 @@ module.exports = { title: 'Ledger Digest Storage Enabled', category: 'SQL Databases', domain: 'Databases', - description: 'Ensure automatic Ledger digest storage is enabled for enhanced data integrity.', + description: 'Ensure automatic Ledger digest storage is enabled.', more_info: 'Configuring automatic Ledger digest storage allows for the generation and storage of digests for later verification.', recommended_action: 'Configure an Azure Storage account or Azure Confidential Ledger for automatic Ledger digest storage. ', link: 'https://docs.microsoft.com/en-us/azure/sql-database/sql-database-ledger-overview', 
@@ -46,10 +46,10 @@ module.exports = {
 } else {
 databases.data.forEach(database=> {
 var ledgerDigestUploads = helpers.addSource(cache, source, ['ledgerDigestUploads', 'list', location, database.id]);
- if (!ledgerDigestUploads || ledgerDigestUploads.err) {
+ if (!ledgerDigestUploads || ledgerDigestUploads.err || !ledgerDigestUploads.data) {
 helpers.addResult(results, 3, 'Unable to query for Azure ledger: ' + helpers.addError(ledgerDigestUploads), location, database.id);
 } else {
- if (ledgerDigestUploads.data[0].state.toLowerCase() == 'enabled') {
+ if (ledgerDigestUploads.data.length && ledgerDigestUploads.data[0].state.toLowerCase() == 'enabled') {
 helpers.addResult(results, 0, 'Automatic Ledger digest storage is enabled for SQL database', location, database.id);
 } else {
 helpers.addResult(results, 2, 'Automatic Ledger digest storage is not enabled for SQL database', location, database.id);
From 4978726f0c2161755b8af64304fdaab0b99f4ada Mon Sep 17 00:00:00 2001
From: fatima99s
Date: Mon, 4 Dec 2023 23:22:53 +0500
Subject: [PATCH 223/498] resolve issue
---
 plugins/aws/bedrock/modelInvocationLoggingEnabled.js | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/plugins/aws/bedrock/modelInvocationLoggingEnabled.js b/plugins/aws/bedrock/modelInvocationLoggingEnabled.js
index 7025578be7..216dfb05c0 100644
--- a/plugins/aws/bedrock/modelInvocationLoggingEnabled.js
+++ b/plugins/aws/bedrock/modelInvocationLoggingEnabled.js
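Review bot: The new guard on the inner `if` checks `data.length` but still dereferences `data[0].state.toLowerCase()` without confirming `state` is present, so a digest-upload entry that lacks `state` throws and aborts the whole `forEach` instead of producing a result for that database. A safer form is `if (ledgerDigestUploads.data.length && ledgerDigestUploads.data[0].state && ledgerDigestUploads.data[0].state.toLowerCase() == 'enabled') {`. An empty `data` array now falls through to the FAIL branch, which reads as the intended "not enabled" semantics; a short comment such as `// empty list: no digest upload target was ever configured` would save the next reader a lookup. The enclosing `forEach` callback and the `run` function continue outside the hunk.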
@@ -22,15 +22,13 @@ module.exports = {
 if (!invocationLoggingConfiguration) return rcb();
- if (invocationLoggingConfiguration.err && invocationLoggingConfiguration.err.message.includes('This service may not be available in')) {
- helpers.addResult(results, 0, 'Bedrock service is not available in this region', region);
- return rcb();
- } else if (invocationLoggingConfiguration.err ) {
+ if (invocationLoggingConfiguration.err) {
 helpers.addResult(results, 3,
- `Unable to query for Invocation Logging Configuration: ${helpers.addError(invocationLoggingConfiguration)}`, region);
- return rcb();
+ `Unable to query for Bedrock custom model list: ${helpers.addError(invocationLoggingConfiguration)}`, region);
+ return rcb();
 }
+
 if (!invocationLoggingConfiguration.data) {
 helpers.addResult(results, 2, 'Invocation logging is not enabled for bedrock models', region);
 } else {
From ec21f399c1b181f2f0d084b276d5eb9a47101cb8 Mon Sep 17 00:00:00 2001
From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com>
Date: Mon, 4 Dec 2023 23:25:02 +0500
Subject: [PATCH 224/498] Update dbDataMaskingEnabled.js
---
 plugins/azure/sqldatabases/dbDataMaskingEnabled.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/sqldatabases/dbDataMaskingEnabled.js b/plugins/azure/sqldatabases/dbDataMaskingEnabled.js
index 1d9734067e..9b54650a4f 100644
--- a/plugins/azure/sqldatabases/dbDataMaskingEnabled.js
+++ b/plugins/azure/sqldatabases/dbDataMaskingEnabled.js
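Review bot: The error message rewritten in this hunk no longer matches what is being queried: `invocationLoggingConfiguration` is the result of the invocation-logging lookup, but the new text says `Unable to query for Bedrock custom model list`, which looks copied from the sibling privateCustomModel plugin and will mislead anyone triaging UNKNOWN results. Keep the resource name accurate, e.g. `` `Unable to query for Bedrock invocation logging configuration: ${helpers.addError(invocationLoggingConfiguration)}` ``. Dropping the "service is not available in this region" branch means regions where Bedrock is not offered now surface as status 3 instead of a PASS; if that is intended, a one-line comment above the `err` check saying so would stop the next maintainer from re-adding it. The enclosing region loop starts before this hunk.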
@@ -7,7 +7,7 @@ module.exports = { domain: 'Databases', description: 'Ensures dynamic data masking is enabled for all SQL databases.', more_info: 'Dynamic data masking helps prevent unauthorized access to sensitive data by hiding it in query results.', - recommended_action: 'Set up dynamic data masking to protect sensitive data exposure in SQL databases.', + recommended_action: 'Enable dynamic data masking for SQL databases.', link: 'https://docs.microsoft.com/en-us/azure/sql-database/sql-database-dynamic-data-masking-get-started-portal', apis: ['servers:listSql', 'databases:listByServer', 'dataMaskingPolicies:get'], From 1351366a149b56de1ab4ea60c593a7f8f5c57de8 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Mon, 4 Dec 2023 23:35:37 +0500 Subject: [PATCH 225/498] Update vmVTPMEnabled.js --- plugins/azure/virtualmachines/vmVTPMEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmVTPMEnabled.js b/plugins/azure/virtualmachines/vmVTPMEnabled.js index 25e011d36d..6daeaf9bcb 100644 --- a/plugins/azure/virtualmachines/vmVTPMEnabled.js +++ b/plugins/azure/virtualmachines/vmVTPMEnabled.js 
@@ -6,7 +6,7 @@ module.exports = { category: 'Virtual Machines', domain: 'Compute', description: 'Ensure Virtual Trusted Platform Module (vTPM) is enabled for Azure virtual machines (VM).', - more_info: 'vTPM is TPM2.0 compliant and enhances security by validating VM boot integrity and providing a secure storage mechanism for keys and secrets.', + more_info: 'vTPM is TPM2.0 compliant and enhances security by validating VM boot integrity and providing a secure storage mechanism for keys and secrets. The vTPM enables attestation by measuring the entire boot chain of your VM (UEFI, OS, system, and drivers).', recommended_action: 'Enable vTPM for Azure virtual machines.', link: 'https://learn.microsoft.com/en-us/azure/confidential-computing/virtual-tpms-in-azure-confidential-vm', apis: ['virtualMachines:listAll'], From 120a6ec0ec7bcee982d02588f7ccbbdc7d292b85 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Mon, 4 Dec 2023 23:39:28 +0500 Subject: [PATCH 226/498] Apply suggestions from code review --- plugins/azure/mediaServices/amsPublicAccessDisabled.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/plugins/azure/mediaServices/amsPublicAccessDisabled.js b/plugins/azure/mediaServices/amsPublicAccessDisabled.js index 281a3a4bd7..fa0464b540 100644 --- a/plugins/azure/mediaServices/amsPublicAccessDisabled.js +++ b/plugins/azure/mediaServices/amsPublicAccessDisabled.js 
@@ -5,10 +5,10 @@ module.exports = { title: 'Media Services Public Access Disabled', category: 'Media Services', domain: 'Content Delivery', - description: 'Ensure that Microsoft Azure Media Services have public access disabled.', - more_info: 'Disabling public network access improves security by ensuring that Media Services resources are not exposed on the public internet. ', - link: 'https://learn.microsoft.com/en-us/azure/media-services/latest/security-azure-policy', - recommended_action: 'Modify the media service network settings and enable private access.', + description: 'Ensures that Azure Media Services have public access disabled.', + more_info: 'Disabling public network access improves security by ensuring that Media Services resources are not exposed on the public internet.', + link: 'https://learn.microsoft.com/en-us/azure/media-services/latest/security-azure-policy#azure-policies-private-endpoints-and-media-services', + recommended_action: 'Modify Media Service network settings and enable private access.', apis: ['mediaServices:listAll'], run: function(cache, settings, callback) { From 1a8d401b66d9e395f4e03f302dc71dac79b7f966 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Mon, 4 Dec 2023 23:53:41 +0500 Subject: [PATCH 227/498] Apply suggestions from code review --- plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js b/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js index 4190383618..dec8312598 100644 --- a/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js +++ b/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js 
@@ -5,10 +5,10 @@ module.exports = { title: 'Media Services Diagnostic Logs Enabled', category: 'Media Services', domain: 'Content Delivery', - description: 'Ensure that Microsoft Azure Media Services have diagnostic logs enabled.', + description: 'Ensures that Azure Media Services have diagnostic logs enabled.', more_info: 'Diagnostic logs provide valuable insights into the operation and health of Media Services. By enabling diagnostic logs, you can gather diagnostic data that could be useful to create notification alerts.', link: 'https://learn.microsoft.com/en-us/azure/media-services/latest/monitoring/monitor-media-services', - recommended_action: 'Modify the media service settings and enable diagnostic logs.', + recommended_action: 'Modify Media Service settings and enable diagnostic logs.', apis: ['mediaServices:listAll', 'diagnosticSettings:listByMediaService'], run: function(cache, settings, callback) { @@ -44,10 +44,6 @@ module.exports = { continue; } - if (!diagnosticSettings.data.length){ - helpers.addResult(results, 0, 'No Diagnostic settings found', location, mediaService.id); - continue; - } var found = diagnosticSettings.data.find(ds => ds.logs && ds.logs.length); From 1b0a9ead464646f89a1430e797cb4c3436840be4 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Mon, 4 Dec 2023 23:54:11 +0500 Subject: [PATCH 228/498] Update plugins/azure/mediaServices/amsDiagnosticLogsEnabled.spec.js --- .../mediaServices/amsDiagnosticLogsEnabled.spec.js | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.spec.js b/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.spec.js index 5764d5a8e1..cf226de825 100644 --- a/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.spec.js +++ b/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.spec.js 
@@ -133,15 +133,5 @@ describe('amsDiagnosticLogsEnabled', function() { done(); }); }); - it('should give passing result if no diagnostic settings found', function(done) { - const cache = createCache([mediaServices[0]], []); - amsDiagnosticLogsEnabled.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('No Diagnostic settings found'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); }); }); From 9d1c3859445eff471150d089b2bc01c10c24921f Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Tue, 5 Dec 2023 00:03:15 +0500 Subject: [PATCH 229/498] Update plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js --- plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js b/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js index 338e974d4a..ba092689aa 100644 --- a/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js +++ b/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js 
@@ -8,7 +8,7 @@ module.exports = { description: 'Ensure that Azure Media Services have managed identity enabled for Storage Account authentication.', more_info: 'Enabling managed identity for storage authentication allows secure access to Azure Storage without explicit credentials, enhancing security and simplifying access management for Azure Media Services.', link: 'https://learn.microsoft.com/en-us/azure/media-services/latest/concept-managed-identities#media-services-managed-identity-scenarios', - recommended_action: 'Modify the media service\'s storage account settings and enable managed identity.', + recommended_action: 'Modify Media Service storage account settings and enable managed identity.', apis: ['mediaServices:listAll'], run: function(cache, settings, callback) { From 0f3b987676d3b794363c07621a4265321feef26c Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Tue, 5 Dec 2023 00:03:35 +0500 Subject: [PATCH 230/498] Update plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js --- plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js b/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js index ba092689aa..c28b842050 100644 --- a/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js +++ b/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js 
@@ -5,7 +5,7 @@ module.exports = { title: 'Media Services Storage Account Managed Identity', category: 'Media Services', domain: 'Content Delivery', - description: 'Ensure that Azure Media Services have managed identity enabled for Storage Account authentication.', + description: 'Ensures that Azure Media Services have managed identity enabled for Storage Account authentication.', more_info: 'Enabling managed identity for storage authentication allows secure access to Azure Storage without explicit credentials, enhancing security and simplifying access management for Azure Media Services.', link: 'https://learn.microsoft.com/en-us/azure/media-services/latest/concept-managed-identities#media-services-managed-identity-scenarios', recommended_action: 'Modify Media Service storage account settings and enable managed identity.', From 3523f7be3ebd96d3cc60f85c89f371f21c5f46eb Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Tue, 5 Dec 2023 00:13:26 +0500 Subject: [PATCH 231/498] Update plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js --- plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js b/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js index c28b842050..3f8092be68 100644 --- a/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js +++ b/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js 
@@ -5,7 +5,7 @@ module.exports = { title: 'Media Services Storage Account Managed Identity', category: 'Media Services', domain: 'Content Delivery', - description: 'Ensures that Azure Media Services have managed identity enabled for Storage Account authentication.', + description: 'Ensures that Azure Media Service accounts have managed identity enabled for Storage Account authentication.', more_info: 'Enabling managed identity for storage authentication allows secure access to Azure Storage without explicit credentials, enhancing security and simplifying access management for Azure Media Services.', link: 'https://learn.microsoft.com/en-us/azure/media-services/latest/concept-managed-identities#media-services-managed-identity-scenarios', recommended_action: 'Modify Media Service storage account settings and enable managed identity.', From 456b0575122a1d768c0ef5da00d74c7abb91e222 Mon Sep 17 00:00:00 2001 From: Fatima <66124862+fatima99s@users.noreply.github.com> Date: Tue, 5 Dec 2023 01:21:50 +0500 Subject: [PATCH 232/498] Update plugins/azure/postgresqlserver/postgresqlTlsVersion.js Co-authored-by: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> --- plugins/azure/postgresqlserver/postgresqlTlsVersion.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/postgresqlserver/postgresqlTlsVersion.js b/plugins/azure/postgresqlserver/postgresqlTlsVersion.js index 9af1ade32e..a985effcc9 100644 --- a/plugins/azure/postgresqlserver/postgresqlTlsVersion.js +++ b/plugins/azure/postgresqlserver/postgresqlTlsVersion.js @@ -37,7 +37,7 @@ module.exports = { if (!server.id) return; if (server.minimalTlsVersion && server.minimalTlsVersion !== 'TLSEnforcementDisabled') { - const tlsVersionRegex = /^TLS1_\d$/; + const tlsVersionRegex = /^TLS\d+_\d+$/; if (!tlsVersionRegex.test(server.minimalTlsVersion)) { helpers.addResult(results, 2, 'Postgresql server TLS version cannot be parsed', location, server.id); } else { 
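Review bot: Widening the pattern to `/^TLS\d+_\d+$/` at the changed line now admits multi-digit major and minor values (for example `TLS1_10`), so whatever extracts the numeric version in the `else` branch below the hunk has to parse with the same pattern rather than by fixed character offsets — worth confirming, since that code is outside this hunk. A capturing form, `const tlsVersionRegex = /^TLS(\d+)_(\d+)$/;` used with `const match = tlsVersionRegex.exec(server.minimalTlsVersion);`, gives the validity check and the parsed numbers in one step. The literal is also rebuilt for every server inside the loop; hoisting it above the iteration is free. The enclosing loop continues outside the hunk.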
From 7b56cf112462abe316f2f7a9977c98b286d23f01 Mon Sep 17 00:00:00 2001 From: Fatima <66124862+fatima99s@users.noreply.github.com> Date: Tue, 5 Dec 2023 11:19:26 +0500 Subject: [PATCH 233/498] Update privateCustomModel.js --- plugins/aws/bedrock/privateCustomModel.js | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/plugins/aws/bedrock/privateCustomModel.js b/plugins/aws/bedrock/privateCustomModel.js index 75c0329124..2d07aa5f16 100644 --- a/plugins/aws/bedrock/privateCustomModel.js +++ b/plugins/aws/bedrock/privateCustomModel.js @@ -22,11 +22,6 @@ module.exports = { if (!listCustomModels) return rcb(); - if (listCustomModels.err && listCustomModels.err.message.includes('This service may not be available in')) { - helpers.addResult(results, 0, 'Bedrock service is not available in this region', region); - return rcb(); - } - if (listCustomModels.err || !listCustomModels.data) { helpers.addResult(results, 3, `Unable to query for Bedrock custom model list: ${helpers.addError(listCustomModels)}`, region); @@ -106,4 +101,4 @@ module.exports = { callback(null, results, source); }); } -}; \ No newline at end of file +}; From 8dd13f7c384a8326dc259f91d1a834474476e53d Mon Sep 17 00:00:00 2001 From: fatima99s Date: Tue, 5 Dec 2023 12:55:17 +0500 Subject: [PATCH 234/498] resolve issues --- .../bedrock/customModelEncryptionEnabled.js | 37 +++++++------------ .../customModelEncryptionEnabled.spec.js | 6 +-- 2 files changed, 17 insertions(+), 26 deletions(-) diff --git a/plugins/aws/bedrock/customModelEncryptionEnabled.js b/plugins/aws/bedrock/customModelEncryptionEnabled.js index 62aa864d5c..270bc3166e 100644 --- a/plugins/aws/bedrock/customModelEncryptionEnabled.js +++ b/plugins/aws/bedrock/customModelEncryptionEnabled.js 
@@ -5,9 +5,9 @@ module.exports = {
 title: 'Custom Model Encryption Enabled',
 category: 'BedRock',
 domain: 'Machine Learning',
- description: 'Ensure that an Amazon Bedrock custom models are encrypted using KMS customer managed keys (CMKs)',
- more_info: 'When you encrypt AWS Bedrock custom model using your own AWS KMS Customer Managed Keys (CMKs) for enhanced protection, you have full control over who can use the encryption keys to access your custom model.',
- recommended_action: 'Encrypt Bedrock custom model using AWS KMS Customer Managed Keys',
+ description: 'Ensure that an Amazon Bedrock custom models are encrypted with desired encryption level.',
+ more_info: 'When you encrypt AWS Bedrock custom model using your own AWS Customer Managed Keys (CMKs) for enhanced protection, you have full control over who can use the encryption keys to access your custom model.',
+ recommended_action: 'Encrypt Bedrock custom model with desired encryption level.',
 link: 'https://docs.aws.amazon.com/bedrock/latest/userguide/encryption-custom-job.html',
 apis: ['Bedrock:listCustomModels', 'Bedrock:getCustomModel', 'KMS:listKeys', 'KMS:describeKey'],
 settings: {
@@ -15,7 +15,7 @@ module.exports = {
 name: 'Bedrock Custom Model Encryption Level',
 description: 'In order (lowest to highest) awskms=AWS-managed KMS; awscmk=Customer managed KMS; externalcmk=Customer managed externally sourced KMS; cloudhsm=Customer managed CloudHSM sourced KMS',
 regex: '^(awskms|awscmk|externalcmk|cloudhsm)$',
- default: 'awscmk',
+ default: 'awskms',
 }
 },
@@ -55,7 +55,7 @@ module.exports = {
 return rcb();
 }
- for (let model of listCustomModels.data){
+ for (let model of listCustomModels.data) {
 if (!model.modelArn|| !model.modelName) continue;
 let resource = model.modelArn;
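Review bot: Changing the setting default from `'awscmk'` to `'awskms'` in the second hunk lowers the bar so that a model encrypted only with the AWS-managed key passes unless the operator overrides `bedrock_model_desired_encryption_level`; together with the later hunk in this commit that maps a missing `modelKmsKeyArn` to level 2, the plugin passes every model under default settings. If that is intended parity with the other AWS encryption-level plugins, say so in the setting `description`, e.g. append `Default awskms accepts models encrypted with the AWS-managed Bedrock key.`. The reworded `description` in the first hunk also has a grammar slip: `'Ensure that an Amazon Bedrock custom models are encrypted with desired encryption level.'` should be `'Ensure that Amazon Bedrock custom models are encrypted with the desired encryption level.'`. The `run` function these hunks belong to extends past the last hunk.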
@@ -71,7 +71,7 @@ module.exports = { if (getCustomModel.data.modelKmsKeyArn) { var kmsKeyId = getCustomModel.data.modelKmsKeyArn.split('/')[1] ? getCustomModel.data.modelKmsKeyArn.split('/')[1] : getCustomModel.data.modelKmsKeyArn; - + var describeKey = helpers.addSource(cache, source, ['kms', 'describeKey', region, kmsKeyId]); if (!describeKey || describeKey.err || !describeKey.data || !describeKey.data.KeyMetadata) { 
@@ -81,31 +81,22 @@ module.exports = {
 continue;
 }
 currentEncryptionLevel = helpers.getEncryptionLevel(describeKey.data.KeyMetadata, helpers.ENCRYPTION_LEVELS);
- var currentEncryptionLevelString = helpers.ENCRYPTION_LEVELS[currentEncryptionLevel];
-
+
+ } else currentEncryptionLevel = 2;
+ var currentEncryptionLevelString = helpers.ENCRYPTION_LEVELS[currentEncryptionLevel];
+
 if (currentEncryptionLevel >= desiredEncryptionLevel) {
 helpers.addResult(results, 0,
- `Bedrock Custom model is encrypted with ${currentEncryptionLevelString} \
- which is greater than or equal to the desired encryption level ${config.desiredEncryptionLevelString}`,
+ `Bedrock Custom model is encrypted with ${currentEncryptionLevelString}
+ which is greater than or equal to the desired encryption level ${config.desiredEncryptionLevelString}`,
 region, resource);
 } else {
 helpers.addResult(results, 2,
- `Bedrock Custom model is encrypted with ${currentEncryptionLevelString} \
- which is less than the desired encryption level ${config.desiredEncryptionLevelString}`,
+ `Bedrock Custom model is encrypted with ${currentEncryptionLevelString}
+ which is less than the desired encryption level ${config.desiredEncryptionLevelString}`,
 region, resource);
 }
- } else if (desiredEncryptionLevel == 2){
- helpers.addResult(results, 0,
- `Bedrock Custom model is encrypted with awskms \
- which is greater than or equal to the desired encryption level ${config.desiredEncryptionLevelString}`,
- region, resource);
- } else {
- helpers.addResult(results, 2,
- `Bedrock Custom model is encrypted with awskms \
- which is less than the desired encryption level ${config.desiredEncryptionLevelString}`,
- region, resource);
- }
 }
 rcb();
diff --git a/plugins/aws/bedrock/customModelEncryptionEnabled.spec.js b/plugins/aws/bedrock/customModelEncryptionEnabled.spec.js
index 8130f7848d..94ab75fb4e 100644
--- a/plugins/aws/bedrock/customModelEncryptionEnabled.spec.js
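Review bot: Dropping the trailing backslash from the two-line template literals in both `helpers.addResult` calls changes the emitted message: inside a template literal a `\` before the newline is a line continuation, so the old message was a single line, whereas the new form embeds a literal newline plus the continuation line's leading indentation in the result text. Either join each message onto one line or restore the `\` continuation; the same embedded newline survives the re-indent in the following commit (PATCH 235). Separately, `} else currentEncryptionLevel = 2;` relies on a magic index into `helpers.ENCRYPTION_LEVELS` and a braceless else; if that helper is an array, `} else { currentEncryptionLevel = helpers.ENCRYPTION_LEVELS.indexOf('awskms'); }` with a comment such as `// no modelKmsKeyArn: treat as the AWS-managed key level` states the assumption explicitly — confirm that is the correct level for models that report no key ARN. The loop over `listCustomModels.data` starts before this hunk.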
+++ b/plugins/aws/bedrock/customModelEncryptionEnabled.spec.js @@ -160,7 +160,7 @@ describe('customModelEncryptionEnabled', function () { describe('run', function () { it('should PASS if Bedrock Custom Model is Encrypted using CMK', function (done) { const cache = createCache([listCustomModels[0]], getCustomModel[0], listKeys, describeKey[0]); - customModelEncryptionEnabled.run(cache, {}, (err, results) => { + customModelEncryptionEnabled.run(cache, {bedrock_model_desired_encryption_level: 'awscmk'}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); expect(results[0].region).to.equal('us-east-1'); @@ -170,7 +170,7 @@ describe('customModelEncryptionEnabled', function () { it('should FAIL if Bedrock Custom Model is encrypted with AWS owned key', function (done) { const cache = createCache([listCustomModels[1]], getCustomModel[1], listKeys, describeKey[1]); - customModelEncryptionEnabled.run(cache, {}, (err, results) => { + customModelEncryptionEnabled.run(cache, {bedrock_model_desired_encryption_level: 'awscmk'}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); expect(results[0].region).to.equal('us-east-1'); @@ -180,7 +180,7 @@ describe('customModelEncryptionEnabled', function () { it('should PASS if the desired encryption level for bedrock custom model is awskms', function (done) { const cache = createCache([listCustomModels[1]], getCustomModel[1], listKeys, describeKey[1]); - customModelEncryptionEnabled.run(cache, {bedrock_model_desired_encryption_level: 'awskms'}, (err, results) => { + customModelEncryptionEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); expect(results[0].region).to.equal('us-east-1'); From 3813e692bfe79d0157109297b1cd961a36509d19 Mon Sep 17 00:00:00 2001 
From: fatima99s Date: Tue, 5 Dec 2023 12:58:04 +0500 Subject: [PATCH 235/498] resolve issues --- .../bedrock/customModelEncryptionEnabled.js | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/plugins/aws/bedrock/customModelEncryptionEnabled.js b/plugins/aws/bedrock/customModelEncryptionEnabled.js index 270bc3166e..e0ffe166f8 100644 --- a/plugins/aws/bedrock/customModelEncryptionEnabled.js +++ b/plugins/aws/bedrock/customModelEncryptionEnabled.js @@ -85,17 +85,17 @@ module.exports = { } else currentEncryptionLevel = 2; var currentEncryptionLevelString = helpers.ENCRYPTION_LEVELS[currentEncryptionLevel]; - if (currentEncryptionLevel >= desiredEncryptionLevel) { - helpers.addResult(results, 0, - `Bedrock Custom model is encrypted with ${currentEncryptionLevelString} + if (currentEncryptionLevel >= desiredEncryptionLevel) { + helpers.addResult(results, 0, + `Bedrock Custom model is encrypted with ${currentEncryptionLevelString} which is greater than or equal to the desired encryption level ${config.desiredEncryptionLevelString}`, - region, resource); - } else { - helpers.addResult(results, 2, - `Bedrock Custom model is encrypted with ${currentEncryptionLevelString} + region, resource); + } else { + helpers.addResult(results, 2, + `Bedrock Custom model is encrypted with ${currentEncryptionLevelString} which is less than the desired encryption level ${config.desiredEncryptionLevelString}`, - region, resource); - } + region, resource); + } } From b114954361fb4bb75de86088346c902a50c020fd Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Tue, 5 Dec 2023 13:04:38 +0500 Subject: [PATCH 236/498] Apply suggestions from code review --- .../azure/mediaServices/amsManagedIdentityEnabled.js | 10 +++++----- .../mediaServices/amsManagedIdentityEnabled.spec.js | 4 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) 
diff --git a/plugins/azure/mediaServices/amsManagedIdentityEnabled.js b/plugins/azure/mediaServices/amsManagedIdentityEnabled.js index 9b008caba3..8f2a2cf8e3 100644 --- a/plugins/azure/mediaServices/amsManagedIdentityEnabled.js +++ b/plugins/azure/mediaServices/amsManagedIdentityEnabled.js @@ -5,10 +5,10 @@ module.exports = { title: 'Media Services Managed Identity Enabled', category: 'Media Services', domain: 'Content Delivery', - description: 'Ensure that Azure Media Services have managed identity enabled.', + description: 'Ensures that Azure Media Service accounts have managed identity enabled.', more_info: 'Enabling managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.', link: 'https://learn.microsoft.com/en-us/azure/media-services/latest/concept-managed-identities', - recommended_action: 'Remove Azure Media Services accounts and create a new account with managed identity enabled.', + recommended_action: 'Create a new Media service account with managed identity for storage account enabled.', apis: ['mediaServices:listAll', 'mediaServices:get'], run: function(cache, settings, callback) { @@ -39,7 +39,7 @@ module.exports = { ['mediaServices', 'get', location, mediaService.id]); if (!getMediaService || getMediaService.err || !getMediaService.data) { - helpers.addResult(results, 3, `Unable to query for Media Service: ${helpers.addError(getMediaService)}`, + helpers.addResult(results, 3, `Unable to query for Media Service data: ${helpers.addError(getMediaService)}`, location, mediaService.id); continue; } 
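Review bot: The new `recommended_action` in the first hunk, `'Create a new Media service account with managed identity for storage account enabled.'`, describes the storage-account authentication setting that the separate amsStorageAccountIdentityEnabled plugin checks, while this plugin's `run` only inspects `identity.type` for userassigned/systemassigned, so the remediation no longer matches the check. If the identity can be added later, `'Modify Media Services account and enable a system-assigned or user-assigned managed identity.'` fits; if it can only be set at creation, keep the create wording but drop "for storage account", e.g. `'Create a new Media Services account with a system-assigned or user-assigned managed identity enabled.'`. The rest of the `run` function continues past the second hunk.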
@@ -48,9 +48,9 @@ module.exports = { && (getMediaService.data.identity.type.toLowerCase() === 'userassigned' || getMediaService.data.identity.type.toLowerCase() === 'systemassigned')) { - helpers.addResult(results, 0, 'Media Service account has managed Identity enabled', location, mediaService.id); + helpers.addResult(results, 0, 'Media Service account has managed identity enabled', location, mediaService.id); } else { - helpers.addResult(results, 2, 'Media Service account does not have managed Identity enabled', location, mediaService.id); + helpers.addResult(results, 2, 'Media Service account does not have managed identity enabled', location, mediaService.id); } } diff --git a/plugins/azure/mediaServices/amsManagedIdentityEnabled.spec.js b/plugins/azure/mediaServices/amsManagedIdentityEnabled.spec.js index 49f3457e97..94e4c8977f 100644 --- a/plugins/azure/mediaServices/amsManagedIdentityEnabled.spec.js +++ b/plugins/azure/mediaServices/amsManagedIdentityEnabled.spec.js @@ -100,7 +100,7 @@ describe('amsManagedIdentityEnabled', function() { amsManagedIdentityEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Media Service account does not have managed Identity enabled'); + expect(results[0].message).to.include('Media Service account does not have managed identity enabled'); expect(results[0].region).to.equal('eastus'); done(); }); @@ -111,7 +111,7 @@ describe('amsManagedIdentityEnabled', function() { amsManagedIdentityEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Media Service account has managed Identity enabled'); + expect(results[0].message).to.include('Media Service account has managed identity enabled'); expect(results[0].region).to.equal('eastus'); done(); }); From 5e8f6949e11f0ab7a19585e74730414d5f22b670 Mon Sep 17 00:00:00 2001 
From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Tue, 5 Dec 2023 13:35:14 +0500 Subject: [PATCH 237/498] Apply suggestions from code review --- plugins/azure/mediaServices/amsContentKeyPolicy.js | 12 ++++++------ .../azure/mediaServices/amsContentKeyPolicy.spec.js | 6 +++--- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/plugins/azure/mediaServices/amsContentKeyPolicy.js b/plugins/azure/mediaServices/amsContentKeyPolicy.js index afa5c75b41..0baed2f7c4 100644 --- a/plugins/azure/mediaServices/amsContentKeyPolicy.js +++ b/plugins/azure/mediaServices/amsContentKeyPolicy.js @@ -2,13 +2,13 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Media Services Content Key Policy Exists', + title: 'Media Services Content Key Policy', category: 'Media Services', domain: 'Content Delivery', - description: 'Ensure that Microsoft Azure Media Services have Content Key Policy configured.', + description: 'Ensure that Azure Media Services have Content Key Policy configured.', more_info: 'A Content Key Policy in Azure Media Services dictates how content keys, ensuring secure asset access, are delivered to end clients. It allows setting requirements or restrictions that keys with specific configurations must meet before being delivered to clients.', link: 'https://learn.microsoft.com/en-us/azure/media-services/latest/drm-content-key-policy-concept', - recommended_action: 'Modify media service account and add a content key policy.', + recommended_action: 'Modify media service account and add content key policy.', apis: ['mediaServices:listAll', 'mediaServices:listContentKeyPolicies'], run: function(cache, settings, callback) { 
@@ -39,14 +39,14 @@ module.exports = { ['mediaServices', 'listContentKeyPolicies', location, mediaService.id]); if (!listContentKeyPolicies || listContentKeyPolicies.err || !listContentKeyPolicies.data) { - helpers.addResult(results, 3, `Unable to query for Content Key Policy: ${helpers.addError(listContentKeyPolicies)}`, + helpers.addResult(results, 3, `Unable to query Content Key Policy for Media service account: ${helpers.addError(listContentKeyPolicies)}`, location, mediaService.id); continue; } if (listContentKeyPolicies.data.length > 0) { - helpers.addResult(results, 0, 'Azure Media Service has content key policy configured', location, mediaService.id); + helpers.addResult(results, 0, 'Media Service account has content key policy configured', location, mediaService.id); } else { - helpers.addResult(results, 2, 'Azure Media Service does not have content key policy configured', location, mediaService.id); + helpers.addResult(results, 2, 'Media Service account does not have content key policy configured', location, mediaService.id); } } diff --git a/plugins/azure/mediaServices/amsContentKeyPolicy.spec.js b/plugins/azure/mediaServices/amsContentKeyPolicy.spec.js index f7319c64e7..4a1be9ddb5 100644 --- a/plugins/azure/mediaServices/amsContentKeyPolicy.spec.js +++ b/plugins/azure/mediaServices/amsContentKeyPolicy.spec.js @@ -77,7 +77,7 @@ describe('amsContentKeyPolicy', function() { amsContentKeyPolicy.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); - expect(results[0].message).to.include('Unable to query for Content Key Policy'); + expect(results[0].message).to.include('Unable to query Content Key Policy for Media service account:'); expect(results[0].region).to.equal('eastus'); done(); }); 
@@ -88,7 +88,7 @@ describe('amsContentKeyPolicy', function() { amsContentKeyPolicy.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Azure Media Service has content key policy configured'); + expect(results[0].message).to.include('Media Service account has content key policy configured'); expect(results[0].region).to.equal('eastus'); done(); }); @@ -99,7 +99,7 @@ describe('amsContentKeyPolicy', function() { amsContentKeyPolicy.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Azure Media Service does not have content key policy configured'); + expect(results[0].message).to.include('Media Service account does not have content key policy configured'); expect(results[0].region).to.equal('eastus'); done(); }); From a0538ad4ba0649243f788c3a8f4debb0f49b32ba Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Tue, 5 Dec 2023 13:37:42 +0500 Subject: [PATCH 238/498] Update plugins/azure/mediaServices/amsContentKeyPolicy.js --- plugins/azure/mediaServices/amsContentKeyPolicy.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/mediaServices/amsContentKeyPolicy.js b/plugins/azure/mediaServices/amsContentKeyPolicy.js index 0baed2f7c4..6cd000942f 100644 --- a/plugins/azure/mediaServices/amsContentKeyPolicy.js +++ b/plugins/azure/mediaServices/amsContentKeyPolicy.js 
@@ -8,7 +8,7 @@ module.exports = { description: 'Ensure that Azure Media Services have Content Key Policy configured.', more_info: 'A Content Key Policy in Azure Media Services dictates how content keys, ensuring secure asset access, are delivered to end clients. It allows setting requirements or restrictions that keys with specific configurations must meet before being delivered to clients.', link: 'https://learn.microsoft.com/en-us/azure/media-services/latest/drm-content-key-policy-concept', - recommended_action: 'Modify media service account and add content key policy.', + recommended_action: 'Modify Media Service account and add content key policy.', apis: ['mediaServices:listAll', 'mediaServices:listContentKeyPolicies'], run: function(cache, settings, callback) { From 8cf15c428b10ccda0bbd75cf9a47bc50b98aeb72 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Tue, 5 Dec 2023 13:52:40 +0500 Subject: [PATCH 239/498] Apply suggestions from code review --- .../recoveryVaultDiagnosticLogsEnabled.js | 14 ++++---------- .../recoveryVaultDiagnosticLogsEnabled.spec.js | 4 +--- 2 files changed, 5 insertions(+), 13 deletions(-) diff --git a/plugins/azure/recoveryService/recoveryVaultDiagnosticLogsEnabled.js b/plugins/azure/recoveryService/recoveryVaultDiagnosticLogsEnabled.js index b9659d7f34..dda88faac0 100644 --- a/plugins/azure/recoveryService/recoveryVaultDiagnosticLogsEnabled.js +++ b/plugins/azure/recoveryService/recoveryVaultDiagnosticLogsEnabled.js 
@@ -5,7 +5,7 @@ module.exports = { title: 'Recovery Services Vault Diagnostic Logs Enabled', category: 'Recovery Service Vault', domain: 'Backup', - description: 'Ensure that Microsoft Azure Recovery Services Vaults have Diagnostic logs enabled.', + description: 'Ensure that Azure Recovery Services Vaults have diagnostic logs enabled.', more_info: 'Diagnostic logs provide valuable insights into the operation and health of the Recovery Services Vault. By enabling diagnostic logs, you can monitor and troubleshoot issues more effectively.', recommended_action: 'Modify the Recovery Service vault and enable diagnostic logs.', link: 'https://learn.microsoft.com/en-us/azure/backup/backup-azure-diagnostic-events?tabs=recovery-services-vaults', @@ -39,18 +39,12 @@ module.exports = { const diagnosticSettings = helpers.addSource(cache, source, ['diagnosticSettings', 'listByRecoveryServiceVault', location, vault.id]); - if (!diagnosticSettings.data || diagnosticSettings.err) { + if (!diagnosticSettings || !diagnosticSettings.data || diagnosticSettings.err) { helpers.addResult(results, 3, - 'Unable to query for Diagnostic settings: ' + helpers.addError(diagnosticSettings), location, vault.id); + 'Unable to query for Recovery Service Vault diagnostic settings: ' + helpers.addError(diagnosticSettings), location, vault.id); continue; } - var found = false; - for (let ds of diagnosticSettings.data) { - if (ds.logs && ds.logs.length) { - found = true; - break; - } - } + var found = diagnosticSettings.data.find(ds => ds.logs && ds.logs.length); if (found) { helpers.addResult(results, 0, 'Recovery Service Vault has diagnostic logs enabled', location, vault.id); diff --git a/plugins/azure/recoveryService/recoveryVaultDiagnosticLogsEnabled.spec.js b/plugins/azure/recoveryService/recoveryVaultDiagnosticLogsEnabled.spec.js index 0e682e2104..62a99ece31 100644 --- a/plugins/azure/recoveryService/recoveryVaultDiagnosticLogsEnabled.spec.js 
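Review bot: `found` on the rewritten `var found = diagnosticSettings.data.find(...)` line is truthy as soon as any diagnostic setting carries a non-empty `logs` array, so a setting whose log categories are all present but switched off (`enabled: false`) still produces the PASS result; the check should look at the flag, e.g. `var found = diagnosticSettings.data.find(ds => ds.logs && ds.logs.some(log => log.enabled));`. The loop this replaces had the same gap, so it is not a regression, but the rewrite is the natural place to close it, and the spec fixture in the next file (entries with `enabled: true`) would still pass. `find` returns the matching object rather than a boolean, which works with `if (found)` but `some(...)` would read more directly. The enclosing async callback continues outside the hunk.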
+++ b/plugins/azure/recoveryService/recoveryVaultDiagnosticLogsEnabled.spec.js @@ -26,13 +26,11 @@ const diagnosticSettings = [ category: 'RecoveryServiceVault', categoryGroup: null, enabled: true, - retentionPolicy: [Object] }, { category: 'RecoveryServiceVault', categoryGroup: null, enabled: true, - retentionPolicy: [Object] } ], logAnalyticsDestinationType: null @@ -100,7 +98,7 @@ describe('recoveryVaultDiagnosticLogsEnabled', function() { recoveryVaultDiagnosticLogsEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); - expect(results[0].message).to.include('Unable to query for Diagnostic settings:'); + expect(results[0].message).to.include('Unable to query for Recovery Service Vault diagnostic settings: '); expect(results[0].region).to.equal('eastus'); done(); }); From 633048ec5ea1ea3194bff1bbd75625a1e62bcccf Mon Sep 17 00:00:00 2001 From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> Date: Tue, 5 Dec 2023 14:56:30 +0500 Subject: [PATCH 240/498] Update plugins/azure/virtualmachines/vmDiskDeleteConfig.js --- plugins/azure/virtualmachines/vmDiskDeleteConfig.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmDiskDeleteConfig.js b/plugins/azure/virtualmachines/vmDiskDeleteConfig.js index c0ebdcb499..cf8ff17782 100644 --- a/plugins/azure/virtualmachines/vmDiskDeleteConfig.js +++ b/plugins/azure/virtualmachines/vmDiskDeleteConfig.js 
@@ -33,7 +33,7 @@ module.exports = { } virtualMachines.data.forEach(virtualMachine => { - if (virtualMachine.storageProfile && virtualMachine.storageProfile.osDisk && virtualMachine.storageProfile.osDisk.deleteOption=='Delete') { + if (virtualMachine.storageProfile && virtualMachine.storageProfile.osDisk && virtualMachine.storageProfile.osDisk.deleteOption && virtualMachine.storageProfile.osDisk === 'Delete') { helpers.addResult(results, 0, 'Automatic disks delete with VM is enabled', location, virtualMachine.id); } else { helpers.addResult(results, 2, 'Automatic disks delete with VM is not enabled', location, virtualMachine.id); From 5ffbb1c77d91713e59e8a828d90f8ce13fa612a1 Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Tue, 5 Dec 2023 15:09:49 +0500 Subject: [PATCH 241/498] updated with recommended changes --- plugins/azure/virtualmachines/vmDiskDeleteConfig.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmDiskDeleteConfig.js b/plugins/azure/virtualmachines/vmDiskDeleteConfig.js index cf8ff17782..30fae52b72 100644 --- a/plugins/azure/virtualmachines/vmDiskDeleteConfig.js +++ b/plugins/azure/virtualmachines/vmDiskDeleteConfig.js @@ -33,7 +33,7 @@ module.exports = { } virtualMachines.data.forEach(virtualMachine => { - if (virtualMachine.storageProfile && virtualMachine.storageProfile.osDisk && virtualMachine.storageProfile.osDisk.deleteOption && virtualMachine.storageProfile.osDisk === 'Delete') { + if (virtualMachine.storageProfile && virtualMachine.storageProfile.osDisk && virtualMachine.storageProfile.osDisk.deleteOption && virtualMachine.storageProfile.osDisk.deleteOption === 'Delete') { helpers.addResult(results, 0, 'Automatic disks delete with VM is enabled', location, virtualMachine.id); } else { helpers.addResult(results, 2, 'Automatic disks delete with VM is not enabled', location, virtualMachine.id); From c56d88f6c615073c12cb823267b01470469f848b Mon Sep 17 00:00:00 2001 
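Review bot: The condition in the second hunk (the 241 fix) spells `virtualMachine.storageProfile.osDisk` four times, and the explicit `deleteOption` truthiness test is redundant once the value is compared against the non-empty string `'Delete'`. If the project's Node baseline permits optional chaining, `if (virtualMachine.storageProfile?.osDisk?.deleteOption === 'Delete') {` expresses the same check in one term; otherwise dropping the `&& virtualMachine.storageProfile.osDisk.deleteOption` clause alone already shortens it without changing the outcome. The comparison is case-sensitive, which is presumably intended given the literal the API returns — worth a comment if the spec fixture does not already pin it. The enclosing forEach callback continues past the hunk.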
From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Tue, 5 Dec 2023 15:16:36 +0500 Subject: [PATCH 242/498] Update vmSecureBootEnabled.js --- plugins/azure/virtualmachines/vmSecureBootEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmSecureBootEnabled.js b/plugins/azure/virtualmachines/vmSecureBootEnabled.js index df68dfb09a..b3bea8932b 100644 --- a/plugins/azure/virtualmachines/vmSecureBootEnabled.js +++ b/plugins/azure/virtualmachines/vmSecureBootEnabled.js @@ -6,7 +6,7 @@ module.exports = { category: 'Virtual Machines', domain: 'Compute', description: 'Ensure Secure Boot is enabled for Azure virtual machines (VM).', - more_info: 'Secure Boot helps protect VMs by ensuring that only signed and trusted components are allowed to execute during the boot process.', + more_info: 'Secure Boot, which is implemented in platform firmware, protects against the installation of malware-based rootkits and boot kits. Secure Boot works to ensure that only signed operating systems and drivers can boot. It establishes a "root of trust" for the software stack on your VM.', recommended_action: 'Enable Secure Boot for Azure virtual machines.', link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch#secure-boot', apis: ['virtualMachines:listAll'], From 66fa89fc08e9bf46fcabe4c2cca96d8b5fea1c36 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Tue, 5 Dec 2023 15:18:50 +0500 Subject: [PATCH 243/498] Update vmSecurityType.js --- plugins/azure/virtualmachines/vmSecurityType.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmSecurityType.js b/plugins/azure/virtualmachines/vmSecurityType.js index ccadaeb8ed..3395875570 100644 --- a/plugins/azure/virtualmachines/vmSecurityType.js +++ b/plugins/azure/virtualmachines/vmSecurityType.js 
@@ -6,7 +6,7 @@ module.exports = { category: 'Virtual Machines', domain: 'Compute', description: 'Ensure Trusted Launch is selected for Azure virtual machines (VM).', - more_info: 'Trusted Launch provides additional security features on Gen 2 virtual machines, offering defense against sophisticated threats.', + more_info: 'Trusted launch protects against advanced and persistent attack techniques. Trusted launch is composed of several, coordinated infrastructure technologies that can be enabled independently. Each technology provides another layer of defense against sophisticated threats.', recommended_action: 'Select Trusted Launch as security type for Azure virtual machines.', link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-portal?tabs=portal%2Cportal3%2Cportal2', apis: ['virtualMachines:listAll'], From 31e990847c4be73b13a5089253e94c603745ddfa Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Tue, 5 Dec 2023 15:51:55 +0500 Subject: [PATCH 244/498] SAAS-20297/ag-security-logging --- exports.js | 1 + helpers/azure/api.js | 5 + .../agSecurityLoggingEnabled.js | 70 ++++++ .../agSecurityLoggingEnabled.spec.js | 208 ++++++++++++++++++ 4 files changed, 284 insertions(+) create mode 100644 plugins/azure/applicationGateway/agSecurityLoggingEnabled.js create mode 100644 plugins/azure/applicationGateway/agSecurityLoggingEnabled.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..5761f4f8c9 100644 --- a/exports.js +++ b/exports.js 
@@ -976,6 +976,7 @@ module.exports = { 'agWafEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agWafEnabled'), 'agPreventionModeEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agPreventionModeEnabled.js'), + 'agSecurityLoggingEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js'), 'subscriptionHasTags' : require(__dirname + '/plugins/azure/subscription/subscriptionHasTags.js'), 'rgHasTags' : require(__dirname + '/plugins/azure/resourceGroup/rgHasTags.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 0c44596e9d..0e18c859ee 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -932,6 +932,11 @@ var tertiarycalls = { properties: ['id'], url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview' }, + listByApplicationGateways: { + reliesOnPath: 'applicationGateway.listAll', + properties: ['id'], + url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview' + }, listByKeyVault: { reliesOnPath: 'vaults.list', properties: ['id'], diff --git a/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js b/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js new file mode 100644 index 0000000000..845bd1f5d8 --- /dev/null +++ b/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js 
@@ -0,0 +1,70 @@ +const async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Application Gateway Security Logging Enabled', + category: 'Application Gateway', + domain: 'Network Access Control', + description: 'Ensures that Application Gateway Access and Firewall logs are enabled.', + more_info: 'Application Gateway access logs helps to analyze important information including the caller\'s IP, requested URL, response latency, return code, and bytes in and out. Web application firewall (WAF) logs can be used to detect potential attacks, and false positive detections that might indicate legitimate requests that the WAF blocked.', + recommended_action: 'Modify Application Gateway and add diagnostic settings for Access and Firewall Logs.', + link: 'https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics', + apis: ['applicationGateway:listAll', 'diagnosticSettings:listByApplicationGateways'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + async.each(locations.applicationGateway, (location, rcb) => { + const applicationGateways = helpers.addSource(cache, source, + ['applicationGateway', 'listAll', location]); + + if (!applicationGateways) return rcb(); + + if (applicationGateways.err || !applicationGateways.data) { + helpers.addResult(results, 3, + 'Unable to query Application Gateway: ' + helpers.addError(applicationGateways), location); + return rcb(); + } + + if (!applicationGateways.data.length) { + helpers.addResult(results, 0, 'No existing Application Gateway found', location); + return rcb(); + } + + applicationGateways.data.forEach(function(appGateway) { + if (!appGateway.id) return; + const diagnosticSettings = helpers.addSource(cache, source, + ['diagnosticSettings', 'listByApplicationGateways', location, appGateway.id]); + + if (!diagnosticSettings || 
diagnosticSettings.err || !diagnosticSettings.data) { + helpers.addResult(results, 3, 'Unable to query Application Gateway diagnostics settings: ' + helpers.addError(diagnosticSettings), location, appGateway.id); + } else { + + var logs = diagnosticSettings.data[0] && diagnosticSettings.data[0].logs ? diagnosticSettings.data[0].logs : []; + const allLogsEnabled = logs.some(log => log.categoryGroup === 'allLogs' && log.enabled); + if (allLogsEnabled) { + helpers.addResult(results, 0, 'Application Gateway has security logging enabled', location, appGateway.id); + } else { + const requiredLogs = ['ApplicationGatewayAccessLog', 'ApplicationGatewayFirewallLog']; + const missingLogs = requiredLogs.filter(requiredCategory => + !logs.find(log => (log.category === requiredCategory && log.enabled)) + ); + + if (missingLogs.length) { + helpers.addResult(results, 2, `Application Gateway does not have security logging enabled. Missing Logs ${missingLogs}`, location, appGateway.id); + } else { + helpers.addResult(results, 0, 'Application Gateway has security logging enabled', location, appGateway.id); + } + + } + + } + }); + + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/applicationGateway/agSecurityLoggingEnabled.spec.js b/plugins/azure/applicationGateway/agSecurityLoggingEnabled.spec.js new file mode 100644 index 0000000000..1c891e48a2 --- /dev/null +++ b/plugins/azure/applicationGateway/agSecurityLoggingEnabled.spec.js 
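Review bot: Only `diagnosticSettings.data[0]` is inspected on the `var logs = ...` line, so a gateway whose access log and firewall log are routed through two different diagnostic settings (one to Log Analytics, the other to storage, for instance) is reported as missing a log even though both are enabled. Collecting the categories across every setting fixes it: `var logs = [].concat(...diagnosticSettings.data.map(ds => (ds && ds.logs) || []));` — the spec fixture in the next file contains an empty `{}` setting, which the `ds && ds.logs` guard covers. Separately, `${missingLogs}` interpolates the array with the default comma separator and no space; `missingLogs.join(', ')` is clearer. The plugin does not read the gateway SKU, and as far as I know the `ApplicationGatewayFirewallLog` category only exists on WAF-tier gateways, so a non-WAF gateway will always fail this check; that should at least be stated in `more_info` or handled by skipping the firewall category when the SKU is not WAF.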
@@ -0,0 +1,208 @@ +var expect = require('chai').expect; +var agSecurityLoggingEnabled = require('./agSecurityLoggingEnabled'); + +const appGateway = [ + { + "name": "meerab-test", + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/meerab-rg/providers/Microsoft.Network/applicationGateways/meerab-test", + "etag": "W/\"b3bb388c-f5ff-495a-8163-98edbeb32047\"", + "type": "Microsoft.Network/applicationGateways", + "location": "eastus", + "tags": {}, + "provisioningState": "Succeeded", + "resourceGuid": "c166b007-4ecd-45c2-9faa-74664407558b", + "sku": { + "name": "WAF_v2", + "tier": "WAF_v2", + "family": "Generation_1" + }, + } +]; + +const diagnosticSettings = [ + { + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/microsoft.network/applicationgateways/meerab-test/providers/microsoft.insights/diagnosticSettings/app-ds", + "type": "Microsoft.Insights/diagnosticSettings", + "name": "app-ds", + "logs": [ + { + "category": "ApplicationGatewayAccessLog", + "categoryGroup": null, + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + }, + { + "category": "ApplicationGatewayFirewallLog", + "categoryGroup": null, + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logAnalyticsDestinationType": null + }, + {}, + { + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/microsoft.network/applicationgateways/meerab-test/providers/microsoft.insights/diagnosticSettings/app-ds", + "type": "Microsoft.Insights/diagnosticSettings", + "name": "app-ds", + "logs": [ + { + "category": "ApplicationGatewayAccessLog", + "categoryGroup": null, + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + }, + ], + "logAnalyticsDestinationType": null + }, +] +const createCache = (applicationGateway, diagnostics) => { + let diagnostic = {}; + if (applicationGateway.length) { + 
diagnostic[applicationGateway[0].id] = { + data: diagnostics + }; + } + + return { + applicationGateway: { + listAll: { + 'eastus': { + data: applicationGateway + } + } + }, + diagnosticSettings: { + listByApplicationGateways: { + 'eastus': diagnostic + } + } + }; +}; + +const createErrorCache = (key) => { + if (key == 'appGateway') { + return { + applicationGateway: { + listAll: { + 'eastus': {} + } + } + }; + } else if (key === 'noGateway'){ + return { + applicationGateway: { + listAll: { + 'eastus': { + data:{} + } + } + } + }; + }else if (key === 'diagnostic') { + return { + applicationGateway: { + listAll: { + 'eastus': { + data: [appGateway[0]] + } + } + }, + diagnosticSettings: { + listByApplicationGateways: { + 'eastus': {} + } + } + }; + } else { + const appId = (appGateway && appGateway.length) ? appGateway[0].id : null; + const diagnosticSetting = (diagnosticSettings && diagnosticSettings.length) ? diagnosticSettings[0].id : null; + return { + applicationGateway: { + listAll: { + 'eastus': { + data: [appId[0]] + } + } + }, + diagnosticSettings: { + listByApplicationGateways: { + 'eastus': { + data: {} + } + } + } + }; + } +}; + +describe('agSecurityLoggingEnabled', function() { + describe('run', function() { + it('should give passing result if no Application Gateway found', function(done) { + const cache = createErrorCache('noGateway'); + agSecurityLoggingEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Application Gateway found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result unable to query Application Gateway:', function(done) { + const cache = createErrorCache('appGateway'); + agSecurityLoggingEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query 
Application Gateway'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + + it('should give unknown result unable to query Application Gateway diagnostics settings:', function(done) { + const cache = createErrorCache('diagnostic'); + agSecurityLoggingEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Application Gateway diagnostics settings:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give pass result if Application Gateway has security logging enabled', function(done) { + const cache = createCache([appGateway[0]],[diagnosticSettings[0]]); + agSecurityLoggingEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Application Gateway has security logging enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give fail result if Application Gateway have missing logs', function(done) { + const cache = createCache([appGateway[0]],[diagnosticSettings[2]]); + agSecurityLoggingEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Application Gateway does not have security logging enabled due to ApplicationGatewayFirewallLog'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + }); +}); + From 622212f3e318c8e19d96eacc5326bf983c456eb5 Mon Sep 17 00:00:00 2001 
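Review bot: The last test asserts the message contains `'Application Gateway does not have security logging enabled due to ApplicationGatewayFirewallLog'`, but the plugin in the previous file emits `Application Gateway does not have security logging enabled. Missing Logs ${missingLogs}`, so this case fails as written; one side has to change, e.g. `expect(results[0].message).to.include('Application Gateway does not have security logging enabled. Missing Logs ApplicationGatewayFirewallLog');`. The final `else` branch of `createErrorCache` indexes the gateway id string with `appId[0]` and declares an unused `diagnosticSetting`; no test reaches it, so it is dead fixture code that should be removed or given a test. The `'noGateway'` fixture passes `data:{}` rather than an empty array and only reaches the "No existing Application Gateway found" result because `{}.length` is undefined; `data: []` would exercise the intended path.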
From: fatima99s Date: Tue, 5 Dec 2023 16:00:38 +0500 Subject: [PATCH 245/498] Added check ENI seeting for open all port plugins --- plugins/aws/ec2/openAllPortsProtocols.js | 11 ++++ plugins/aws/ec2/openAllPortsProtocols.spec.js | 53 +++++++++++++++++- .../aws/ec2/openAllPortsProtocolsEgress.js | 11 ++++ .../ec2/openAllPortsProtocolsEgress.spec.js | 56 +++++++++++++++++-- 4 files changed, 125 insertions(+), 6 deletions(-) diff --git a/plugins/aws/ec2/openAllPortsProtocols.js b/plugins/aws/ec2/openAllPortsProtocols.js index 5d03950029..4ddaec2383 100644 --- a/plugins/aws/ec2/openAllPortsProtocols.js +++ b/plugins/aws/ec2/openAllPortsProtocols.js @@ -16,6 +16,12 @@ module.exports = { description: 'When set to true, skip checking ports for unused security groups and produce a WARN result', regex: '^(true|false)$', default: 'false', + }, + check_network_interface: { + name: 'Check Associated ENI', + description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed', + regex: '^(true|false)$', + default: 'flase', } }, compliance: { @@ -31,9 +37,11 @@ module.exports = { run: function(cache, settings, callback) { var config = { ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default, + check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default, }; config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true'); + config.check_network_interface = (config.check_network_interface == 'true'); var results = []; var source = {}; 
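Review bot: The new `check_network_interface` setting declares `default: 'flase'`, which does not satisfy its own `regex: '^(true|false)$'`; the run step's `== 'true'` comparison happens to treat it as off, but any consumer that validates or displays defaults against the regex gets a bad value, so it should be `default: 'false',`. The same typo appears in the openAllPortsProtocolsEgress.js settings hunk below. Since this flag hands an open-to-world security group over to the ENI check instead of recording the FAIL, the description could say explicitly that the result is then decided by the associated network interfaces, which is what the run hunks do.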
@@ -109,6 +117,9 @@ module.exports = { usedGroups.length && !usedGroups.includes(groups[g].GroupId)) { helpers.addResult(results, 1, `Security Group: ${groups[g].GroupId} is not in use`, region, resource); + } else if( config.check_network_interface) { + var resultString = `Security group:${groups[g].GroupId} (${groups[g].GroupName}) has ${strings.join(' and ')}`; + helpers.checkNetworkInterface(groups[g].GroupId, groups[g].GroupName, resultString, region, results, resource, cache); } else { helpers.addResult(results, 2, 'Security group: ' + groups[g].GroupId + diff --git a/plugins/aws/ec2/openAllPortsProtocols.spec.js b/plugins/aws/ec2/openAllPortsProtocols.spec.js index 56ed709542..791ce54ae5 100644 --- a/plugins/aws/ec2/openAllPortsProtocols.spec.js +++ b/plugins/aws/ec2/openAllPortsProtocols.spec.js @@ -76,6 +76,47 @@ const describeSecurityGroups = [ } ], "VpcId": "vpc-99de2fe4" + }, + { + "Description": "Allows SSh access to developer", + "GroupName": "spec-test-sg2", + "IpPermissions": [{ + "IpProtocol": "tcp", + "IpRanges": [ + { + "CidrIp": "0.0.0.0/0" + } + ], + "Ipv6Ranges": [ + { + "CidrIpv6": "::/0" + } + ], + "PrefixListIds": [], + "UserIdGroupPairs": [] + }], + "OwnerId": "12345654321", + "GroupId": "sg-001", + "IpPermissionsEgress": [ + { + "FromPort": 25, + "IpProtocol": "tcp", + "IpRanges": [ + { + "CidrIp": "0.0.0.0/0" + } + ], + "Ipv6Ranges": [ + { + "CidrIpv6": "::/0" + } + ], + "PrefixListIds": [], + "ToPort": 25, + "UserIdGroupPairs": [] + } + ], + "VpcId": "vpc-99de2fe4" } ]; @@ -90,7 +131,7 @@ const describeNetworkInterfaces = [ }, { "GroupName": "HTTP-Access", - "GroupId": "sg-02e2c70cd463dca29" + "GroupId": "sg-001639e564442dfec" }, ], "InterfaceType": "interface", 
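Review bot: In the new `else if( config.check_network_interface)` branch, `resultString` starts with `Security group:${groups[g].GroupId}` with no space after the colon, while the sibling `else` branch emits `'Security group: ' + groups[g].GroupId`; any consumer or spec matching on the message prefix will diverge between the two paths, so insert the space so it reads `Security group: ${groups[g].GroupId} (…)` like the other branch. `strings` and `helpers.checkNetworkInterface` are defined outside this hunk and outside this patch, so I could not confirm that the helper records an UNKNOWN or FAIL result when the ENI lookup itself fails rather than dropping the finding; that deserves a spec case, because a missing result here silently hides an open security group. The same branch is added in the openAllPortsProtocolsEgress.js run hunk below. The enclosing loop continues outside the hunk.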
@@ -261,7 +302,7 @@ describe('openAllPortsProtocols', function () { }); it('should WARN if security group is unused', function (done) { - const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], []); + const cache = createCache([describeSecurityGroups[2]], [describeNetworkInterfaces[0]], []); openAllPortsProtocols.run(cache, {ec2_skip_unused_groups: 'true'}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(1); @@ -294,6 +335,14 @@ describe('openAllPortsProtocols', function () { done(); }); }); + it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) { + const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]); + openAllPortsProtocols.run(cache, {check_network_interface:'true'}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + done(); + }); + }); }); }); diff --git a/plugins/aws/ec2/openAllPortsProtocolsEgress.js b/plugins/aws/ec2/openAllPortsProtocolsEgress.js index 6b9d4e9e8b..303ae4438c 100644 --- a/plugins/aws/ec2/openAllPortsProtocolsEgress.js +++ b/plugins/aws/ec2/openAllPortsProtocolsEgress.js 
@@ -16,14 +16,22 @@ module.exports = {
 description: 'When set to true, skip checking ports for unused security groups and produce a WARN result',
 regex: '^(true|false)$',
 default: 'false',
+ },
+ check_network_interface: {
+ name: 'Check Associated ENI',
+ description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed',
+ regex: '^(true|false)$',
+ default: 'flase',
 }
 },
 run: function(cache, settings, callback) {
 var config = {
 ec2_skip_unused_groups: settings.ec2_skip_unused_groups || this.settings.ec2_skip_unused_groups.default,
+ check_network_interface: settings.check_network_interface || this.settings.check_network_interface.default,
 };
 config.ec2_skip_unused_groups = (config.ec2_skip_unused_groups == 'true');
+ config.check_network_interface = (config.check_network_interface == 'true');
 var results = [];
 var source = {};
@@ -89,6 +97,9 @@ module.exports = {
 usedGroups.length && !usedGroups.includes(group.GroupId)) {
 helpers.addResult(results, 1, `Security Group: ${group.GroupId} is not in use`, region, resource);
+ } else if( config.check_network_interface) {
+ var resultString = `Security group:${group.GroupId} (${group.GroupName}) has ${strings.join(' and ')}`;
+ helpers.checkNetworkInterface(group.GroupId, group.GroupName, resultString, region, results, resource, cache);
 } else {
 helpers.addResult(results, 2, 'Security group: ' + group.GroupId +
diff --git a/plugins/aws/ec2/openAllPortsProtocolsEgress.spec.js b/plugins/aws/ec2/openAllPortsProtocolsEgress.spec.js
index ef79214a63..07815e77c4 100644
--- a/plugins/aws/ec2/openAllPortsProtocolsEgress.spec.js
+++ b/plugins/aws/ec2/openAllPortsProtocolsEgress.spec.js
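Review bot: The new `check_network_interface` setting declares `default: 'flase'`, a typo: the default does not satisfy the setting's own `regex: '^(true|false)$'`, and it only behaves as "off" because `config.check_network_interface == 'true'` treats every other string as false. Change it to `default: 'false',` to match the `ec2_skip_unused_groups` setting directly above it. The corresponding settings block for openAllPortsProtocols.js is outside this chunk and is presumably worth checking for the same typo.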
@@ -76,7 +76,48 @@ const describeSecurityGroups = [
 }
 ],
 "VpcId": "vpc-99de2fe4"
- }
+ },
+ {
+ "Description": "Allows SSh access to developer",
+ "GroupName": "spec-test-sg2",
+ "IpPermissionsEgress": [{
+ "IpProtocol": "tcp",
+ "IpRanges": [
+ {
+ "CidrIp": "0.0.0.0/0"
+ }
+ ],
+ "Ipv6Ranges": [
+ {
+ "CidrIpv6": "::/0"
+ }
+ ],
+ "PrefixListIds": [],
+ "UserIdGroupPairs": []
+ }],
+ "OwnerId": "12345654321",
+ "GroupId": "sg-001639e5",
+ "IpPermissions": [
+ {
+ "FromPort": 25,
+ "IpProtocol": "tcp",
+ "IpRanges": [
+ {
+ "CidrIp": "0.0.0.0/0"
+ }
+ ],
+ "Ipv6Ranges": [
+ {
+ "CidrIpv6": "::/0"
+ }
+ ],
+ "PrefixListIds": [],
+ "ToPort": 25,
+ "UserIdGroupPairs": []
+ }
+ ],
+ "VpcId": "vpc-99de2fe4"
+ },
 ];
 const describeNetworkInterfaces = [
@@ -90,7 +131,7 @@ const describeNetworkInterfaces = [
 },
 {
 "GroupName": "HTTP-Access",
- "GroupId": "sg-02e2c70cd463dca29"
+ "GroupId": "sg-001639e564442dfec"
 },
 ],
 "InterfaceType": "interface",
@@ -261,7 +302,7 @@ describe('openAllPortsEgress', function () {
 });
 it('should WARN if security group is unused', function (done) {
- const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], []);
+ const cache = createCache([describeSecurityGroups[2]], [describeNetworkInterfaces[0]], []);
 openAllPortsEgress.run(cache, {ec2_skip_unused_groups: 'true'}, (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(1);
@@ -294,6 +335,13 @@ describe('openAllPortsEgress', function () {
 done();
 });
 });
-
+ it('should PASS if open port security group attached to the network interface has no public IP associated', function (done) {
+ const cache = createCache([describeSecurityGroups[1]], [describeNetworkInterfaces[0]], [listFunctions[0]]);
+ openAllPortsEgress.run(cache, {check_network_interface:'true'}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
 });
 });
From 5d9c41fca60e3e9cfb2fec704068dd84c78bbf1d Mon Sep 17 00:00:00 2001
From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com>
Date: Tue, 5 Dec 2023 16:01:49 +0500
Subject: [PATCH 246/498] Update auditMicrosoftOperationsEnabled.js
---
 plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.js b/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.js
index 730901e390..d631c5cc57 100644
--- a/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.js
+++ b/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.js
@@ -6,7 +6,7 @@ module.exports = {
 category: 'SQL Server',
 domain: 'Databases',
 description: 'Ensure auditing of Microsoft support operations is enabled on SQL server.',
- more_info: 'Enabling this option captures Microsoft support engineers (DevOps) operations for enhanced monitoring and troubleshooting.',
+ more_info: 'Auditing Microsoft support operations for your Azure SQL Database server enhances transparency during support requests. This feature, combined with your existing auditing, facilitates anomaly detection, trend visualization, and data loss prevention.',
 recommended_action: 'Enable the option to capture Microsoft support operations and write them to a selected Storage account, Log Analytics workspace, or Event Hub.',
 link: 'https://learn.microsoft.com/en-us/azure/azure-sql/database/auditing-microsoft-support-operations?view=azuresql',
 apis: ['servers:listSql', 'devOpsAuditingSettings:list'],
From 46160f2aeeb7bb98f8a7ff364ff36e38e8c43594 Mon Sep 17 00:00:00 2001
From: fatima99s
Date: Tue, 5 Dec 2023 16:01:58 +0500
Subject: [PATCH 247/498] lint
---
 plugins/aws/ec2/openAllPortsProtocols.js | 2 +-
 plugins/aws/ec2/openAllPortsProtocolsEgress.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/plugins/aws/ec2/openAllPortsProtocols.js b/plugins/aws/ec2/openAllPortsProtocols.js
index 4ddaec2383..420f23853c 100644
--- a/plugins/aws/ec2/openAllPortsProtocols.js
+++ b/plugins/aws/ec2/openAllPortsProtocols.js
@@ -117,7 +117,7 @@ module.exports = {
 usedGroups.length && !usedGroups.includes(groups[g].GroupId)) {
 helpers.addResult(results, 1, `Security Group: ${groups[g].GroupId} is not in use`, region, resource);
- } else if( config.check_network_interface) {
+ } else if ( config.check_network_interface) {
 var resultString = `Security group:${groups[g].GroupId} (${groups[g].GroupName}) has ${strings.join(' and ')}`;
 helpers.checkNetworkInterface(groups[g].GroupId, groups[g].GroupName, resultString, region, results, resource, cache);
 } else {
diff --git a/plugins/aws/ec2/openAllPortsProtocolsEgress.js b/plugins/aws/ec2/openAllPortsProtocolsEgress.js
index 303ae4438c..7b1bf389e0 100644
--- a/plugins/aws/ec2/openAllPortsProtocolsEgress.js
+++ b/plugins/aws/ec2/openAllPortsProtocolsEgress.js
@@ -97,7 +97,7 @@ module.exports = {
 usedGroups.length && !usedGroups.includes(group.GroupId)) {
 helpers.addResult(results, 1, `Security Group: ${group.GroupId} is not in use`, region, resource);
- } else if( config.check_network_interface) {
+ } else if ( config.check_network_interface) {
 var resultString = `Security group:${group.GroupId} (${group.GroupName}) has ${strings.join(' and ')}`;
 helpers.checkNetworkInterface(group.GroupId, group.GroupName, resultString, region, results, resource, cache);
 } else {
From 58dbaff9ac349fd8aeb9d415c1e1cdcea4f21960 Mon Sep 17 00:00:00 2001
From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com>
Date: Tue, 5 Dec 2023 16:13:03 +0500
Subject: [PATCH 248/498] Update dbLedgerEnabled.js
---
 plugins/azure/sqldatabases/dbLedgerEnabled.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/sqldatabases/dbLedgerEnabled.js b/plugins/azure/sqldatabases/dbLedgerEnabled.js
index daeb64077d..b4ad3c678a 100644
--- a/plugins/azure/sqldatabases/dbLedgerEnabled.js
+++ b/plugins/azure/sqldatabases/dbLedgerEnabled.js
@@ -6,7 +6,7 @@ module.exports = {
 category: 'SQL Databases',
 domain: 'Databases',
 description: 'Ensure ledger is enabled to protect the integrity of data for SQL databases.',
- more_info: 'Azure ledger helps protect the integrity of data by enabling customers to use cryptographic seals on their data.',
+ more_info: 'Azure ledger helps protect the integrity of data by enabling customers to use cryptographic seals on their data. The database ledger incrementally captures the state of a database as the database evolves over time, while updates occur on ledger tables',
 recommended_action: 'Enable Azure ledger for all future tables in the SQL database to enhance data integrity.',
 link: 'https://learn.microsoft.com/en-us/sql/relational-databases/security/ledger/ledger-overview?view=sql-server-ver16',
 apis: ['servers:listSql', 'databases:listByServer'],
From 2ca5e969cecf1fd64c6f32d11e29146b6adc15c9 Mon Sep 17 00:00:00 2001
From: alphadev4
Date: Tue, 5 Dec 2023 16:15:11 +0500
Subject: [PATCH 249/498] Security_logging
---
 exports.js | 2 +-
 ...nabled.js => afdSecurityLoggingEnabled.js} | 37 +++++++++------
 ...c.js => afdSecurityLoggingEnabled.spec.js} | 47 +++++++++++--------
 3 files changed, 51 insertions(+), 35 deletions(-)
 rename plugins/azure/frontdoor/{wafLogsEnabled.js => afdSecurityLoggingEnabled.js} (57%)
 rename plugins/azure/frontdoor/{wafLogsEnabled.spec.js => afdSecurityLoggingEnabled.spec.js} (81%)
diff --git a/exports.js b/exports.js
index 84d847377b..90aebbfadc 100644
--- a/exports.js
+++ b/exports.js
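Review bot: The new `more_info` string ends without a terminating period, `...while updates occur on ledger tables'`, unlike every other sentence in this metadata block and unlike the first sentence of the same string; end it with `...while updates occur on ledger tables.'`.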
@@ -989,7 +989,7 @@ module.exports = {
 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'),
 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'),
- 'wafLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/wafLogsEnabled.js'),
+ 'afdSecurityLoggingEnabled' : require(__dirname + '/plugins/azure/frontdoor/afdSecurityLoggingEnabled.js'),
 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'),
 },
 github: {
diff --git a/plugins/azure/frontdoor/wafLogsEnabled.js b/plugins/azure/frontdoor/afdSecurityLoggingEnabled.js
similarity index 57%
rename from plugins/azure/frontdoor/wafLogsEnabled.js
rename to plugins/azure/frontdoor/afdSecurityLoggingEnabled.js
index fac1d10a8e..ae3e60ba5e 100644
--- a/plugins/azure/frontdoor/wafLogsEnabled.js
+++ b/plugins/azure/frontdoor/afdSecurityLoggingEnabled.js
@@ -2,12 +2,12 @@ const async = require('async');
 const helpers = require('../../../helpers/azure');
 module.exports = {
- title: 'Front Door WAF Logs Enabled',
+ title: 'Front Door Security Logging Enabled',
 category: 'Front Door',
 domain: 'Content Delivery',
- description: 'Ensures that Azure Front Door WAF logs are enabled.',
- more_info: 'Azure Front Door captures several types of logs. Web application firewall (WAF) logs can be used to detect potential attacks, and false positive detections that might indicate legitimate requests that the WAF blocked.',
- recommended_action: 'Ensure that diagnostic setting for Front Door WAF logs is enabled.',
+ description: 'Ensures that Azure Front Door Access and WAF logs are enabled.',
+ more_info: 'Azure Front Door captures several types of logs. Access logs can be used to identify slow requests, determine error rates, and understand how Front Door\'s caching behavior is working for your solution. Web application firewall (WAF) logs can be used to detect potential attacks, and false positive detections that might indicate legitimate requests that the WAF blocked.',
+ recommended_action: 'Modify Front Door profile and add diagnostic settings for Access and WAF Logs.',
 link: 'https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-monitor?pivots=front-door-standard-premium',
 apis: ['profiles:list', 'diagnosticSettings:listByAzureFrontDoor'],
@@ -43,18 +43,25 @@ module.exports = {
 if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) {
 helpers.addResult(results, 3, 'Unable to query Front Door diagnostics settings: ' + helpers.addError(diagnosticSettings), location, profile.id);
 } else {
- var frontDoorWafLogsEnabled = false;
- diagnosticSettings.data.forEach(setting => {
- var logs = setting.logs;
- if (logs.some(log => (log.categoryGroup === 'allLogs' || log.category === 'FrontDoorWebApplicationFirewallLog') && log.enabled)) {
- frontDoorWafLogsEnabled = true;
- }
- });
- if (frontDoorWafLogsEnabled) {
- helpers.addResult(results, 0, 'Front Door profile WAF logs are enabled', location, profile.id);
+ var logs = diagnosticSettings.data[0] && diagnosticSettings.data[0].logs ? diagnosticSettings.data[0].logs : [];
+
+ const allLogsEnabled = logs.some(log => log.categoryGroup === 'allLogs' && log.enabled);
+ if (allLogsEnabled) {
+ helpers.addResult(results, 0, 'Front Door profile has security logging enabled', location, profile.id);
 } else {
- helpers.addResult(results, 2, 'Front Door profile WAF logs are not enabled', location, profile.id);
- }
+ const requiredLogs = ['FrontDoorAccessLog', 'FrontDoorWebApplicationFirewallLog'];
+ const missingLogs = requiredLogs.filter(requiredCategory =>
+ !logs.find(log => (log.category === requiredCategory && log.enabled))
+ );
+
+ if (missingLogs.length) {
+ helpers.addResult(results, 2, `Front Door profile does not have security logging enabled. Missing Logs ${missingLogs}`, location, profile.id);
+ } else {
+ helpers.addResult(results, 0, 'Front Door profile has security logging enabled', location, profile.id);
+ }
+
+ }
+
 }
 });
diff --git a/plugins/azure/frontdoor/wafLogsEnabled.spec.js b/plugins/azure/frontdoor/afdSecurityLoggingEnabled.spec.js
similarity index 81%
rename from plugins/azure/frontdoor/wafLogsEnabled.spec.js
rename to plugins/azure/frontdoor/afdSecurityLoggingEnabled.spec.js
index 8bec80ddfc..d518b14fdc 100644
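Review bot: The rewritten block inspects only `diagnosticSettings.data[0]`, whereas the removed `forEach` walked every diagnostic setting on the profile; a profile whose access log and WAF log are routed through two separate diagnostic settings now reports FAIL with a spurious missing category, and the verdict depends on the order the API happens to return the settings in. Flatten all settings before checking, e.g. `var logs = diagnosticSettings.data.flatMap(setting => setting.logs || []);`. The `${missingLogs}` interpolation also stringifies the array with a bare comma, so two missing categories print as `FrontDoorAccessLog,FrontDoorWebApplicationFirewallLog`; `${missingLogs.join(', ')}` reads better and still satisfies the spec's `include` assertion. The same `data[0]` pattern is carried over by the later rewrites of this file and of agSecurityLoggingEnabled.js in patches 254 and 255 of this series.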
--- a/plugins/azure/frontdoor/wafLogsEnabled.spec.js
+++ b/plugins/azure/frontdoor/afdSecurityLoggingEnabled.spec.js
@@ -1,5 +1,5 @@
 var expect = require('chai').expect;
-var wafLogsEnabled = require('./wafLogsEnabled.js');
+var afdSecurityLoggingEnabled = require('./afdSecurityLoggingEnabled.js');
 const profiles = [
 {
@@ -43,14 +43,14 @@ const diagnosticSettings = [
 location: 'global',
 logs: [
 {
- "category": "FrontDoorAccessLog",
- "categoryGroup": null,
- "enabled": true,
- "retentionPolicy": {
- "enabled": false,
- "days": 0
- }
- },
+ "category": "FrontDoorWebApplicationFirewallLog",
+ "categoryGroup": null,
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": false,
+ "days": 0
+ }
+ },
 ],
 "logAnalyticsDestinationType": null
 },
@@ -69,6 +69,15 @@ const diagnosticSettings = [
 "days": 0
 }
 },
+ {
+ "category": "FrontDoorAccessLog",
+ "categoryGroup": null,
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": false,
+ "days": 0
+ }
+ },
 ],
 "logAnalyticsDestinationType": null
 },
@@ -156,12 +165,12 @@ const createErrorCache = (key) => {
 }
 };
-describe('wafLogsEnabled', function () {
+describe('afdSecurityLoggingEnabled', function () {
 describe('run', function () {
 it('should give pass result if No existing Azure Front Door profiles found', function (done) {
 const cache = createErrorCache('noprofile');
- wafLogsEnabled.run(cache, {}, (err, results) => {
+ afdSecurityLoggingEnabled.run(cache, {}, (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(0);
 expect(results[0].message).to.include('No existing Azure Front Door profiles found');
@@ -172,7 +181,7 @@ describe('wafLogsEnabled', function () {
 it('should give unknown result if Unable to query Front Door profiles:', function (done) {
 const cache = createErrorCache('profile');
- wafLogsEnabled.run(cache, {}, (err, results) => {
+ afdSecurityLoggingEnabled.run(cache, {}, (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(3);
 expect(results[0].message).to.include('Unable to query Front Door profiles:');
@@ -183,7 +192,7 @@ describe('wafLogsEnabled', function () {
 it('should give unknown result if Unable to query diagnostics settings', function (done) {
 const cache = createErrorCache('policy');
- wafLogsEnabled.run(cache, {}, (err, results) => {
+ afdSecurityLoggingEnabled.run(cache, {}, (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(3);
 expect(results[0].message).to.include('Unable to query Front Door diagnostics settings');
@@ -192,23 +201,23 @@ describe('wafLogsEnabled', function () {
 });
 });
- it('should give passing result if Front Door profile WAF logs are enabled for Azure Front Door', function (done) {
+ it('should give passing result if front Door profile has security logging enabled', function (done) {
 const cache = createCache([profiles[0]], [diagnosticSettings[1]]);
- wafLogsEnabled.run(cache, {}, (err, results) => {
+ afdSecurityLoggingEnabled.run(cache, {}, (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(0);
- expect(results[0].message).to.include('Front Door profile WAF logs are enabled');
+ expect(results[0].message).to.include('Front Door profile has security logging enabled');
 expect(results[0].region).to.equal('global');
 done();
 });
 });
- it('should give failing result if Front Door profile WAF logs are not enabled for Azure Front Door', function (done) {
+ it('should give failing result if Front Door profile does not have security logging enabled', function (done) {
 const cache = createCache([profiles[1]], [diagnosticSettings[0]]);
- wafLogsEnabled.run(cache, {}, (err, results) => {
+ afdSecurityLoggingEnabled.run(cache, {}, (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(2);
- expect(results[0].message).to.include('Front Door profile WAF logs are not enabled');
+ expect(results[0].message).to.include('Front Door profile does not have security logging enabled. Missing Logs FrontDoorAccessLog');
 expect(results[0].region).to.equal('global');
 done();
 });
From 466fe1c5af62cb99e4cc751debe61ce2c1129df9 Mon Sep 17 00:00:00 2001
From: fatima99s
Date: Tue, 5 Dec 2023 16:15:12 +0500
Subject: [PATCH 250/498] fixed
---
 plugins/aws/bedrock/customModelEncryptionEnabled.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/plugins/aws/bedrock/customModelEncryptionEnabled.js b/plugins/aws/bedrock/customModelEncryptionEnabled.js
index e0ffe166f8..2a6870e748 100644
--- a/plugins/aws/bedrock/customModelEncryptionEnabled.js
+++ b/plugins/aws/bedrock/customModelEncryptionEnabled.js
@@ -28,7 +28,6 @@ module.exports = {
 };
 var desiredEncryptionLevel = helpers.ENCRYPTION_LEVELS.indexOf(config.desiredEncryptionLevelString);
- var currentEncryptionLevel;
 async.each(regions.bedrock, function(region, rcb){
 var listCustomModels = helpers.addSource(cache, source,
@@ -56,7 +55,7 @@ module.exports = {
 }
 for (let model of listCustomModels.data) {
- if (!model.modelArn|| !model.modelName) continue;
+ if (!model.modelArn) continue;
 let resource = model.modelArn;
@@ -69,6 +68,8 @@ module.exports = {
 continue;
 }
+ let currentEncryptionLevel = 2;
+
 if (getCustomModel.data.modelKmsKeyArn) {
 var kmsKeyId = getCustomModel.data.modelKmsKeyArn.split('/')[1] ? getCustomModel.data.modelKmsKeyArn.split('/')[1] : getCustomModel.data.modelKmsKeyArn;
@@ -82,9 +83,8 @@ module.exports = {
 }
 currentEncryptionLevel = helpers.getEncryptionLevel(describeKey.data.KeyMetadata, helpers.ENCRYPTION_LEVELS);
- } else currentEncryptionLevel = 2;
+ }
 var currentEncryptionLevelString = helpers.ENCRYPTION_LEVELS[currentEncryptionLevel];
-
 if (currentEncryptionLevel >= desiredEncryptionLevel) {
 helpers.addResult(results, 0, `Bedrock Custom model is encrypted with ${currentEncryptionLevelString}
From dddcabc78048dad4dfb433c364f4b9b9e4f37042 Mon Sep 17 00:00:00 2001
From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com>
Date: Tue, 5 Dec 2023 16:16:41 +0500
Subject: [PATCH 251/498] Update dbEnableSecureEnclaves.js
---
 plugins/azure/sqldatabases/dbEnableSecureEnclaves.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js b/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js
index 0b9c848ef4..dce7e242fd 100644
--- a/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js
+++ b/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js
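Review bot: `let currentEncryptionLevel = 2;` in the `@@ -69,6 +68,8` hunk introduces a bare index into `helpers.ENCRYPTION_LEVELS` as the level assumed when `modelKmsKeyArn` is absent (presumably the service-managed default); the meaning is invisible at the call site and becomes silently wrong if that array is ever reordered. Derive it from the level's name instead, `let currentEncryptionLevel = helpers.ENCRYPTION_LEVELS.indexOf('<default level name>');`, or at least annotate the literal with `// no customer-managed KMS key on the model: fall back to the default encryption level`. Moving the declaration inside the loop does fix the per-model reset that the old function-scoped `var` lacked, so that part of the change is right. The `for (let model of ...)` body starts and ends outside these hunks.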
@@ -6,7 +6,7 @@ module.exports = {
 category: 'SQL Databases',
 domain: 'Databases',
 description: 'Ensure Always Encrypted with secure enclaves is enabled at the database level.',
- more_info: 'Always Encrypted with secure enclaves allows encrypted data to be processed inside a secure enclave for improved security.',
+ more_info: 'Always Encrypted with secure enclaves allows encrypted data to be processed inside a secure enclave for improved security. These properties make the secure enclave a trusted execution environment that can safely access cryptographic keys and sensitive data in plaintext, without compromising data confidentiality.',
 recommended_action: 'Enable Always Encrypted with secure enclaves for the SQL database.',
 link: 'https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-enclaves?view=sql-server-ver16',
 apis: ['servers:listSql', 'databases:listByServer'],
From bb29571951e4e61c175b5dddd3e7761563d56d5a Mon Sep 17 00:00:00 2001
From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com>
Date: Tue, 5 Dec 2023 16:17:58 +0500
Subject: [PATCH 252/498] Update dbEnableSecureEnclaves.js
---
 plugins/azure/sqldatabases/dbEnableSecureEnclaves.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js b/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js
index dce7e242fd..a5aad9641f 100644
--- a/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js
+++ b/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js
@@ -6,7 +6,7 @@ module.exports = {
 category: 'SQL Databases',
 domain: 'Databases',
 description: 'Ensure Always Encrypted with secure enclaves is enabled at the database level.',
- more_info: 'Always Encrypted with secure enclaves allows encrypted data to be processed inside a secure enclave for improved security. These properties make the secure enclave a trusted execution environment that can safely access cryptographic keys and sensitive data in plaintext, without compromising data confidentiality.',
+ more_info: 'Always Encrypted protects the data by encrypting it on the client side and never allowing the data or the corresponding cryptographic keys to appear in plaintext inside the Database Engine. As a result, the functionality on encrypted columns inside the database is severely restricted.',
 recommended_action: 'Enable Always Encrypted with secure enclaves for the SQL database.',
 link: 'https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-enclaves?view=sql-server-ver16',
 apis: ['servers:listSql', 'databases:listByServer'],
From 41f3d1b3253e393a7ad4bb980e844675183de7b9 Mon Sep 17 00:00:00 2001
From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com>
Date: Tue, 5 Dec 2023 16:19:35 +0500
Subject: [PATCH 253/498] Update dbTDEEnabled.js
---
 plugins/azure/sqldatabases/dbTDEEnabled.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/sqldatabases/dbTDEEnabled.js b/plugins/azure/sqldatabases/dbTDEEnabled.js
index 2551ee99b9..7ed1b10b80 100644
--- a/plugins/azure/sqldatabases/dbTDEEnabled.js
+++ b/plugins/azure/sqldatabases/dbTDEEnabled.js
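Review bot: The replacement `more_info` text no longer mentions secure enclaves at all; it describes plain Always Encrypted and stops at the restriction on encrypted columns, so it no longer explains the control this plugin checks, whereas the sentence it replaces from the previous patch did describe the enclave as a trusted execution environment. Keep one sentence that ties the text back to the setting being verified, e.g. `Always Encrypted with secure enclaves lifts this restriction by processing the encrypted data inside a trusted execution environment within the Database Engine.`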
@@ -6,7 +6,7 @@ module.exports = {
 category: 'SQL Databases',
 domain: 'Databases',
 description: 'Ensure Transparent Data Encryption (TDE) is enabled on SQL databases.',
- more_info: 'Transparent data encryption (TDE) helps protect Azure SQL Database against the threat of malicious offline activity by encrypting data at rest.',
+ more_info: 'Transparent data encryption (TDE) helps protect Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics against the threat of malicious offline activity by encrypting data at rest. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.',
 recommended_action: 'Enable Transparent Data Encryption (TDE) for SQL databases.',
 link: 'https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15',
 apis: ['servers:listSql','databases:listByServer','transparentDataEncryption:list'],
From 5251cdcadf8d3f9f0641e59094373395117e1e91 Mon Sep 17 00:00:00 2001
From: alphadev4
Date: Tue, 5 Dec 2023 16:20:19 +0500
Subject: [PATCH 254/498] Optimized
---
 .../agSecurityLoggingEnabled.js | 34 +++++++++----------
 .../agSecurityLoggingEnabled.spec.js | 2 +-
 2 files changed, 17 insertions(+), 19 deletions(-)
diff --git a/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js b/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js
index 845bd1f5d8..4d98a5b629 100644
--- a/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js
+++ b/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js
@@ -11,7 +11,7 @@ module.exports = {
 link: 'https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics',
 apis: ['applicationGateway:listAll', 'diagnosticSettings:listByApplicationGateways'],
- run: function(cache, settings, callback) {
+ run: function (cache, settings, callback) {
 const results = [];
 const source = {};
 const locations = helpers.locations(settings.govcloud);
@@ -32,7 +32,7 @@ module.exports = {
 return rcb();
 }
- applicationGateways.data.forEach(function(appGateway) {
+ applicationGateways.data.forEach(function (appGateway) {
 if (!appGateway.id) return;
 const diagnosticSettings = helpers.addSource(cache, source, ['diagnosticSettings', 'listByApplicationGateways', location, appGateway.id]);
@@ -42,28 +42,26 @@ module.exports = { } else { var logs = diagnosticSettings.data[0] && diagnosticSettings.data[0].logs ? diagnosticSettings.data[0].logs : []; + const allLogsEnabled = logs.some(log => log.categoryGroup === 'allLogs' && log.enabled); - if (allLogsEnabled) { - helpers.addResult(results, 0, 'Application Gateway has security logging enabled', location, appGateway.id); + const requiredLogs = ['ApplicationGatewayAccessLog', 'ApplicationGatewayFirewallLog']; + const missingLogs = requiredLogs.filter(requiredCategory => + !logs.find(log => (log.category === requiredCategory && log.enabled)) + ); + + if (!allLogsEnabled && missingLogs.length) { + helpers.addResult(results, 2, `Application Gateway does not have security logging enabled. Missing Logs ${missingLogs}`, location, appGateway.id); } else { - const requiredLogs = ['ApplicationGatewayAccessLog', 'ApplicationGatewayFirewallLog']; - const missingLogs = requiredLogs.filter(requiredCategory => - !logs.find(log => (log.category === requiredCategory && log.enabled)) - ); - - if (missingLogs.length) { - helpers.addResult(results, 2, `Application Gateway does not have security logging enabled. Missing Logs ${missingLogs}`, location, appGateway.id); - } else { - helpers.addResult(results, 0, 'Application Gateway has security logging enabled', location, appGateway.id); - } - - } - + helpers.addResult(results, 0, 'Application Gateway has security logging enabled', location, appGateway.id); + } + + + } }); rcb(); - }, function() { + }, function () { callback(null, results, source); }); } diff --git a/plugins/azure/applicationGateway/agSecurityLoggingEnabled.spec.js b/plugins/azure/applicationGateway/agSecurityLoggingEnabled.spec.js index 1c891e48a2..d800764fdb 100644 --- a/plugins/azure/applicationGateway/agSecurityLoggingEnabled.spec.js +++ b/plugins/azure/applicationGateway/agSecurityLoggingEnabled.spec.js 
@@ -197,7 +197,7 @@ describe('agSecurityLoggingEnabled', function() {
 agSecurityLoggingEnabled.run(cache, {}, (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(2);
- expect(results[0].message).to.include('Application Gateway does not have security logging enabled due to ApplicationGatewayFirewallLog');
+ expect(results[0].message).to.include('Application Gateway does not have security logging enabled. Missing Logs ApplicationGatewayFirewallLog');
 expect(results[0].region).to.equal('eastus');
 done();
 });
From 30093780c1e5031242d9317218abe25cfbba6ea2 Mon Sep 17 00:00:00 2001
From: alphadev4
Date: Tue, 5 Dec 2023 16:22:20 +0500
Subject: [PATCH 255/498] optimized
---
 .../frontdoor/afdSecurityLoggingEnabled.js | 36 ++++++++-----------
 1 file changed, 15 insertions(+), 21 deletions(-)
diff --git a/plugins/azure/frontdoor/afdSecurityLoggingEnabled.js b/plugins/azure/frontdoor/afdSecurityLoggingEnabled.js
index ae3e60ba5e..28178aa080 100644
--- a/plugins/azure/frontdoor/afdSecurityLoggingEnabled.js
+++ b/plugins/azure/frontdoor/afdSecurityLoggingEnabled.js
@@ -11,7 +11,7 @@ module.exports = {
 link: 'https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-monitor?pivots=front-door-standard-premium',
 apis: ['profiles:list', 'diagnosticSettings:listByAzureFrontDoor'],
- run: function(cache, settings, callback) {
+ run: function (cache, settings, callback) {
 const results = [];
 const source = {};
 const locations = helpers.locations(settings.govcloud);
@@ -33,9 +33,9 @@ module.exports = {
 }
 var frontDoorProfile = false;
- profiles.data.forEach(function(profile) {
- if (!profile.id || profile.kind!='frontdoor') return;
-
+ profiles.data.forEach(function (profile) {
+ if (!profile.id || profile.kind != 'frontdoor') return;
+
 frontDoorProfile = true;
 const diagnosticSettings = helpers.addSource(cache, source, ['diagnosticSettings', 'listByAzureFrontDoor', location, profile.id]);
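Review bot: The touched line `if (!profile.id || profile.kind != 'frontdoor') return;` in the `@@ -33,9 +33,9` hunk keeps loose inequality while the rest of this function's comparisons (`log.categoryGroup === 'allLogs'`, `log.category === requiredCategory`) are strict; the hunk only adjusted its spacing. Use `if (!profile.id || profile.kind !== 'frontdoor') return;`. The `forEach` callback body continues past the hunk.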
@@ -44,24 +44,18 @@ module.exports = { helpers.addResult(results, 3, 'Unable to query Front Door diagnostics settings: ' + helpers.addError(diagnosticSettings), location, profile.id); } else { var logs = diagnosticSettings.data[0] && diagnosticSettings.data[0].logs ? diagnosticSettings.data[0].logs : []; - + const allLogsEnabled = logs.some(log => log.categoryGroup === 'allLogs' && log.enabled); - if (allLogsEnabled) { - helpers.addResult(results, 0, 'Front Door profile has security logging enabled', location, profile.id); + const requiredLogs = ['FrontDoorAccessLog', 'FrontDoorWebApplicationFirewallLog']; + const missingLogs = requiredLogs.filter(requiredCategory => + !logs.find(log => (log.category === requiredCategory && log.enabled)) + ); + + if (!allLogsEnabled && missingLogs.length) { + helpers.addResult(results, 2, `Front Door profile does not have security logging enabled. Missing Logs ${missingLogs}`, location, profile.id); } else { - const requiredLogs = ['FrontDoorAccessLog', 'FrontDoorWebApplicationFirewallLog']; - const missingLogs = requiredLogs.filter(requiredCategory => - !logs.find(log => (log.category === requiredCategory && log.enabled)) - ); - - if (missingLogs.length) { - helpers.addResult(results, 2, `Front Door profile does not have security logging enabled. Missing Logs ${missingLogs}`, location, profile.id); - } else { - helpers.addResult(results, 0, 'Front Door profile has security logging enabled', location, profile.id); - } - - } - + helpers.addResult(results, 0, 'Front Door profile has security logging enabled', location, profile.id); + } } }); @@ -69,7 +63,7 @@ module.exports = { helpers.addResult(results, 0, 'No existing Azure Front Door profiles found', location); } rcb(); - }, function() { + }, function () { callback(null, results, source); }); } From 4e9a7a5b4d6622a0eca887316d1b254a4d9bf3d8 Mon Sep 17 00:00:00 2001 
From: alphadev4
Date: Tue, 5 Dec 2023 16:24:38 +0500
Subject: [PATCH 256/498] linting
---
 plugins/azure/frontdoor/afdSecurityLoggingEnabled.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/plugins/azure/frontdoor/afdSecurityLoggingEnabled.js b/plugins/azure/frontdoor/afdSecurityLoggingEnabled.js
index 28178aa080..5ecb911993 100644
--- a/plugins/azure/frontdoor/afdSecurityLoggingEnabled.js
+++ b/plugins/azure/frontdoor/afdSecurityLoggingEnabled.js
@@ -11,7 +11,7 @@ module.exports = {
 link: 'https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-monitor?pivots=front-door-standard-premium',
 apis: ['profiles:list', 'diagnosticSettings:listByAzureFrontDoor'],
- run: function (cache, settings, callback) {
+ run: function(cache, settings, callback) {
 const results = [];
 const source = {};
 const locations = helpers.locations(settings.govcloud);
@@ -33,7 +33,7 @@ module.exports = {
 }
 var frontDoorProfile = false;
- profiles.data.forEach(function (profile) {
+ profiles.data.forEach(function(profile) {
 if (!profile.id || profile.kind != 'frontdoor') return;
 frontDoorProfile = true;
@@ -63,7 +63,7 @@ module.exports = {
 helpers.addResult(results, 0, 'No existing Azure Front Door profiles found', location);
 }
 rcb();
- }, function () {
+ }, function() {
 callback(null, results, source);
 });
 }
From 66c2bdc8df5192add851bc88b9662d3ef972c3d9 Mon Sep 17 00:00:00 2001
From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com>
Date: Tue, 5 Dec 2023 16:26:46 +0500
Subject: [PATCH 257/498] Update dbSyncGroupPrivateLink.js
---
 plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js
index 7ae4dced83..2eba2fc87d 100644
--- a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js
+++ b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js
@@ -6,7 +6,7 @@ module.exports = { category: 'SQL Databases', domain: 'Databases', description: 'Ensures SQL Database sync groups use private link when SQL DB sync with others databases.', - more_info: 'Using private link for SQL Database sync groups adds an extra layer of security by requiring manual approval for private endpoint connections.', + more_info: 'Private Link is the way to create Sync groups using secure connection with databases sitting behind a firewall. SQL Data Sync Private Link is Microsoft-managed endpoint and internally creates a subnet within the existing virtual network, so there is no need to create another virtual network or subnet.', recommended_action: 'Configure SQL Database sync groups to use private link and mandate manual approval for private endpoint connections.', link: 'https://learn.microsoft.com/en-us/azure/private-link/private-link-overview', apis: ['servers:listSql','databases:listByServer','syncGroups:list'], From 59f16710dad1b432b608a99f537f7c535594f3f5 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Tue, 5 Dec 2023 16:34:15 +0500 Subject: [PATCH 258/498] Update dbDataMaskingEnabled.js --- plugins/azure/sqldatabases/dbDataMaskingEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbDataMaskingEnabled.js b/plugins/azure/sqldatabases/dbDataMaskingEnabled.js index 9b54650a4f..217cd28030 100644 --- a/plugins/azure/sqldatabases/dbDataMaskingEnabled.js +++ b/plugins/azure/sqldatabases/dbDataMaskingEnabled.js 
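Review bot: The rewritten `more_info` no longer says anything about connection approval, yet `recommended_action` on the next line still tells users to "mandate manual approval for private endpoint connections"; the two fields now describe different controls. Either keep one sentence in `more_info` explaining why approving private endpoint connections matters, or trim `recommended_action` to "Configure SQL Database sync groups to use private link." so the text and the remediation agree.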
@@ -6,7 +6,7 @@ module.exports = { category: 'SQL Databases', domain: 'Databases', description: 'Ensures dynamic data masking is enabled for all SQL databases.', - more_info: 'Dynamic data masking helps prevent unauthorized access to sensitive data by hiding it in query results.', + more_info: 'Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to specify how much sensitive data to reveal with minimal effect on the application layer. DDM can be configured on designated database fields to hide sensitive data in the result sets of queries.', recommended_action: 'Enable dynamic data masking for SQL databases.', link: 'https://docs.microsoft.com/en-us/azure/sql-database/sql-database-dynamic-data-masking-get-started-portal', apis: ['servers:listSql', 'databases:listByServer', 'dataMaskingPolicies:get'], From ed04b135044835d229b7a0b5039687eb99da190a Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Tue, 5 Dec 2023 16:34:18 +0500 Subject: [PATCH 259/498] linting fixed --- plugins/azure/applicationGateway/agSecurityLoggingEnabled.js | 4 ---- 1 file changed, 4 deletions(-) diff --git a/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js b/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js index 4d98a5b629..7f5f56f189 100644 --- a/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js +++ b/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js @@ -40,7 +40,6 @@ module.exports = { if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) { helpers.addResult(results, 3, 'Unable to query Application Gateway diagnostics settings: ' + helpers.addError(diagnosticSettings), location, appGateway.id); } else { - var logs = diagnosticSettings.data[0] && diagnosticSettings.data[0].logs ? diagnosticSettings.data[0].logs : []; const allLogsEnabled = logs.some(log => log.categoryGroup === 'allLogs' && log.enabled); 
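Review bot: From the collapsed hunk `@@ -40,7 +40,6 @@` it is not certain whether the single deleted line is the blank line before `var logs = ...` or the declaration itself; if the declaration was removed, `logs.some(log => log.categoryGroup === 'allLogs' && log.enabled)` on the following line references an undeclared variable and the plugin throws for every gateway that has diagnostic settings. Please confirm that `var logs = diagnosticSettings.data[0] && diagnosticSettings.data[0].logs ? diagnosticSettings.data[0].logs : [];` is still present on the new side. The enclosing callback starts and ends outside the hunk.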
@@ -54,9 +53,6 @@ module.exports = { } else { helpers.addResult(results, 0, 'Application Gateway has security logging enabled', location, appGateway.id); } - - - } }); From 0a1c4484c6a745095cb6c8385435b023a552e566 Mon Sep 17 00:00:00 2001 From: Fatima <66124862+fatima99s@users.noreply.github.com> Date: Tue, 5 Dec 2023 16:41:25 +0500 Subject: [PATCH 260/498] Update openAllPortsProtocols.js --- plugins/aws/ec2/openAllPortsProtocols.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/aws/ec2/openAllPortsProtocols.js b/plugins/aws/ec2/openAllPortsProtocols.js index 420f23853c..584f3996a9 100644 --- a/plugins/aws/ec2/openAllPortsProtocols.js +++ b/plugins/aws/ec2/openAllPortsProtocols.js @@ -21,7 +21,7 @@ module.exports = { name: 'Check Associated ENI', description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed', regex: '^(true|false)$', - default: 'flase', + default: 'false', } }, compliance: { From 9543b548faf98670dd85975b120359e884caf902 Mon Sep 17 00:00:00 2001 From: Fatima <66124862+fatima99s@users.noreply.github.com> Date: Tue, 5 Dec 2023 16:41:45 +0500 Subject: [PATCH 261/498] Update openAllPortsProtocolsEgress.js --- plugins/aws/ec2/openAllPortsProtocolsEgress.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/aws/ec2/openAllPortsProtocolsEgress.js b/plugins/aws/ec2/openAllPortsProtocolsEgress.js index 7b1bf389e0..c02270ec94 100644 --- a/plugins/aws/ec2/openAllPortsProtocolsEgress.js +++ b/plugins/aws/ec2/openAllPortsProtocolsEgress.js @@ -21,7 +21,7 @@ module.exports = { name: 'Check Associated ENI', description: 'When set to true, checks elastic network interfaces associated to the security group and returns FAIL if both the security group and ENI are publicly exposed', regex: '^(true|false)$', - default: 'flase', + default: 'false', } }, run: function(cache, settings, callback) { 
From 58559e1d345e5a3b4d966c867fc87546ea6c67ba Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Tue, 5 Dec 2023 16:42:33 +0500 Subject: [PATCH 262/498] linting : --- .../azure/applicationGateway/agSecurityLoggingEnabled.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js b/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js index 7f5f56f189..2d951c5621 100644 --- a/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js +++ b/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js @@ -11,7 +11,7 @@ module.exports = { link: 'https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics', apis: ['applicationGateway:listAll', 'diagnosticSettings:listByApplicationGateways'], - run: function (cache, settings, callback) { + run: function(cache, settings, callback) { const results = []; const source = {}; const locations = helpers.locations(settings.govcloud); @@ -32,7 +32,7 @@ module.exports = { return rcb(); } - applicationGateways.data.forEach(function (appGateway) { + applicationGateways.data.forEach(function(appGateway) { if (!appGateway.id) return; const diagnosticSettings = helpers.addSource(cache, source, ['diagnosticSettings', 'listByApplicationGateways', location, appGateway.id]); @@ -57,7 +57,7 @@ module.exports = { }); rcb(); - }, function () { + }, function() { callback(null, results, source); }); } From 61e87dffc73b92fdabe4f1b0db41981645e16d1d Mon Sep 17 00:00:00 2001 From: fatima99s Date: Tue, 5 Dec 2023 16:52:53 +0500 Subject: [PATCH 263/498] change the catagory for azure plugin --- exports.js | 2 +- .../applicationGatewayHasTags.js | 4 ++-- .../applicationGatewayHasTags.spec.js | 0 3 files changed, 3 insertions(+), 3 deletions(-) rename plugins/azure/{loadbalancer => applicationGateway}/applicationGatewayHasTags.js (96%) rename plugins/azure/{loadbalancer => applicationGateway}/applicationGatewayHasTags.spec.js (100%) 
diff --git a/exports.js b/exports.js index 53c1523d03..b209b104ef 100644 --- a/exports.js +++ b/exports.js @@ -940,7 +940,6 @@ module.exports = { 'lbHttpsOnly' : require(__dirname + '/plugins/azure/loadbalancer/lbHttpsOnly.js'), 'lbNoInstances' : require(__dirname + '/plugins/azure/loadbalancer/lbNoInstances.js'), 'lbHasTags' : require(__dirname + '/plugins/azure/loadbalancer/lbHasTags.js'), - 'applicationGatewayHasTags' : require(__dirname + '/plugins/azure/loadbalancer/applicationGatewayHasTags.js'), 'lbLogAnalyticsEnabled' : require(__dirname + '/plugins/azure/loadbalancer/lbLogAnalyticsEnabled.js'), 'kvRecoveryEnabled' : require(__dirname + '/plugins/azure/keyvaults/kvRecoveryEnabled.js'), @@ -976,6 +975,7 @@ module.exports = { 'agWafEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agWafEnabled'), 'agPreventionModeEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agPreventionModeEnabled.js'), + 'applicationGatewayHasTags' : require(__dirname + '/plugins/azure/applicationGateway/applicationGatewayHasTags.js'), 'subscriptionHasTags' : require(__dirname + '/plugins/azure/subscription/subscriptionHasTags.js'), 'rgHasTags' : require(__dirname + '/plugins/azure/resourceGroup/rgHasTags.js'), diff --git a/plugins/azure/loadbalancer/applicationGatewayHasTags.js b/plugins/azure/applicationGateway/applicationGatewayHasTags.js similarity index 96% rename from plugins/azure/loadbalancer/applicationGatewayHasTags.js rename to plugins/azure/applicationGateway/applicationGatewayHasTags.js index f5c4cd2d08..1007dd3012 100644 --- a/plugins/azure/loadbalancer/applicationGatewayHasTags.js +++ b/plugins/azure/applicationGateway/applicationGatewayHasTags.js 
@@ -3,8 +3,8 @@ const helpers = require('../../../helpers/azure'); module.exports = { title: 'Application Gateway Has Tags', - category: 'Load Balancer', - domain: 'Availability', + category: 'Application Gateway', + domain: 'Network Access Control', description: 'Ensures that Microsoft Azure Application Gateway has tags associated.', more_info: 'Tags help you to group resources together that are related to or associated with each other. It is a best practice to tag cloud resources to better organize and gain visibility into their usage.', recommended_action: 'Modify application gateways and add tags.', diff --git a/plugins/azure/loadbalancer/applicationGatewayHasTags.spec.js b/plugins/azure/applicationGateway/applicationGatewayHasTags.spec.js similarity index 100% rename from plugins/azure/loadbalancer/applicationGatewayHasTags.spec.js rename to plugins/azure/applicationGateway/applicationGatewayHasTags.spec.js From b37d9f798505be18ed0355dcbac514f09c3de5c3 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Tue, 5 Dec 2023 17:20:59 +0500 Subject: [PATCH 264/498] Update restrictOutboundNetworking.js --- plugins/azure/sqlserver/restrictOutboundNetworking.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqlserver/restrictOutboundNetworking.js b/plugins/azure/sqlserver/restrictOutboundNetworking.js index 92107eb3b5..f94dbc4f47 100644 --- a/plugins/azure/sqlserver/restrictOutboundNetworking.js +++ b/plugins/azure/sqlserver/restrictOutboundNetworking.js 
@@ -6,7 +6,7 @@ module.exports = { category: 'SQL Server', domain: 'Databases', description: 'Ensure outbound networking restrictions are configured for the Azure SQL logical server.', - more_info: 'Outbound firewall rules limit network traffic from the Azure SQL logical server to a customer-defined list of Azure Storage accounts and Azure SQL logical servers.', + more_info: 'Outbound firewall rules limit network traffic from the Azure SQL logical server to a customer-defined list of Azure Storage accounts and Azure SQL logical servers. Any attempt to access storage accounts or databases not in this list is denied.', recommended_action: 'Configure outbound networking restrictions to allow access only to specified Azure Storage accounts and Azure SQL logical servers.', link: 'https://learn.microsoft.com/en-us/azure/azure-sql/database/outbound-firewall-rule-overview?view=azuresql', apis: ['servers:listSql'], From b139e7b69004154811b3e2050e7745ef1b2d134a Mon Sep 17 00:00:00 2001 From: mehakseedat63 Date: Wed, 29 Nov 2023 12:02:55 +0500 Subject: [PATCH 265/498] Azure - PostgreSQL Flexible Server Diagnostic Logging Enabled Plugin --- exports.js | 1 + helpers/azure/api.js | 5 + .../flexibleServerDiagnosticLogs.js | 64 +++++++++ .../flexibleServerDiagnosticLogs.spec.js | 125 ++++++++++++++++++ 4 files changed, 195 insertions(+) create mode 100644 plugins/azure/postgresqlserver/flexibleServerDiagnosticLogs.js create mode 100644 plugins/azure/postgresqlserver/flexibleServerDiagnosticLogs.spec.js diff --git a/exports.js b/exports.js index ea4e832859..26cff61c03 100644 --- a/exports.js +++ b/exports.js 
@@ -817,6 +817,7 @@ module.exports = { 'postgresqlInfraDoubleEncryption': require(__dirname + '/plugins/azure/postgresqlserver/postgresqlInfraDoubleEncryption.js'), 'azureServicesAccessDisabled' : require(__dirname + '/plugins/azure/postgresqlserver/azureServicesAccessDisabled.js'), 'flexibleServerSCRAMEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/flexibleServerSCRAMEnabled.js'), + 'flexibleServerDiagnosticLogs' : require(__dirname + '/plugins/azure/postgresqlserver/flexibleServerDiagnosticLogs.js'), 'openOracleAutoDataWarehouse' : require(__dirname + '/plugins/azure/networksecuritygroups/openOracleAutoDataWarehouse.js'), 'networkWatcherEnabled' : require(__dirname + '/plugins/azure/networksecuritygroups/networkWatcherEnabled.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index d1e667931c..42c935b70a 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -965,6 +965,11 @@ var tertiarycalls = { reliesOnPath: 'registries.list', properties: ['id'], url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview' + }, + listByPostgresFlexibleServers: { + reliesOnPath: 'servers.listPostgresFlexibleServer', + properties: ['id'], + url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview' } }, diff --git a/plugins/azure/postgresqlserver/flexibleServerDiagnosticLogs.js b/plugins/azure/postgresqlserver/flexibleServerDiagnosticLogs.js new file mode 100644 index 0000000000..c29587ffd7 --- /dev/null +++ b/plugins/azure/postgresqlserver/flexibleServerDiagnosticLogs.js 
@@ -0,0 +1,64 @@ +const async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'PostgreSQL Flexible Server Diagnostic Logging', + category: 'PostgreSQL Server', + domain: 'Databases', + description: 'Ensures diagnostic logging is enabled for PostgreSQL flexible servers.', + more_info: 'Enabling diagnostic logging for Azure Database for PostgreSQL flexible servers helps with performance monitoring, troubleshooting, and security optimization.', + recommended_action: 'Enable diagnostic logging for all PostgreSQL servers.', + link: 'https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-logging', + apis: ['servers:listPostgresFlexibleServer', 'diagnosticSettings:listByPostgresFlexibleServers'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.servers, (location, rcb) => { + + const servers = helpers.addSource(cache, source, + ['servers', 'listPostgresFlexibleServer', location]); + + if (!servers) return rcb(); + + if (servers.err || !servers.data) { + helpers.addResult(results, 3, + 'Unable to query for PostgreSQL Flexible Servers: ' + helpers.addError(servers), location); + return rcb(); + } + + if (!servers.data.length) { + helpers.addResult(results, 0, 'No existing PostgreSQL Flexible Servers found', location); + return rcb(); + } + + for (let server of servers.data) { + if (!server.id) continue; + + var diagnosticSettings = helpers.addSource(cache, source, + ['diagnosticSettings', 'listByPostgresFlexibleServers', location, server.id]); + + if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) { + helpers.addResult(results, 3, `Unable to query for PostgreSQL Flexible Server diagnostic settings: ${helpers.addError(diagnosticSettings)}`, + location, server.id); + continue; + } + + var found = diagnosticSettings.data.find(ds => ds.logs && 
ds.logs.length); + + if (found) { + helpers.addResult(results, 0, 'PostgreSQL Flexible Server has diagnostic logs enabled', location, server.id); + } else { + helpers.addResult(results, 2, 'PostgreSQL Flexible Server does not have diagnostic logs enabled', location, server.id); + } + } + + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; + diff --git a/plugins/azure/postgresqlserver/flexibleServerDiagnosticLogs.spec.js b/plugins/azure/postgresqlserver/flexibleServerDiagnosticLogs.spec.js new file mode 100644 index 0000000000..d81b96e873 --- /dev/null +++ b/plugins/azure/postgresqlserver/flexibleServerDiagnosticLogs.spec.js 
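Review bot: `diagnosticSettings.data.find(ds => ds.logs && ds.logs.length)` passes as soon as a setting lists any log category, including entries with `enabled: false` (the spec fixture itself carries a disabled `audit` entry), so a server whose only setting has every category switched off is reported as having diagnostic logs enabled. Check the flag instead: `var found = diagnosticSettings.data.find(ds => ds.logs && ds.logs.some(log => log.enabled));`. The `afdSecurityLoggingEnabled` plugin earlier in this series already keys on `log.enabled`, so this would also make the two checks consistent. A one-line comment above the `find`, such as `// PASS if any diagnostic setting has at least one enabled log category`, would make the intended contract explicit.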
@@ -0,0 +1,125 @@ +var expect = require('chai').expect; +var flexibleServerDiagnosticLogs = require('./flexibleServerDiagnosticLogs'); + +const servers = [ + { + "id": "/subscriptions/jk34n234k-dwef/resourceGroups/test-rg/providers/Microsoft.DBforPostgreSQL/servers/test-server", + }, +]; + + +const diagnosticSettings = [ + { + id: '/subscriptions/234/myrg/providers/Microsoft.DBforPostgreSQL/servers/test/providers/microsoft.insights/diagnosticSettings/test-setting', + type: 'Microsoft.Insights/diagnosticSettings', + name: 'server-setting', + location: 'eastus', + kind: null, + tags: null, + eventHubName: null, + metrics: [], + logs: [ + { + "category": null, + "categoryGroup": "allLogs", + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + }, + { + "category": null, + "categoryGroup": "audit", + "enabled": false, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + logAnalyticsDestinationType: null + } +]; + +const createCache = (servers, ds) => { + const id = servers && servers.length ? 
servers[0].id : null; + return { + servers: { + listPostgresFlexibleServer: { + 'eastus': { + data: servers + } + } + }, + diagnosticSettings: { + listByPostgresFlexibleServers: { + 'eastus': { + [id]: { + data: ds + } + } + } + + }, + }; +}; + +describe('flexibleServerDiagnosticLogs', function() { + describe('run', function() { + it('should give a passing result if no PostgreSQL Servers are found', function (done) { + const cache = createCache([], null); + flexibleServerDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing PostgreSQL Flexible Servers found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for PostgreSQL Servers', function (done) { + const cache = createCache(null, ['error']); + flexibleServerDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for PostgreSQL Flexible Servers'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + it('should give unknown result if unable to query for diagnostic settings', function(done) { + const cache = createCache([servers[0]], null); + flexibleServerDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for PostgreSQL Flexible Server diagnostic settings'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if diagnostic logs enabled', function(done) { + const cache = createCache([servers[0]], [diagnosticSettings[0]]); + flexibleServerDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + 
expect(results[0].message).to.include('PostgreSQL Flexible Server has diagnostic logs enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if diagnostic logs not enabled', function(done) { + const cache = createCache([servers[0]], [[]]); + flexibleServerDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('PostgreSQL Flexible Server does not have diagnostic logs enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); + From 425227da5f480d4f5a80df9f592232dee452fd4c Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Tue, 5 Dec 2023 18:34:44 +0500 Subject: [PATCH 266/498] updated with recommended changes --- exports.js | 2 +- ...OperationsEnabled.js => auditOperationsEnabled.js} | 11 ++++++++--- ...Enabled.spec.js => auditOperationsEnabled.spec.js} | 2 +- 3 files changed, 10 insertions(+), 5 deletions(-) rename plugins/azure/sqlserver/{auditMicrosoftOperationsEnabled.js => auditOperationsEnabled.js} (78%) rename plugins/azure/sqlserver/{auditMicrosoftOperationsEnabled.spec.js => auditOperationsEnabled.spec.js} (98%) diff --git a/exports.js b/exports.js index 138f527e4e..a4683d9eb5 100644 --- a/exports.js +++ b/exports.js 
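Review bot: The failing-case fixture `createCache([servers[0]], [[]])` passes an array as the diagnostic-setting entry, so the plugin fails only because `[].logs` is undefined, not because a setting has no logs; a realistic shape such as `[{ logs: [] }]` plus a second case with `logs: [{ categoryGroup: 'allLogs', enabled: false }]` would pin down what the check is meant to reject. The fixture ids use `Microsoft.DBforPostgreSQL/servers/...` rather than `flexibleServers`, which is harmless for the cache lookup but misleading to readers of the spec.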
@@ -883,7 +883,7 @@ module.exports = { 'sqlServerRecurringScans' : require(__dirname + '/plugins/azure/sqlserver/sqlServerRecurringScans.js'), 'sqlServerSendScanReports' : require(__dirname + '/plugins/azure/sqlserver/sqlServerSendScanReports.js'), 'sqlServerHasTags' : require(__dirname + '/plugins/azure/sqlserver/sqlServerHasTags.js'), - 'auditMicrosoftOperationsEnabled':require(__dirname + '/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.js'), + 'auditOperationsEnabled':require(__dirname + '/plugins/azure/sqlserver/auditOperationsEnabled.js'), 'javaVersion' : require(__dirname + '/plugins/azure/appservice/javaVersion.js'), 'phpVersion' : require(__dirname + '/plugins/azure/appservice/phpVersion.js'), diff --git a/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.js b/plugins/azure/sqlserver/auditOperationsEnabled.js similarity index 78% rename from plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.js rename to plugins/azure/sqlserver/auditOperationsEnabled.js index d631c5cc57..c2bb8f3179 100644 --- a/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.js +++ b/plugins/azure/sqlserver/auditOperationsEnabled.js 
@@ -41,11 +41,16 @@ module.exports = { helpers.addResult(results, 3, 'Unable to query Auditing Policies: ' + helpers.addError(devOpsAuditingSettings), location, server.id); } else { - if (devOpsAuditingSettings.data[0].state.toLowerCase() == 'enabled') { - helpers.addResult(results, 0, 'Microsoft support operations auditing is enabled on SQL server', location, server.id); + if (devOpsAuditingSettings.data.length) { + if ( devOpsAuditingSettings.data[0].state && devOpsAuditingSettings.data[0].state.toLowerCase() == 'enabled') { + helpers.addResult(results, 0, 'Microsoft support operations auditing is enabled on SQL server', location, server.id); + } else { + helpers.addResult(results, 2, 'Microsoft support operations auditing is not enabled on SQL server', location, server.id); + } } else { - helpers.addResult(results, 2, 'Microsoft support operations auditing is not enabled on SQL server', location, server.id); + helpers.addResult(results, 2, 'No existing auditing policies found', location, server.id); } + } }); diff --git a/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.spec.js b/plugins/azure/sqlserver/auditOperationsEnabled.spec.js similarity index 98% rename from plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.spec.js rename to plugins/azure/sqlserver/auditOperationsEnabled.spec.js index 2da13d0a19..1a7b61a159 100644 --- a/plugins/azure/sqlserver/auditMicrosoftOperationsEnabled.spec.js +++ b/plugins/azure/sqlserver/auditOperationsEnabled.spec.js @@ -1,7 +1,7 @@ // Import necessary modules and the code to be tested var assert = require('assert'); var expect = require('chai').expect; -var auditSupportOperations = require('./auditMicrosoftOperationsEnabled'); +var auditSupportOperations = require('./auditOperationsEnabled'); // Function to create a sample cache const createCache = (err, list, get) => { From eca20d5eb53ab46fd142f4693bfa422a10610e3f Mon Sep 17 00:00:00 2001 
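Review bot: The added guard still inspects only `devOpsAuditingSettings.data[0]`; if the list ever returns more than one entry, an enabled setting at a later index is reported as disabled. `const enabled = devOpsAuditingSettings.data.some(s => s.state && s.state.toLowerCase() === 'enabled');` is no longer than the current condition and also drops the stray space in `if ( devOpsAuditingSettings`. Returning status 2 for an empty list looks intended, but a short comment such as `// no audit policy at all means auditing is off, so FAIL rather than UNKNOWN` would save the next reader from wondering whether 3 was meant. The enclosing callback starts and ends outside the hunk.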
From: alphadev4 Date: Tue, 5 Dec 2023 19:11:02 +0500 Subject: [PATCH 267/498] syncing with saas --- collectors/google/collector.js | 35 +++++ helpers/azure/api.js | 2 +- helpers/google/api.js | 129 ++++++++++++++++- helpers/google/index.js | 6 +- helpers/google/regions.js | 1 + plugins/aws/ssm/ssmManagedInstances.js | 14 +- plugins/aws/ssm/ssmManagedInstances.spec.js | 153 +++++++++++++++++++- plugins/azure/appservice/javaVersion.js | 6 +- plugins/oracle/identity/adminUserAPIKeys.js | 8 +- 9 files changed, 336 insertions(+), 18 deletions(-) diff --git a/collectors/google/collector.js b/collectors/google/collector.js index fcaf33842b..fd7d448c6a 100644 --- a/collectors/google/collector.js +++ b/collectors/google/collector.js @@ -30,6 +30,9 @@ var tertiarycalls = apiCalls.tertiarycalls; var specialcalls = apiCalls.specialcalls; +var additionalCalls = apiCalls.additionalCalls; + + var collect = function(GoogleConfig, settings, callback) { var collection = {}; 
@@ -175,6 +178,38 @@ var collect = function(GoogleConfig, settings, callback) { } }); }, + function(cb) { + async.eachOfLimit(additionalCalls, 10, function(additionalCallObj, service, additionalCallCb) { + helpers.processCall(GoogleConfig, collection, settings, regions, additionalCallObj, service, client, function() { + if (settings.identifier && additionalCalls[service].sendIntegration && additionalCalls[service].sendIntegration.enabled) { + if (!additionalCalls[service].sendIntegration.integrationReliesOn) { + integrationCall(collection, settings, service, [], [additionalCalls], function() { + additionalCallCb(); + }); + } else { + services.push(service); + additionalCallCb(); + } + } else { + additionalCallCb(); + } + }); + }, function() { + if (settings.identifier) { + async.each(services, function(serv, callB) { + integrationCall(collection, settings, serv, [], [additionalCalls], callB); + }, function(err) { + if (err) { + console.log(err); + } + services = []; + cb(); + }); + } else { + cb(); + } + }); + }, function(cb) { async.eachOfLimit(specialcalls, 10, function(specialCallObj, service, specialCallCb) { async.eachOfLimit(specialCallObj, 10, function(subCallObj, one, subCallCb) { diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 0c44596e9d..dd57237cd3 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -254,7 +254,7 @@ var calls = { }, redisCaches: { listBySubscription: { - url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Cache/redis?api-version=2020-06-01' + url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Cache/redis?api-version=2023-08-01' }, sendIntegration: serviceMap['Redis Cache'] }, diff --git a/helpers/google/api.js b/helpers/google/api.js index c66af69f5a..e0ed933be3 100644 --- a/helpers/google/api.js +++ b/helpers/google/api.js 
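Review bot: In the new `additionalCalls` stage an error from `async.each` over `services` is only `console.log`ged before `cb()` is called, so a failed integration push is invisible to the caller; if that is deliberate best-effort behaviour, say so with a comment like `// integration failures are logged but never fail collection`. The body reads as a copy of the preceding call stages (outside the hunk) with only the call table swapped; if they are otherwise identical, a shared helper taking the table would keep the copies from drifting. `services` is declared outside the hunk, so its reset to `[]` here depends on that outer declaration.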
@@ -489,7 +489,11 @@ var calls = { url: 'https://dns.googleapis.com/dns/v1/projects/{projectId}/policies', location: null, pagination: true - } + }, + projectDenyPolicies: { //GET https://iam.googleapis.com/v2/policies/cloudresourcemanager.googleapis.com%252Fprojects%252Fprojectid/denypolicies + url: 'https://iam.googleapis.com/v2/policies/cloudresourcemanager.googleapis.com%252Fprojects%252F{projectId}/denypolicies', + pagination: true + }, }, topics: { list: { @@ -606,11 +610,11 @@ var postcalls = { }, }, - instances: { + compute: { getIamPolicy: { url: 'https://compute.googleapis.com/compute/v1/projects/{projectId}/zones/{locationId}/instances/{id}/getIamPolicy', location: 'zone', - reliesOnService: ['instances'], + reliesOnService: ['compute'], reliesOnCall: ['list'], properties: ['id'], pagination: false @@ -769,6 +773,16 @@ var postcalls = { paginationKey: 'pageSize' } }, + folders:{ // https://cloudresourcemanager.googleapis.com/v2/folders + list: { + url: 'https://cloudresourcemanager.googleapis.com/v2/folders?parent=organizations/{organizationId}', + reliesOnService: ['organizations'], + reliesOnCall: ['list'], + properties: ['organizationId'], + pagination: true, + paginationKey: 'pageSize' + } + }, apiKeys: { get: { url: 'https://apikeys.googleapis.com/v2/{name}', 
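Review bot: Renaming the postcall group from `instances` to `compute` moves the collected IAM policies from cache path `instances.getIamPolicy` to `compute.getIamPolicy`; any plugin still reading the old path (none is visible in this patch) will silently get `undefined` and report UNKNOWN, so the old key is worth a grep before merging. The `projectDenyPolicies` entry hard-codes `%252F` in the path with the same URL repeated in the trailing comment; a note on why the slashes are double-encoded, e.g. `// attachment point is URL-encoded twice: once for the resource name, once for the path segment`, would help the next reader more than the echo does.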
@@ -808,6 +822,65 @@ var postcalls = { pagination: false } }, + policies: { + getProjectDenyPolicies: {// GET https://iam.googleapis.com/v2/policies/cloudresourcemanager.googleapis.com%252Fprojects%2projectId/denypolicies/policyId + url:'https://iam.googleapis.com/v2/{name}', + reliesOnService: ['policies'], + reliesOnCall: ['projectDenyPolicies'], + properties: ['name'], + method: 'GET', + pagination: false + }, + orgDenyPolicies: {// GET https://iam.googleapis.com/v2/policies/cloudresourcemanager.googleapis.com%252Forganizations%252ForganizationId/denypolicies + url: 'https://iam.googleapis.com/v2/policies/cloudresourcemanager.googleapis.com%252F{name}/denypolicies', + reliesOnService: ['organizations'], + reliesOnCall: ['list'], + properties: ['name'], + encodeProperty: true, + method: 'GET', + pagination: false + }, + }, + bigtable: { + getIamPolicy: {//POST https://bigtableadmin.googleapis.com/v2/{resource=projects/*/instances/*}:getIamPolicy + url: 'https://bigtableadmin.googleapis.com/v2/{name}:getIamPolicy', + reliesOnService: ['bigtable'], + reliesOnCall: ['list'], + properties: ['name'], + method: 'POST', + pagination: false + }, + }, + spanner: { + getIamPolicy: {//POST https://spanner.googleapis.com/v1/{resource=projects/*/instances/*}:getIamPolicy + url: 'https://spanner.googleapis.com/v1/{name}:getIamPolicy', + reliesOnService: ['spanner'], + reliesOnCall: ['list'], + properties: ['name'], + method: 'POST', + pagination: false + }, + }, + deployments: { + getIamPolicy: {//GET https://www.googleapis.com/deploymentmanager/v2/projects/project/global/deployments/resource/getIamPolicy + url: 'https://www.googleapis.com/deploymentmanager/v2/projects/{projectId}/global/deployments/{name}/getIamPolicy', + reliesOnService: ['deployments'], + reliesOnCall: ['list'], + properties: ['name'], + method: 'GET', + pagination: false + }, + }, + dataproc: { + getIamPolicy: {//POST 
https://dataproc.googleapis.com/v1/{resource=projects/*/regions/*/operations/*}:getIamPolicy + url: 'https://dataproc.googleapis.com/v1/projects/{projectId}/regions/{locationId}/clusters/{clusterName}:getIamPolicy', + reliesOnService: ['dataproc'], + reliesOnCall: ['list'], + properties: ['clusterName'], + method: 'POST', + pagination: false + }, + }, }; var tertiarycalls = { 
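Review bot: In `orgDenyPolicies` the literal part of the path double-encodes the slash (`%252F`) while `encodeProperty: true` single-encodes `{name}` (`organizations/123` becomes `organizations%2F123`), so the request path ends up as `...com%252Forganizations%2F123/denypolicies` with the two separators encoded differently; one of them cannot be what the IAM v2 API expects. Either encode the property twice in the helper or use `%2F` in the literal, and apply the same choice to `folderDenyPolicies` in the tertiary table. The comment on `dataproc.getIamPolicy` cites the `operations` resource while the URL targets `clusters`; change it to `// POST https://dataproc.googleapis.com/v1/projects/*/regions/*/clusters/*:getIamPolicy`. The `getProjectDenyPolicies` comment also has a typo, `%2projectId` for `%252FprojectId`.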
@@ -852,19 +925,62 @@ var tertiarycalls = { pagination: true, paginationKey: 'nextPageToken' } + }, + folders: { //https://cloudresourcemanager.googleapis.com/v2/{resource=folders/!*}:getIamPolicy + getIamPolicy: { + url: 'https://cloudresourcemanager.googleapis.com/v2/{name}:getIamPolicy', + // name = resource name of the Folder. Its format is folders/{folder_id}, for example: "folders/1234". + reliesOnService: ['folders'], + reliesOnCall: ['list'], + properties: ['name'], + method: 'POST', + pagination: false + }, + }, + policies: { // GET https://iam.googleapis.com/v2/policies/cloudresourcemanager.googleapis.com%252Forganizations%252ForganizationId/denypolicies/policyId + getOrgDenyPolicies: { + url: 'https://iam.googleapis.com/v2/{name}', + reliesOnService: ['policies'], + reliesOnCall: ['orgDenyPolicies'], + properties: ['name'], + method: 'GET', + pagination: false + }, + folderDenyPolicies: {// GET https://iam.googleapis.com/v2/policies/cloudresourcemanager.googleapis.com%252Ffolders%252FfolderId/denypolicies + url: 'https://iam.googleapis.com/v2/policies/cloudresourcemanager.googleapis.com%252F{name}/denypolicies', + reliesOnService: ['folders'], + reliesOnCall: ['list'], + properties: ['name'], + encodeProperty: true, + method: 'GET', + pagination: false + }, } }; +var additionalCalls = { + policies: { + getFolderDenyPolicies: {// GET https://iam.googleapis.com/v2/policies/cloudresourcemanager.googleapis.com%252Ffolders%252FfolderId/denypolicies/policyId + url: 'https://iam.googleapis.com/v2/{name}', + reliesOnService: ['policies'], + reliesOnCall: ['folderDenyPolicies'], + properties: ['name'], + method: 'GET', + pagination: false + }, + }, +}; + var specialcalls = { iam: { list: { pagination: true, - reliesOnService: ['projects'], - reliesOnCall: ['getIamPolicy'] + reliesOnService: ['projects','folders','organizations','memberships','policies'], + reliesOnCall: ['getIamPolicy','getProjectDenyPolicies','getOrgDenyPolicies','getFolderDenyPolicies'] }, 
sendIntegration: { integrationReliesOn: { - serviceName: ['roles'] + serviceName: ['roles','projects','folders','organizations','memberships','policies'] }, enabled: true } @@ -876,5 +992,6 @@ module.exports = { postcalls: postcalls, tertiarycalls: tertiarycalls, specialcalls: specialcalls, + additionalCalls:additionalCalls, serviceMap: serviceMap }; diff --git a/helpers/google/index.js b/helpers/google/index.js index 8862db0722..6affc980da 100644 --- a/helpers/google/index.js +++ b/helpers/google/index.js @@ -164,7 +164,11 @@ var run = function(GoogleConfig, collection, settings, service, callObj, callKey async.eachLimit(records, callObj.maxLimit ? 35 : 10, function(record, recordCb) { callObj.urlToCall = callObj.url; for (var property in callObj.properties) { - callObj.urlToCall = callObj.urlToCall.replace(`{${callObj.properties[property]}}`, !callObj.subObj ? record[callObj.properties[property]] : record[callObj.subObj][callObj.properties[property]]); + let data = !callObj.subObj ? record[callObj.properties[property]] : record[callObj.subObj][callObj.properties[property]]; + if (callObj.encodeProperty){ + data = encodeURIComponent(data); + } + callObj.urlToCall = callObj.urlToCall.replace(`{${callObj.properties[property]}}`, data); } if (!callObj.maxLimit || (callObj.maxLimit && collectionItems.data && collectionItems.data.length < callObj.maxLimit)) { execute(LocalGoogleConfig, collection, service, callObj, callKey, region, recordCb, client, options, myEngine, true, record); diff --git a/helpers/google/regions.js b/helpers/google/regions.js index 572a839e9a..850c6ff33e 100644 --- a/helpers/google/regions.js +++ b/helpers/google/regions.js @@ -143,6 +143,7 @@ module.exports = { subscriptions: ['global'], jobs: regions, organizations: ['global'], + folders: ['global'], groups: ['global'], memberships: ['global'], iam: ['global'], diff --git a/plugins/aws/ssm/ssmManagedInstances.js b/plugins/aws/ssm/ssmManagedInstances.js index 1c0fa1a3b5..47974a44e3 100644 
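Review bot: `additionalCalls` introduces a fourth collection tier (`getFolderDenyPolicies` depends on the tertiary `folderDenyPolicies`, which itself depends on `folders.list`), but nothing in this patch shows the collector iterating it — it is only exported in the `module.exports` hunk — so unless the runner already consumes `additionalCalls`, the `getFolderDenyPolicies` entry added to `specialcalls.iam.list.reliesOnCall` will never be populated. Please confirm where it is consumed, or add a comment above `var additionalCalls` naming the consumer and explaining why a fourth tier is needed. In the `module.exports` hunk, `additionalCalls:additionalCalls` should match its neighbours' spacing or use the shorthand `additionalCalls,`.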
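Review bot: The rewritten `replace` call still takes a string pattern, so a property value containing `$&` or `$1` would be interpreted as a replacement pattern rather than inserted literally; passing a replacer function, `() => data`, as the second argument inserts the value verbatim regardless of its content. Separately, when the record lacks the property `data` is `undefined` and `encodeURIComponent(undefined)` produces the literal string `undefined` in the URL (the old line had the same weakness); since this line now inspects `data` anyway, `if (callObj.encodeProperty && data != null) {` at least keeps the encoder from masking the missing value. The enclosing `run` function begins outside the hunk.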
--- a/plugins/aws/ssm/ssmManagedInstances.js +++ b/plugins/aws/ssm/ssmManagedInstances.js @@ -52,12 +52,16 @@ module.exports = { for (let ec2Instance of ec2Instances) { const arn = `arn:${awsOrGov}:ec2:${region}:${accountId}:instance/${ec2Instance.InstanceId}`; - let instanceInfo = describeInstanceInformation.data.find((instanceInfo) => instanceInfo.InstanceId && instanceInfo.InstanceId === ec2Instance.InstanceId); + if (ec2Instance.State.Name === 'running') { + let instanceInfo = describeInstanceInformation.data.find((instanceInfo) => instanceInfo.InstanceId && instanceInfo.InstanceId === ec2Instance.InstanceId); - if (instanceInfo) { - helpers.addResult(results, 0, `EC2 Instance: ${ec2Instance.InstanceId} is managed by AWS Systems Manager`, region, arn); - } else { - helpers.addResult(results, 2, `EC2 Instance: ${ec2Instance.InstanceId} is not managed by AWS Systems Manager`, region, arn); + if (instanceInfo) { + helpers.addResult(results, 0, `EC2 Instance: ${ec2Instance.InstanceId} is managed by AWS Systems Manager`, region, arn); + } else { + helpers.addResult(results, 2, `EC2 Instance: ${ec2Instance.InstanceId} is not managed by AWS Systems Manager`, region, arn); + } + } else { + helpers.addResult(results, 0, `EC2 Instance: ${ec2Instance.InstanceId} is not in running state`, region, arn); } } diff --git a/plugins/aws/ssm/ssmManagedInstances.spec.js b/plugins/aws/ssm/ssmManagedInstances.spec.js index 7ae3a7741b..17eab06a7d 100644 --- a/plugins/aws/ssm/ssmManagedInstances.spec.js +++ b/plugins/aws/ssm/ssmManagedInstances.spec.js 
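Review bot: `ec2Instance.State.Name === 'running'` throws a TypeError for any instance record without a `State` object, and the exception propagates out of the loop instead of producing a result for that one instance; the spec's `createCache` fixture had to gain a `State` block in this same commit for exactly that reason. `if (ec2Instance.State && ec2Instance.State.Name === 'running') {` keeps the rest of the loop unchanged. Note also that every non-running instance now yields status 0, so a stopped instance that was never registered with Systems Manager is reported as passing; if that is intended, state it in the plugin's description, otherwise a distinct non-PASS status for the "not in running state" case would be safer. The enclosing function starts outside the hunk.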
@@ -136,6 +136,141 @@ const describeInstances = [ ], "OwnerId": "111222333444", "ReservationId": "r-07a34e57731d9d38c" + }, + { + "Groups": [], + "Instances": [ + { + "AmiLaunchIndex": 0, + "ImageId": "ami-0ed9277fb7eb570c9", + "InstanceId": "i-0ccdd1122ddccdd", + "InstanceType": "t2.micro", + "KeyName": "test", + "LaunchTime": "2021-12-19T19:49:14+00:00", + "Monitoring": { + "State": "disabled" + }, + "Placement": { + "AvailabilityZone": "us-east-1a", + "GroupName": "", + "Tenancy": "default" + }, + "PrivateDnsName": "ip-172-31-91-212.ec2.internal", + "PrivateIpAddress": "172.31.91.212", + "ProductCodes": [], + "PublicDnsName": "ec2-54-89-182-216.compute-1.amazonaws.com", + "PublicIpAddress": "54.89.182.216", + "State": { + "Code": 16, + "Name": "stopped" + }, + "StateTransitionReason": "", + "SubnetId": "subnet-02ed4181800d4658b", + "VpcId": "vpc-0f4f4575a74fac014", + "Architecture": "x86_64", + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/xvda", + "Ebs": { + "AttachTime": "2021-12-19T19:49:15+00:00", + "DeleteOnTermination": true, + "Status": "attached", + "VolumeId": "vol-0ebea24b6b5ab89d5" + } + } + ], + "ClientToken": "", + "EbsOptimized": false, + "EnaSupport": true, + "Hypervisor": "xen", + "IamInstanceProfile": { + "Arn": "arn:aws:iam::111222333444:instance-profile/AmazonSSMRoleForInstancesQuickSetup", + "Id": "AIPARPGOCGXS55MJYEHU6" + }, + "NetworkInterfaces": [ + { + "Association": { + "IpOwnerId": "amazon", + "PublicDnsName": "ec2-54-89-182-216.compute-1.amazonaws.com", + "PublicIp": "54.89.182.216" + }, + "Attachment": { + "AttachTime": "2021-12-19T19:49:14+00:00", + "AttachmentId": "eni-attach-0f5bb44c6fbee9f02", + "DeleteOnTermination": true, + "DeviceIndex": 0, + "Status": "attached", + "NetworkCardIndex": 0 + }, + "Description": "", + "Groups": [ + { + "GroupName": "launch-wizard-1", + "GroupId": "sg-06866e2098b1cf826" + } + ], + "Ipv6Addresses": [], + "MacAddress": "12:69:df:6f:57:67", + "NetworkInterfaceId": "eni-0686b6b3e47bdc6c9", + 
"OwnerId": "111222333444", + "PrivateDnsName": "ip-172-31-91-212.ec2.internal", + "PrivateIpAddress": "172.31.91.212", + "PrivateIpAddresses": [ + { + "Association": { + "IpOwnerId": "amazon", + "PublicDnsName": "ec2-54-89-182-216.compute-1.amazonaws.com", + "PublicIp": "54.89.182.216" + }, + "Primary": true, + "PrivateDnsName": "ip-172-31-91-212.ec2.internal", + "PrivateIpAddress": "172.31.91.212" + } + ], + "SourceDestCheck": true, + "Status": "in-use", + "SubnetId": "subnet-02ed4181800d4658b", + "VpcId": "vpc-0f4f4575a74fac014", + "InterfaceType": "interface" + } + ], + "RootDeviceName": "/dev/xvda", + "RootDeviceType": "ebs", + "SecurityGroups": [ + { + "GroupName": "launch-wizard-1", + "GroupId": "sg-06866e2098b1cf826" + } + ], + "SourceDestCheck": true, + "VirtualizationType": "hvm", + "CpuOptions": { + "CoreCount": 1, + "ThreadsPerCore": 1 + }, + "CapacityReservationSpecification": { + "CapacityReservationPreference": "open" + }, + "HibernationOptions": { + "Configured": false + }, + "MetadataOptions": { + "State": "applied", + "HttpTokens": "optional", + "HttpPutResponseHopLimit": 1, + "HttpEndpoint": "enabled", + "HttpProtocolIpv6": "disabled" + }, + "EnclaveOptions": { + "Enabled": false + }, + "PlatformDetails": "Linux/UNIX", + "UsageOperation": "RunInstances", + "UsageOperationUpdateTime": "2021-12-19T19:49:14+00:00" + } + ], + "OwnerId": "111222333444", + "ReservationId": "r-07a34e57731d9d38c" } ]; 
@@ -235,7 +370,16 @@ describe('ssmManagedInstances', function () { it('should PASS if EC2 instance is being managed by AWS SSM', function (done) { - const cache = createCache(describeInstances, describeInstanceInformation); + const cache = createCache([describeInstances[0]], [describeInstanceInformation[0]]); + ssmManagedInstances.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + done(); + }); + }); + + it('should PASS if EC2 instance is not in the Running State', function (done) { + const cache = createCache([describeInstances[1]], [describeInstanceInformation[0]]); ssmManagedInstances.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); @@ -248,7 +392,12 @@ describe('ssmManagedInstances', function () { { Instances: [ { - InstanceId: 'i-abc1234' + InstanceId: 'i-abc1234', + "State": { + "Code": 16, + "Name": "running" + } + } ] } diff --git a/plugins/azure/appservice/javaVersion.js b/plugins/azure/appservice/javaVersion.js index eb21363365..8acd57f24f 100644 --- a/plugins/azure/appservice/javaVersion.js +++ b/plugins/azure/appservice/javaVersion.js @@ -48,6 +48,7 @@ module.exports = { } let found = false; for (let webApp of webApps.data) { + found = false; const webConfigs = helpers.addSource( cache, source, ['webApps', 'listConfigurations', location, webApp.id]); if (!webConfigs || webConfigs.err || !webConfigs.data || !webConfigs.data.length) { 
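Review bot: The new 'not in the Running State' test relies on the `describeInstances[1]` fixture added in the preceding hunk, which pairs `"Code": 16` with `"Name": "stopped"`; EC2 reports code 16 for running and 80 for stopped, so the fixture is internally inconsistent even though the plugin only reads `Name`. Setting `"Code": 80` keeps the fixture faithful to real API output should the check ever switch to the numeric code.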
@@ -73,8 +74,9 @@ module.exports = { if (appConfig.linuxFxVersion && (appConfig.linuxFxVersion.toLowerCase().indexOf('java') > -1)){ found = true; - let version = appConfig.linuxFxVersion; - currentVersion = appConfig.linuxFxVersion.substring(version.indexOf('|')+1, version.lastIndexOf('-')); + const versionPattern =/java\|(\d+)(?:-([\w\d]+))?/i; + const match = appConfig.linuxFxVersion.match(versionPattern); + currentVersion = match ? match[1] : ''; if (currentVersion && currentVersion != '' && parseFloat(currentVersion) >= parseFloat(config.latestJavaVersion)){ versionAvailable = true; } diff --git a/plugins/oracle/identity/adminUserAPIKeys.js b/plugins/oracle/identity/adminUserAPIKeys.js index cb2da86a06..41156ec220 100644 --- a/plugins/oracle/identity/adminUserAPIKeys.js +++ b/plugins/oracle/identity/adminUserAPIKeys.js @@ -80,7 +80,13 @@ module.exports = { if (adminGroup) { - let adminUsers = userGroups.data.map(userGroup => userGroup.userId) || []; + let adminUsers = []; + userGroups.data.forEach(userGroup => { + if (userGroup.groupId === adminGroup.id) { + // User group is part of the 'Administrators' group + adminUsers.push(userGroup.userId); // Add user ID to the array + } + }); for (let user of users.data) { if (!user.id) continue; From 1a56dcad0e804195512d659cb0fda0802d15bddb Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Tue, 5 Dec 2023 19:26:38 +0500 Subject: [PATCH 268/498] Update exports.js Co-authored-by: alphadev4 <113519745+alphadev4@users.noreply.github.com> --- exports.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exports.js b/exports.js index 7c6bb78a53..2942e5bbee 100644 --- a/exports.js +++ b/exports.js 
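Review bot: The new `versionPattern` only matches strings containing `java|` followed by digits, whereas the replaced substring logic accepted any `linuxFxVersion` containing `java` (the `indexOf('java')` guard just above still does) and kept everything between `|` and the last `-`; a value where `java` appears only after the `-`, or a version with a dot component, now yields `''` or a truncated major number. If narrowing to `JAVA|<major>` runtimes is intended, a comment above the regex saying so would stop the next reader from treating it as a regression. Minor: `[\w\d]` is the same as `\w`, the second group is never read, and `=/java` wants a space, so `const versionPattern = /java\|(\d+)/i;` is the equivalent simpler form.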
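Review bot: The `forEach`/`push` loop with its two narrating comments reads better as one declarative expression, `const adminUsers = userGroups.data.filter((ug) => ug.groupId === adminGroup.id).map((ug) => ug.userId);`, which also avoids mutating a `let`. The narrowing to members of the Administrators group is a real fix over the replaced line, which collected the user ID of every group membership regardless of group. The surrounding `if (adminGroup)` block begins and ends outside the hunk.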
@@ -990,7 +990,7 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), From 655c0bacb70717ecf48c8fdeb21b865127eda283 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Tue, 5 Dec 2023 19:36:16 +0500 Subject: [PATCH 269/498] Rebased --- helpers/azure/api.js | 1 + helpers/azure/locations.js | 1 + 2 files changed, 2 insertions(+) diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 188f8ff1c7..fb22b58901 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -945,6 +945,7 @@ var postcalls = { } } + }; var tertiarycalls = { diff --git a/helpers/azure/locations.js b/helpers/azure/locations.js index 7ccb206469..b1e8440193 100644 --- a/helpers/azure/locations.js +++ b/helpers/azure/locations.js @@ -122,4 +122,5 @@ module.exports = { serviceBus: locations, classicFrontDoors: ['global'], afdWafPolicies: ['global'] + }; From 8550edf7058a7735dfb2386b90d460a21c501f78 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Tue, 5 Dec 2023 19:39:15 +0500 Subject: [PATCH 270/498] testcase --- plugins/azure/frontdoor/frontDoorRequestBodyInspection.spec.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/frontdoor/frontDoorRequestBodyInspection.spec.js b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.spec.js index a22415c97c..d6f2adcf1c 100644 --- a/plugins/azure/frontdoor/frontDoorRequestBodyInspection.spec.js +++ b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.spec.js 
@@ -92,7 +92,7 @@ describe('frontDoorRequestBodyInspection', function () { }); it('should give pass result if no existing front door waf policy found', function (done) { - const cache = createCache([afdWafPolicies[2]]); + const cache = createCache([]); frontDoorRequestBodyInspection.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); From ccf3924f09a6594df359aa9b47f5c037096bac7f Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Tue, 5 Dec 2023 19:54:53 +0500 Subject: [PATCH 271/498] removed duplicates --- exports.js | 2 -- 1 file changed, 2 deletions(-) diff --git a/exports.js b/exports.js index bae0f50855..c921ead10a 100644 --- a/exports.js +++ b/exports.js @@ -993,13 +993,11 @@ module.exports = { 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), 'frontDoorWafDetectionMode' : require(__dirname + '/plugins/azure/frontDoor/frontDoorWafDetectionMode.js'), - 'frontDoorWafDetectionMode' : require(__dirname + '/plugins/azure/frontDoor/frontDoorWafDetectionMode.js'), 'frontDoorRequestBodyInspection': require(__dirname + '/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js'), 'frontDoorWafEnabled' : require(__dirname + '/plugins/azure/frontdoor/frontDoorWafEnabled.js'), 'frontDoorHttpsOnly' : require(__dirname + '/plugins/azure/frontdoor/frontDoorHttpsOnly.js'), 'botProtectionEnabled' : require(__dirname + '/plugins/azure/frontdoor/botProtectionEnabled.js'), - 'namespaceEncryptionAtRest' : require(__dirname + '/plugins/azure/servicebus/namespaceEncryptionAtRest.js'), 'namespaceEncryptionAtRest' : require(__dirname + '/plugins/azure/servicebus/namespaceEncryptionAtRest.js'), 'namespaceTlsVersion' : require(__dirname + '/plugins/azure/servicebus/namespaceTlsVersion.js'), 'namespaceLocalAuth' : require(__dirname + '/plugins/azure/servicebus/namespaceLocalAuth.js'), 
From e75c587e47b801a04348beda414dece3ad41f39f Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Tue, 5 Dec 2023 19:59:48 +0500 Subject: [PATCH 272/498] dummy --- plugins/azure/frontdoor/frontDoorWafDetectionMode.spec.js | 1 + 1 file changed, 1 insertion(+) diff --git a/plugins/azure/frontdoor/frontDoorWafDetectionMode.spec.js b/plugins/azure/frontdoor/frontDoorWafDetectionMode.spec.js index f6a31966cb..12fb5b70a7 100644 --- a/plugins/azure/frontdoor/frontDoorWafDetectionMode.spec.js +++ b/plugins/azure/frontdoor/frontDoorWafDetectionMode.spec.js @@ -57,6 +57,7 @@ const createErrorCache = () => { } }; }; + describe('frontDoorWafDetectionMode', function () { describe('run', function () { From dd8c6773ab6c429ecd72f592d5eef57d99590bff Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Tue, 5 Dec 2023 20:02:23 +0500 Subject: [PATCH 273/498] case --- exports.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exports.js b/exports.js index c921ead10a..393a2da39a 100644 --- a/exports.js +++ b/exports.js @@ -992,7 +992,7 @@ module.exports = { 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), - 'frontDoorWafDetectionMode' : require(__dirname + '/plugins/azure/frontDoor/frontDoorWafDetectionMode.js'), + 'frontDoorWafDetectionMode' : require(__dirname + '/plugins/azure/frontdoor/frontDoorWafDetectionMode.js'), 'frontDoorRequestBodyInspection': require(__dirname + '/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js'), 'frontDoorWafEnabled' : require(__dirname + '/plugins/azure/frontdoor/frontDoorWafEnabled.js'), 'frontDoorHttpsOnly' : require(__dirname + '/plugins/azure/frontdoor/frontDoorHttpsOnly.js'), From 2f01b514ac59b019ea40ce2aaa043f6400de0031 Mon Sep 17 00:00:00 2001 
From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> Date: Tue, 5 Dec 2023 20:09:08 +0500 Subject: [PATCH 274/498] Update plugins/aws/bedrock/modelInvocationLoggingEnabled.js --- plugins/aws/bedrock/modelInvocationLoggingEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/aws/bedrock/modelInvocationLoggingEnabled.js b/plugins/aws/bedrock/modelInvocationLoggingEnabled.js index 216dfb05c0..978c2e90f3 100644 --- a/plugins/aws/bedrock/modelInvocationLoggingEnabled.js +++ b/plugins/aws/bedrock/modelInvocationLoggingEnabled.js @@ -3,7 +3,7 @@ var helpers = require('../../../helpers/aws'); module.exports = { title: 'Bedrock Model Invocation Logging Enabled', - category: 'BedRock', + category: 'Amazon Bedrock', domain: 'Machine Learning', description: 'Ensure that Amazon Bedrock model invocation logging is enabled.', more_info: 'With invocation logging enabled, you can collect the full request data, response data, and metadata associated with all calls performed in account. This detailed logging provides valuable insights into model usage patterns, helps in troubleshooting, and enhances security by allowing for thorough analysis of model interactions. It also facilitates compliance with auditing requirements, offering a comprehensive record of model invocations.', From 09217d94c754a1acf6329ed108fa104eb1640412 Mon Sep 17 00:00:00 2001 From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> Date: Tue, 5 Dec 2023 20:10:05 +0500 Subject: [PATCH 275/498] Update plugins/aws/bedrock/customModelInVpc.js --- plugins/aws/bedrock/customModelInVpc.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/aws/bedrock/customModelInVpc.js b/plugins/aws/bedrock/customModelInVpc.js index e397ec88f8..8922ff5c7b 100644 --- a/plugins/aws/bedrock/customModelInVpc.js +++ b/plugins/aws/bedrock/customModelInVpc.js 
@@ -3,7 +3,7 @@ var helpers = require('../../../helpers/aws'); module.exports = { title: 'Custom Model In VPC', - category: 'BedRock', + category: 'Amazon Bedrock', domain: 'Machine Learning', description: 'Ensure that an Amazon Bedrock custom model is configured with a VPC.', more_info: 'When the custom model is configured within a VPC, it establishes a secure environment that prevents unauthorized internet access to your training data, enhancing the overall security and confidentiality of your model.', From 4d74604968618bcc24b2bf28064323234fd922db Mon Sep 17 00:00:00 2001 From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> Date: Tue, 5 Dec 2023 20:11:18 +0500 Subject: [PATCH 276/498] Update plugins/aws/bedrock/privateCustomModel.js --- plugins/aws/bedrock/privateCustomModel.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/aws/bedrock/privateCustomModel.js b/plugins/aws/bedrock/privateCustomModel.js index 2d07aa5f16..ce5c2f239c 100644 --- a/plugins/aws/bedrock/privateCustomModel.js +++ b/plugins/aws/bedrock/privateCustomModel.js @@ -3,7 +3,7 @@ var helpers = require('../../../helpers/aws'); module.exports = { title: 'Private Custom Model', - category: 'BedRock', + category: 'Amazon Bedrock', domain: 'Machine Learning', description: 'Ensure that an Amazon Bedrock custom model is configured within a private VPC.', more_info: 'When the custom model is configured within a private VPC or with a private VPC endpoint, it enhances security by restricting access to authorized networks only, preventing exposure to the public internet.', From afeaa9ae3995192e2ed6ebf585e7525f0720a8c6 Mon Sep 17 00:00:00 2001 From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> Date: Tue, 5 Dec 2023 20:11:44 +0500 Subject: [PATCH 277/498] Update plugins/aws/bedrock/customModelEncryptionEnabled.js --- plugins/aws/bedrock/customModelEncryptionEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/plugins/aws/bedrock/customModelEncryptionEnabled.js b/plugins/aws/bedrock/customModelEncryptionEnabled.js index 2a6870e748..0870b345d3 100644 --- a/plugins/aws/bedrock/customModelEncryptionEnabled.js +++ b/plugins/aws/bedrock/customModelEncryptionEnabled.js @@ -3,7 +3,7 @@ var helpers = require('../../../helpers/aws'); module.exports = { title: 'Custom Model Encryption Enabled', - category: 'BedRock', + category: 'Amazon Bedrock', domain: 'Machine Learning', description: 'Ensure that an Amazon Bedrock custom models are encrypted with desired encryption level.', more_info: 'When you encrypt AWS Bedrock custom model using your own AWS Customer Managed Keys (CMKs) for enhanced protection, you have full control over who can use the encryption keys to access your custom model.', From b0ecf38d5f255c8f83c134d546513c03ee5cb6a5 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Tue, 5 Dec 2023 20:19:47 +0500 Subject: [PATCH 278/498] Update exports.js --- exports.js | 1 - 1 file changed, 1 deletion(-) diff --git a/exports.js b/exports.js index 23c1a738be..a94b8d76ca 100644 --- a/exports.js +++ b/exports.js @@ -997,7 +997,6 @@ module.exports = { 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), 'afdSecurityLoggingEnabled' : require(__dirname + '/plugins/azure/frontdoor/afdSecurityLoggingEnabled.js'), 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), 'frontDoorWafDetectionMode' : require(__dirname + '/plugins/azure/frontdoor/frontDoorWafDetectionMode.js'), 'frontDoorRequestBodyInspection': require(__dirname + '/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js'), 'frontDoorWafEnabled' : require(__dirname + '/plugins/azure/frontdoor/frontDoorWafEnabled.js'), 
From 3c30f1acc0c6d9d341317434496e8301f2d7f0db Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Tue, 5 Dec 2023 20:24:40 +0500 Subject: [PATCH 279/498] Update exports.js --- exports.js | 1 - 1 file changed, 1 deletion(-) diff --git a/exports.js b/exports.js index 0a038ea4ef..99cd6040db 100644 --- a/exports.js +++ b/exports.js @@ -981,7 +981,6 @@ module.exports = { 'enableDefenderForKeyVaults' : require(__dirname + '/plugins/azure/defender/enableDefenderForKeyVaults.js'), 'agWafEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agWafEnabled'), - 'agPreventionModeEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agPreventionModeEnabled.js'), 'agSecurityLoggingEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js'), 'agSslPolicy' : require(__dirname + '/plugins/azure/applicationGateway/agSslPolicy'), 'agPreventionModeEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agPreventionModeEnabled.js'), From 3b274a1a7070a30f2efb4e2047b08366ef3ddc34 Mon Sep 17 00:00:00 2001 From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> Date: Tue, 5 Dec 2023 20:27:09 +0500 Subject: [PATCH 280/498] Update plugins/azure/sqldatabases/dbLedgerEnabled.js --- plugins/azure/sqldatabases/dbLedgerEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbLedgerEnabled.js b/plugins/azure/sqldatabases/dbLedgerEnabled.js index b4ad3c678a..8633709dcf 100644 --- a/plugins/azure/sqldatabases/dbLedgerEnabled.js +++ b/plugins/azure/sqldatabases/dbLedgerEnabled.js 
@@ -5,7 +5,7 @@ module.exports = { title: 'Database Ledger Enabled', category: 'SQL Databases', domain: 'Databases', - description: 'Ensure ledger is enabled to protect the integrity of data for SQL databases.', + description: 'Ensure ledger is enabled for SQL databases.', more_info: 'Azure ledger helps protect the integrity of data by enabling customers to use cryptographic seals on their data. The database ledger incrementally captures the state of a database as the database evolves over time, while updates occur on ledger tables', recommended_action: 'Enable Azure ledger for all future tables in the SQL database to enhance data integrity.', link: 'https://learn.microsoft.com/en-us/sql/relational-databases/security/ledger/ledger-overview?view=sql-server-ver16', From a11ea13a975be0cef705f87e8aed64e92270ad9d Mon Sep 17 00:00:00 2001 From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> Date: Tue, 5 Dec 2023 20:27:21 +0500 Subject: [PATCH 281/498] Update plugins/azure/sqldatabases/dbLedgerEnabled.js --- plugins/azure/sqldatabases/dbLedgerEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbLedgerEnabled.js b/plugins/azure/sqldatabases/dbLedgerEnabled.js index 8633709dcf..98d6f5fa2c 100644 --- a/plugins/azure/sqldatabases/dbLedgerEnabled.js +++ b/plugins/azure/sqldatabases/dbLedgerEnabled.js 
@@ -7,7 +7,7 @@ module.exports = { domain: 'Databases', description: 'Ensure ledger is enabled for SQL databases.', more_info: 'Azure ledger helps protect the integrity of data by enabling customers to use cryptographic seals on their data. The database ledger incrementally captures the state of a database as the database evolves over time, while updates occur on ledger tables', - recommended_action: 'Enable Azure ledger for all future tables in the SQL database to enhance data integrity.', + recommended_action: 'Enable Azure ledger for all SQL databases.', link: 'https://learn.microsoft.com/en-us/sql/relational-databases/security/ledger/ledger-overview?view=sql-server-ver16', apis: ['servers:listSql', 'databases:listByServer'], From fc2f55f996f5274ee0d1b7d406013e2d3b1ca7c5 Mon Sep 17 00:00:00 2001 From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> Date: Tue, 5 Dec 2023 20:27:31 +0500 Subject: [PATCH 282/498] Update plugins/azure/sqldatabases/dbLedgerEnabled.js --- plugins/azure/sqldatabases/dbLedgerEnabled.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/sqldatabases/dbLedgerEnabled.js b/plugins/azure/sqldatabases/dbLedgerEnabled.js index 98d6f5fa2c..0c3ba3bb15 100644 --- a/plugins/azure/sqldatabases/dbLedgerEnabled.js +++ b/plugins/azure/sqldatabases/dbLedgerEnabled.js @@ -45,9 +45,9 @@ module.exports = { 'No databases found for SQL server', location, server.id); } else { // Loop through databases - databases.data.forEach(database=> { + databases.data.forEach(database => { - if (database.isLedgerOn == true) { + if (database.isLedgerOn) { helpers.addResult(results, 0, 'Ledger is enabled for SQL database', location, database.id); } else { helpers.addResult(results, 2, 'Ledger is not enabled for SQL database', location, database.id); From 7e116b2ecbdfff5874d35f09ef7d9ef6f70001e6 Mon Sep 17 00:00:00 2001 
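Review bot: `if (database.isLedgerOn)` accepts any truthy value, whereas the removed `== true` passed only `true` (or a loosely-equal `1`); if the property ever arrives as a string, `'false'` would be reported as ledger enabled. `if (database.isLedgerOn === true) {` drops the loose comparison while keeping strict-boolean semantics. The `forEach` callback continues outside the hunk.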
From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> Date: Tue, 5 Dec 2023 20:39:50 +0500 Subject: [PATCH 283/498] Apply suggestions from code review --- plugins/azure/sqldatabases/dbEnableSecureEnclaves.js | 10 +++++----- .../azure/sqldatabases/dbEnableSecureEnclaves.spec.js | 4 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js b/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js index a5aad9641f..b89a77dc71 100644 --- a/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js +++ b/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js @@ -5,9 +5,9 @@ module.exports = { title: 'Database Secure Enclaves Encryption Enabled', category: 'SQL Databases', domain: 'Databases', - description: 'Ensure Always Encrypted with secure enclaves is enabled at the database level.', - more_info: 'Always Encrypted protects the data by encrypting it on the client side and never allowing the data or the corresponding cryptographic keys to appear in plaintext inside the Database Engine. As a result, the functionality on encrypted columns inside the database is severely restricted.', - recommended_action: 'Enable Always Encrypted with secure enclaves for the SQL database.', + description: 'Ensure secure enclaves encryption is enabled for SQL databases.', + more_info: 'Secure enclaves encryption protects the data by encrypting it on the client side and never allowing the data or the corresponding cryptographic keys to appear in plaintext inside the Database Engine. As a result, the functionality on encrypted columns inside the database is severely restricted.', + recommended_action: 'Enable secure enclaves encryption for all SQL databases.', link: 'https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-enclaves?view=sql-server-ver16', apis: ['servers:listSql', 'databases:listByServer'], 
@@ -46,9 +46,9 @@ module.exports = {
 databases.data.forEach(database=> {
 if (!database.preferredEnclaveType) {
- helpers.addResult(results, 2, 'Always Encrypted with secure enclaves is disabled for SQL database', location, database.id);
+ helpers.addResult(results, 2, 'Secure enclaves encryption is disabled for SQL database', location, database.id);
 } else {
- helpers.addResult(results, 0, 'Always Encrypted with secure enclaves is enabled for SQL database', location, database.id);
+ helpers.addResult(results, 0, 'Secure enclaves encryption is enabled for SQL database', location, database.id);
 }
 }
 );
diff --git a/plugins/azure/sqldatabases/dbEnableSecureEnclaves.spec.js b/plugins/azure/sqldatabases/dbEnableSecureEnclaves.spec.js
index 83772acc4e..f55ebe699f 100644
--- a/plugins/azure/sqldatabases/dbEnableSecureEnclaves.spec.js
+++ b/plugins/azure/sqldatabases/dbEnableSecureEnclaves.spec.js
@@ -80,7 +80,7 @@ describe('enableAlwaysEncrypted', function() {
 const callback = (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(0);
- expect(results[0].message).to.include('Always Encrypted with secure enclaves is enabled for SQL database');
+ expect(results[0].message).to.include('Secure enclaves encryption is enabled for SQL database');
 expect(results[0].region).to.equal('eastus');
 done();
 };
@@ -97,7 +97,7 @@ describe('enableAlwaysEncrypted', function() {
 const callback = (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(2);
- expect(results[0].message).to.include('Always Encrypted with secure enclaves is disabled for SQL database');
+ expect(results[0].message).to.include('Secure enclaves encryption is disabled for SQL database');
 expect(results[0].region).to.equal('eastus');
 done();
 };
From 41b3c9070080736fb75855f12032560ac9de95ea Mon Sep 17 00:00:00 2001
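Review bot: The pass/fail decision `if (!database.preferredEnclaveType)` in the `@@ -46,9 +46,9 @@` hunk treats any non-empty value as "enabled", yet as far as I know the Azure SQL API reports `preferredEnclaveType` as `Default` for databases with no enclave and `VBS` for enclave-enabled ones, so a `Default` database would receive the new "Secure enclaves encryption is enabled" message. Please confirm the values against a real response and, if so, fail on the default as well: `var enclaveType = (database.preferredEnclaveType || '').toLowerCase();` followed by `if (!enclaveType || enclaveType === 'default') {`. The enclosing `run` function starts and ends outside the hunk.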
From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Tue, 5 Dec 2023 21:08:46 +0500 Subject: [PATCH 284/498] Apply suggestions from code review --- exports.js | 2 +- .../sqldatabases/dbLedgerDigestStorageEnabled.js | 12 ++++++------ .../dbLedgerDigestStorageEnabled.spec.js | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/exports.js b/exports.js index fd48918ff9..b02151846e 100644 --- a/exports.js +++ b/exports.js @@ -990,7 +990,7 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js index 734ff1b2b9..671eba676a 100644 --- a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js +++ b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js 
@@ -5,10 +5,10 @@ module.exports = { title: 'Ledger Digest Storage Enabled', category: 'SQL Databases', domain: 'Databases', - description: 'Ensure automatic Ledger digest storage is enabled.', + description: 'Ensure that ledger automatic digest storage is enabled.', more_info: 'Configuring automatic Ledger digest storage allows for the generation and storage of digests for later verification.', recommended_action: 'Configure an Azure Storage account or Azure Confidential Ledger for automatic Ledger digest storage. ', - link: 'https://docs.microsoft.com/en-us/azure/sql-database/sql-database-ledger-overview', + link: 'https://learn.microsoft.com/en-us/sql/relational-databases/security/ledger/ledger-overview?view=sql-server-ver16', apis: ['servers:listSql', 'databases:listByServer', 'ledgerDigestUploads:list'], run: function(cache, settings, callback) { 
@@ -44,15 +44,15 @@ module.exports = {
 helpers.addResult(results, 0, 'No databases found for SQL server', location, server.id);
 } else {
- databases.data.forEach(database=> {
+ databases.data.forEach(database => {
 var ledgerDigestUploads = helpers.addSource(cache, source, ['ledgerDigestUploads', 'list', location, database.id]);
 if (!ledgerDigestUploads || ledgerDigestUploads.err || !ledgerDigestUploads.data) {
- helpers.addResult(results, 3, 'Unable to query for Azure ledger: ' + helpers.addError(ledgerDigestUploads), location, database.id);
+ helpers.addResult(results, 3, 'Unable to query for Ledger Digest Uploads for SQL database: ' + helpers.addError(ledgerDigestUploads), location, database.id);
 } else {
 if (ledgerDigestUploads.data.length && ledgerDigestUploads.data[0].state.toLowerCase() == 'enabled') {
- helpers.addResult(results, 0, 'Automatic Ledger digest storage is enabled for SQL database', location, database.id);
+ helpers.addResult(results, 0, 'Ledger automatic digest storage is enabled for SQL database', location, database.id);
 } else {
- helpers.addResult(results, 2, 'Automatic Ledger digest storage is not enabled for SQL database', location, database.id);
+ helpers.addResult(results, 2, 'Ledger automatic digest storage is not enabled for SQL database', location, database.id);
 }
 }
diff --git a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js
index cd1f9d5c41..49baf7bfe3 100644
--- a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js
+++ b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js
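Review bot: The condition `ledgerDigestUploads.data[0].state.toLowerCase() == 'enabled'` in the `@@ -44,15 +44,15 @@` hunk still dereferences `state` unguarded, so a response whose first element lacks that property throws a TypeError inside the `forEach` and aborts the whole plugin run instead of yielding a result for that database; the reworded UNKNOWN message above it only covers the missing or errored response. Guard the property and use strict equality: `var digest = ledgerDigestUploads.data[0];` followed by `if (digest && typeof digest.state === 'string' && digest.state.toLowerCase() === 'enabled') {`. The enclosing `run` function begins and ends outside the hunk.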
@@ -119,7 +119,7 @@ describe('enableAutomaticLedgerDigestStorage', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Automatic Ledger digest storage is not enabled for SQL database'); + expect(results[0].message).to.include('Ledger automatic digest storage is not enabled for SQL database'); expect(results[0].region).to.equal('eastus'); done(); }; @@ -176,7 +176,7 @@ describe('enableAutomaticLedgerDigestStorage', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); - expect(results[0].message).to.include('Unable to query for Azure ledger'); + expect(results[0].message).to.include('Unable to query for Ledger Digest Uploads for SQL database:'); expect(results[0].region).to.equal('eastus'); done(); }; From 2d2ea1bc2b7844e3bd5d2271dfa73584cf211cd5 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Tue, 5 Dec 2023 21:19:37 +0500 Subject: [PATCH 285/498] Apply suggestions from code review --- plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js index 671eba676a..ced2b389be 100644 --- a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js +++ b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js 
@@ -6,8 +6,8 @@ module.exports = { category: 'SQL Databases', domain: 'Databases', description: 'Ensure that ledger automatic digest storage is enabled.', - more_info: 'Configuring automatic Ledger digest storage allows for the generation and storage of digests for later verification.', - recommended_action: 'Configure an Azure Storage account or Azure Confidential Ledger for automatic Ledger digest storage. ', + more_info: 'Configuring Ledger automatic digest storage allows the generation and storage of digests for later verification. Automatic database digests are generated on a predefined interval of 30 seconds and uploaded to the selected storage service.', + recommended_action: 'Modify SQL database ledger and add storage account for automatic digest storage.', link: 'https://learn.microsoft.com/en-us/sql/relational-databases/security/ledger/ledger-overview?view=sql-server-ver16', apis: ['servers:listSql', 'databases:listByServer', 'ledgerDigestUploads:list'], From 2ba26cb06eb8ffaff8c673e153dcd416a4bda976 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Tue, 5 Dec 2023 21:19:50 +0500 Subject: [PATCH 286/498] Update plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js --- plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js index 49baf7bfe3..0060548a86 100644 --- a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js +++ b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js 
@@ -101,7 +101,7 @@ describe('enableAutomaticLedgerDigestStorage', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Automatic Ledger digest storage is enabled for SQL database'); + expect(results[0].message).to.include('Ledger automatic digest storage is enabled for SQL database'); expect(results[0].region).to.equal('eastus'); done(); }; From 2cef91892be487b7c7a57cae47273b23a45ec0be Mon Sep 17 00:00:00 2001 From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> Date: Tue, 5 Dec 2023 23:37:08 +0500 Subject: [PATCH 287/498] Update exports.js --- exports.js | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/exports.js b/exports.js index bc9ffe707e..f94ac5abf7 100644 --- a/exports.js +++ b/exports.js @@ -1008,7 +1008,6 @@ module.exports = { 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), 'afdSecurityLoggingEnabled' : require(__dirname + '/plugins/azure/frontdoor/afdSecurityLoggingEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), 'frontDoorWafDefaultRateLimit' : require(__dirname + '/plugins/azure/frontdoor/frontDoorWafDefaultRateLimit.js'), 'frontDoorAzureManagedDomain' : require(__dirname + '/plugins/azure/frontdoor/frontDoorAzureManagedDomain.js'), 'frontDoorWafDetectionMode' : require(__dirname + '/plugins/azure/frontdoor/frontDoorWafDetectionMode.js'), @@ -1513,4 +1512,4 @@ module.exports = { 'securityNotificationsEnabled' : require(__dirname + '/plugins/alibaba/securitycenter/securityNotificationsEnabled.js'), 'vulnerabilityScanEnabled' : require(__dirname + '/plugins/alibaba/securitycenter/vulnerabilityScanEnabled.js') } -}; \ No newline at end of file +}; 
From fca73601e70e7edaf6cd502523e774da6b094710 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Wed, 6 Dec 2023 11:29:01 +0500 Subject: [PATCH 288/498] pr comments --- plugins/azure/mediaServices/amsClassicApiDisabled.js | 6 +++--- plugins/azure/mediaServices/amsClassicApiDisabled.spec.js | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/plugins/azure/mediaServices/amsClassicApiDisabled.js b/plugins/azure/mediaServices/amsClassicApiDisabled.js index 9e51bd9e61..7abfdd47f0 100644 --- a/plugins/azure/mediaServices/amsClassicApiDisabled.js +++ b/plugins/azure/mediaServices/amsClassicApiDisabled.js @@ -39,15 +39,15 @@ module.exports = { ['mediaServices', 'get', location, mediaService.id]); if (!getMediaService || getMediaService.err || !getMediaService.data) { - helpers.addResult(results, 3, `Unable to query for Media Service: ${helpers.addError(getMediaService)}`, + helpers.addResult(results, 3, `Unable to query for Media Service data: ${helpers.addError(getMediaService)}`, location, mediaService.id); continue; } if (getMediaService.data.identity) { - helpers.addResult(results, 0, 'Media Service account has classic API disabled', location, mediaService.id); + helpers.addResult(results, 0, 'Media Service account is not using classic v2 APIs', location, mediaService.id); } else { - helpers.addResult(results, 2, 'Media Service account has classic API enabled', location, mediaService.id); + helpers.addResult(results, 2, 'Media Service account is using classic v2 APIs', location, mediaService.id); } } diff --git a/plugins/azure/mediaServices/amsClassicApiDisabled.spec.js b/plugins/azure/mediaServices/amsClassicApiDisabled.spec.js index a45b8e29aa..021fea50dd 100644 --- a/plugins/azure/mediaServices/amsClassicApiDisabled.spec.js +++ b/plugins/azure/mediaServices/amsClassicApiDisabled.spec.js 
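Review bot: The new messages in the `@@ -39,15 +39,15 @@` hunk now state that the account "is not using classic v2 APIs", but the decision is still `if (getMediaService.data.identity)`, i.e. whether a managed identity is present, which is not an explicit classic-API setting, and nothing in the hunk explains why one implies the other (presumably that accounts provisioned with a managed identity are v3-only and unreachable through the v2 API, but that is an inference). A why-comment above that `if` would keep the next maintainer from reading it as a bug, e.g. `// A managed identity is only assigned through the v3 API; its presence is used as the signal that the classic v2 API is not in use — TODO confirm against the AMS documentation`. The loop this sits in starts and ends outside the hunk.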
@@ -89,7 +89,7 @@ describe('amsClassicApiDisabled', function() { amsClassicApiDisabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); - expect(results[0].message).to.include('Unable to query for Media Service'); + expect(results[0].message).to.include('Unable to query for Media Service data'); expect(results[0].region).to.equal('eastus'); done(); }); @@ -100,7 +100,7 @@ describe('amsClassicApiDisabled', function() { amsClassicApiDisabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Media Service account has classic API disabled'); + expect(results[0].message).to.include('Media Service account is not using classic v2 APIs'); expect(results[0].region).to.equal('eastus'); done(); }); @@ -111,7 +111,7 @@ describe('amsClassicApiDisabled', function() { amsClassicApiDisabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Media Service account has classic API enabled'); + expect(results[0].message).to.include('Media Service account is using classic v2 APIs'); expect(results[0].region).to.equal('eastus'); done(); }); From f3d718e20c5de6f418ea867f54f165107d4f32bc Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Wed, 6 Dec 2023 13:05:48 +0500 Subject: [PATCH 289/498] Update vmDiskDeleteConfig.js --- plugins/azure/virtualmachines/vmDiskDeleteConfig.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmDiskDeleteConfig.js b/plugins/azure/virtualmachines/vmDiskDeleteConfig.js index 30fae52b72..e9d501b092 100644 --- a/plugins/azure/virtualmachines/vmDiskDeleteConfig.js +++ b/plugins/azure/virtualmachines/vmDiskDeleteConfig.js 
@@ -2,7 +2,7 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'VM Automatic Disks Delete Enabled', + title: 'VM Disks Deletion Config', category: 'Virtual Machines', domain: 'Compute', description: 'Ensure the option to automatically delete disks is enabled when the associated VM is terminated.', From b8fa4507e8af3de1f2c4f12a26fd8bca9c9be079 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Wed, 6 Dec 2023 13:16:24 +0500 Subject: [PATCH 290/498] Update exports.js Co-authored-by: alphadev4 <113519745+alphadev4@users.noreply.github.com> --- exports.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exports.js b/exports.js index 3112b983ee..3d65a00014 100644 --- a/exports.js +++ b/exports.js @@ -990,7 +990,7 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), From 101bdf53af4a10876837f9c84f112422ef341b52 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Wed, 6 Dec 2023 13:24:26 +0500 Subject: [PATCH 291/498] Apply suggestions from code review --- plugins/azure/virtualmachines/vmSecureBootEnabled.js | 8 ++++---- plugins/azure/virtualmachines/vmSecureBootEnabled.spec.js | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/plugins/azure/virtualmachines/vmSecureBootEnabled.js b/plugins/azure/virtualmachines/vmSecureBootEnabled.js index b3bea8932b..c58b10bed6 100644 
--- a/plugins/azure/virtualmachines/vmSecureBootEnabled.js +++ b/plugins/azure/virtualmachines/vmSecureBootEnabled.js @@ -5,9 +5,9 @@ module.exports = { title: 'VM Secure Boot Enabled', category: 'Virtual Machines', domain: 'Compute', - description: 'Ensure Secure Boot is enabled for Azure virtual machines (VM).', + description: 'Ensures that secure boot is enabled for Azure virtual machines (VM).', more_info: 'Secure Boot, which is implemented in platform firmware, protects against the installation of malware-based rootkits and boot kits. Secure Boot works to ensure that only signed operating systems and drivers can boot. It establishes a "root of trust" for the software stack on your VM.', - recommended_action: 'Enable Secure Boot for Azure virtual machines.', + recommended_action: 'Modify Virtual Machine and enable secure boot.', link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch#secure-boot', apis: ['virtualMachines:listAll'], @@ -34,9 +34,9 @@ module.exports = { virtualMachines.data.forEach(virtualMachine => { if (virtualMachine.securityProfile && virtualMachine.securityProfile.uefiSettings && virtualMachine.securityProfile.uefiSettings.secureBootEnabled) { - helpers.addResult(results, 0, 'Secure Boot is enabled for Azure Virtual Machine', location, virtualMachine.id); + helpers.addResult(results, 0, 'Secure Boot is enabled for virtual machine', location, virtualMachine.id); } else { - helpers.addResult(results, 2, 'Secure Boot is not enabled for Azure Virtual Machine', location, virtualMachine.id); + helpers.addResult(results, 2, 'Secure Boot is not enabled for virtual machine', location, virtualMachine.id); } }); diff --git a/plugins/azure/virtualmachines/vmSecureBootEnabled.spec.js b/plugins/azure/virtualmachines/vmSecureBootEnabled.spec.js index d7b0ad8ae4..c7d4c1f8c6 100644 --- a/plugins/azure/virtualmachines/vmSecureBootEnabled.spec.js +++ b/plugins/azure/virtualmachines/vmSecureBootEnabled.spec.js 
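Review bot: The reworded `description` in the first `@@ -5,9 +5,9 @@` hunk switches to the third-person "Ensures that ...", whereas the sibling plugins touched in this same series keep the imperative "Ensure that ..." (vmVTPMEnabled, dbLedgerDigestStorageEnabled) or plain "Ensure ..." (dbEnableSecureEnclaves, dbLedgerEnabled); only vmSecurityType follows the "Ensures that" form. Pick one form for the `description` field across the new VM plugins; `description: 'Ensure that secure boot is enabled for Azure virtual machines (VM).'` matches the majority. The `module.exports` object continues outside the hunk.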
@@ -67,7 +67,7 @@ describe('selectSecureBoot', function() { selectSecureBoot.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Secure Boot is enabled for Azure Virtual Machine'); + expect(results[0].message).to.include('Secure Boot is enabled for virtual machine'); expect(results[0].region).to.equal('eastus'); done(); }); @@ -78,7 +78,7 @@ describe('selectSecureBoot', function() { selectSecureBoot.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Secure Boot is not enabled for Azure Virtual Machine'); + expect(results[0].message).to.include('Secure Boot is not enabled for virtual machine'); expect(results[0].region).to.equal('eastus'); done(); }); From 0ecd6ec8e6c63b009253aefa7b890391edb72dc9 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Wed, 6 Dec 2023 13:30:38 +0500 Subject: [PATCH 292/498] Update plugins/azure/virtualmachines/vmSecurityType.js Co-authored-by: alphadev4 <113519745+alphadev4@users.noreply.github.com> --- plugins/azure/virtualmachines/vmSecurityType.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmSecurityType.js b/plugins/azure/virtualmachines/vmSecurityType.js index 3395875570..2b8ee9a0a2 100644 --- a/plugins/azure/virtualmachines/vmSecurityType.js +++ b/plugins/azure/virtualmachines/vmSecurityType.js 
@@ -5,7 +5,7 @@ module.exports = { title: 'VM Security Type', category: 'Virtual Machines', domain: 'Compute', - description: 'Ensure Trusted Launch is selected for Azure virtual machines (VM).', + description: 'Ensures that Trusted Launch is selected for Azure virtual machines.', more_info: 'Trusted launch protects against advanced and persistent attack techniques. Trusted launch is composed of several, coordinated infrastructure technologies that can be enabled independently. Each technology provides another layer of defense against sophisticated threats.', recommended_action: 'Select Trusted Launch as security type for Azure virtual machines.', link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-portal?tabs=portal%2Cportal3%2Cportal2', From 077da708261e62a70ac6a38a9787d4f47aa518c6 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Wed, 6 Dec 2023 13:31:40 +0500 Subject: [PATCH 293/498] Update plugins/azure/virtualmachines/vmSecurityType.js --- plugins/azure/virtualmachines/vmSecurityType.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmSecurityType.js b/plugins/azure/virtualmachines/vmSecurityType.js index 2b8ee9a0a2..68ba5ee5e7 100644 --- a/plugins/azure/virtualmachines/vmSecurityType.js +++ b/plugins/azure/virtualmachines/vmSecurityType.js 
@@ -7,7 +7,7 @@ module.exports = { domain: 'Compute', description: 'Ensures that Trusted Launch is selected for Azure virtual machines.', more_info: 'Trusted launch protects against advanced and persistent attack techniques. Trusted launch is composed of several, coordinated infrastructure technologies that can be enabled independently. Each technology provides another layer of defense against sophisticated threats.', - recommended_action: 'Select Trusted Launch as security type for Azure virtual machines.', + recommended_action: 'Select Trusted launch as security type for Azure virtual machines.', link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-portal?tabs=portal%2Cportal3%2Cportal2', apis: ['virtualMachines:listAll'], From da9fd744ae0a05bced208142525a3fda25f80b1a Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Wed, 6 Dec 2023 13:33:49 +0500 Subject: [PATCH 294/498] Apply suggestions from code review --- plugins/azure/virtualmachines/vmSecurityType.js | 4 ++-- plugins/azure/virtualmachines/vmSecurityType.spec.js | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/plugins/azure/virtualmachines/vmSecurityType.js b/plugins/azure/virtualmachines/vmSecurityType.js index 68ba5ee5e7..7433a49e94 100644 --- a/plugins/azure/virtualmachines/vmSecurityType.js +++ b/plugins/azure/virtualmachines/vmSecurityType.js 
@@ -34,9 +34,9 @@ module.exports = {
 virtualMachines.data.forEach(virtualMachine => {
 if (virtualMachine.securityProfile && virtualMachine.securityProfile.securityType == 'TrustedLaunch') {
- helpers.addResult(results, 0, 'Trusted Launch is selected as security type for Azure Virtual Machine', location, virtualMachine.id);
+ helpers.addResult(results, 0, 'Trusted launch is selected as security type for virtual machine', location, virtualMachine.id);
 } else {
- helpers.addResult(results, 2, 'Trusted Launch is not selected as security type for Azure Virtual Machine', location, virtualMachine.id);
+ helpers.addResult(results, 2, 'Trusted launch is not selected as security type for virtual machine', location, virtualMachine.id);
 }
 });
diff --git a/plugins/azure/virtualmachines/vmSecurityType.spec.js b/plugins/azure/virtualmachines/vmSecurityType.spec.js
index 33daab7796..b7dc503bd9 100644
--- a/plugins/azure/virtualmachines/vmSecurityType.spec.js
+++ b/plugins/azure/virtualmachines/vmSecurityType.spec.js
@@ -63,7 +63,7 @@ describe('selectTrustedLaunch', function() {
 selectTrustedLaunch.run(cache, {}, (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(0);
- expect(results[0].message).to.include('Trusted Launch is selected as security type for Azure Virtual Machine');
+ expect(results[0].message).to.include('Trusted launch is selected as security type for virtual machine');
 expect(results[0].region).to.equal('eastus');
 done();
 });
@@ -74,7 +74,7 @@ describe('selectTrustedLaunch', function() {
 selectTrustedLaunch.run(cache, {}, (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(2);
- expect(results[0].message).to.include('Trusted Launch is not selected as security type for Azure Virtual Machine');
+ expect(results[0].message).to.include('Trusted launch is not selected as security type for virtual machine');
 expect(results[0].region).to.equal('eastus');
 done();
 });
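Review bot: The check `virtualMachine.securityProfile.securityType == 'TrustedLaunch'` in the `@@ -34,9 +34,9 @@` hunk fails any VM whose `securityType` is `ConfidentialVM`, even though confidential VMs carry the same boot protections (secure boot and vTPM) plus memory encryption, so the new "Trusted launch is not selected" message would be raised against the more hardened configuration. If that strictness is intended, a comment above the `if` saying so would help; otherwise accept both values with strict comparison: `var securityType = virtualMachine.securityProfile && virtualMachine.securityProfile.securityType;` followed by `if (securityType === 'TrustedLaunch' || securityType === 'ConfidentialVM') {`. The enclosing `run` function begins and ends outside the hunk.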
From 02fd9a4109275edc92680e15cd2609ea0aaa152c Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Wed, 6 Dec 2023 13:34:30 +0500 Subject: [PATCH 295/498] Update plugins/azure/virtualmachines/vmSecurityType.js --- plugins/azure/virtualmachines/vmSecurityType.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmSecurityType.js b/plugins/azure/virtualmachines/vmSecurityType.js index 7433a49e94..8a952d7f51 100644 --- a/plugins/azure/virtualmachines/vmSecurityType.js +++ b/plugins/azure/virtualmachines/vmSecurityType.js @@ -5,7 +5,7 @@ module.exports = { title: 'VM Security Type', category: 'Virtual Machines', domain: 'Compute', - description: 'Ensures that Trusted Launch is selected for Azure virtual machines.', + description: 'Ensures that Trusted launch is selected for Azure virtual machines.', more_info: 'Trusted launch protects against advanced and persistent attack techniques. Trusted launch is composed of several, coordinated infrastructure technologies that can be enabled independently. Each technology provides another layer of defense against sophisticated threats.', recommended_action: 'Select Trusted launch as security type for Azure virtual machines.', link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-portal?tabs=portal%2Cportal3%2Cportal2', From f61a25bb6d93e2004c958b2e8de43b7261c6bb1d Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Wed, 6 Dec 2023 13:39:02 +0500 Subject: [PATCH 296/498] Apply suggestions from code review --- plugins/azure/virtualmachines/vmVTPMEnabled.js | 8 ++++---- plugins/azure/virtualmachines/vmVTPMEnabled.spec.js | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/plugins/azure/virtualmachines/vmVTPMEnabled.js b/plugins/azure/virtualmachines/vmVTPMEnabled.js index 6daeaf9bcb..a069355c9d 100644 --- a/plugins/azure/virtualmachines/vmVTPMEnabled.js 
+++ b/plugins/azure/virtualmachines/vmVTPMEnabled.js @@ -5,9 +5,9 @@ module.exports = { title: 'VM vTPM Enabled', category: 'Virtual Machines', domain: 'Compute', - description: 'Ensure Virtual Trusted Platform Module (vTPM) is enabled for Azure virtual machines (VM).', + description: 'Ensure that Virtual Trusted Platform Module (vTPM) is enabled for Azure virtual machines.', more_info: 'vTPM is TPM2.0 compliant and enhances security by validating VM boot integrity and providing a secure storage mechanism for keys and secrets. The vTPM enables attestation by measuring the entire boot chain of your VM (UEFI, OS, system, and drivers).', - recommended_action: 'Enable vTPM for Azure virtual machines.', + recommended_action: 'Modify virtual machine and enable vTPM.', link: 'https://learn.microsoft.com/en-us/azure/confidential-computing/virtual-tpms-in-azure-confidential-vm', apis: ['virtualMachines:listAll'], @@ -34,9 +34,9 @@ module.exports = { virtualMachines.data.forEach(virtualMachine => { if (virtualMachine.securityProfile && virtualMachine.securityProfile.uefiSettings && virtualMachine.securityProfile.uefiSettings.vTpmEnabled) { - helpers.addResult(results, 0, 'vTPM is enabled for Azure Virtual Machine', location, virtualMachine.id); + helpers.addResult(results, 0, 'vTPM is enabled for virtual machine', location, virtualMachine.id); } else { - helpers.addResult(results, 2, 'vTPM is not enabled for Azure Virtual Machine', location, virtualMachine.id); + helpers.addResult(results, 2, 'vTPM is not enabled for virtual machine', location, virtualMachine.id); } }); diff --git a/plugins/azure/virtualmachines/vmVTPMEnabled.spec.js b/plugins/azure/virtualmachines/vmVTPMEnabled.spec.js index 2970817cb6..0e04cd5988 100644 --- a/plugins/azure/virtualmachines/vmVTPMEnabled.spec.js +++ b/plugins/azure/virtualmachines/vmVTPMEnabled.spec.js 
@@ -67,7 +67,7 @@ describe('selectVTPM', function() { selectVTPM.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('vTPM is enabled for Azure Virtual Machine'); + expect(results[0].message).to.include('vTPM is enabled for virtual machine'); expect(results[0].region).to.equal('eastus'); done(); }); @@ -78,7 +78,7 @@ describe('selectVTPM', function() { selectVTPM.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('vTPM is not enabled for Azure Virtual Machine'); + expect(results[0].message).to.include('vTPM is not enabled for virtual machine'); expect(results[0].region).to.equal('eastus'); done(); }); From 99125a146b9cba8ccd044b2f6b7fe19cca826dae Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Wed, 6 Dec 2023 13:40:27 +0500 Subject: [PATCH 297/498] Update exports.js --- exports.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exports.js b/exports.js index fb34f9b6df..4f3732dcbf 100644 --- a/exports.js +++ b/exports.js @@ -991,7 +991,7 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), From 313fcb37407a1874490f72da0e7a7cc296880507 Mon Sep 17 00:00:00 2001 
From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Wed, 6 Dec 2023 13:41:45 +0500 Subject: [PATCH 298/498] Update plugins/azure/sqldatabases/dbEnableSecureEnclaves.js --- plugins/azure/sqldatabases/dbEnableSecureEnclaves.js | 1 - 1 file changed, 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js b/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js index b89a77dc71..860f995cf3 100644 --- a/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js +++ b/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js @@ -44,7 +44,6 @@ module.exports = { 'No databases found for SQL server', location, server.id); } else { databases.data.forEach(database=> { - if (!database.preferredEnclaveType) { helpers.addResult(results, 2, 'Secure enclaves encryption is disabled for SQL database', location, database.id); } else { From bbfab0fd84a2b90251007d34c521863f10f00b5c Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Wed, 6 Dec 2023 13:41:58 +0500 Subject: [PATCH 299/498] Update plugins/azure/sqldatabases/dbEnableSecureEnclaves.js --- plugins/azure/sqldatabases/dbEnableSecureEnclaves.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js b/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js index 860f995cf3..1df8ef91a1 100644 --- a/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js +++ b/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js @@ -43,7 +43,7 @@ module.exports = { helpers.addResult(results, 0, 'No databases found for SQL server', location, server.id); } else { - databases.data.forEach(database=> { + databases.data.forEach(database => { if (!database.preferredEnclaveType) { helpers.addResult(results, 2, 'Secure enclaves encryption is disabled for SQL database', location, database.id); } else { From fd5f0d1b5d49c97315cb0c246228a0e928a3c84d Mon Sep 17 00:00:00 2001 
From: Abdullah Aslam Date: Wed, 6 Dec 2023 13:45:52 +0500 Subject: [PATCH 300/498] updated --- exports.js | 2 +- ...gsEnabled.js => recoveryVaultLoggingEnabled.js} | 2 +- ...spec.js => recoveryVaultLoggingEnabled.spec.js} | 14 +++++++------- 3 files changed, 9 insertions(+), 9 deletions(-) rename plugins/azure/recoveryService/{recoveryVaultDiagnosticLogsEnabled.js => recoveryVaultLoggingEnabled.js} (97%) rename plugins/azure/recoveryService/{recoveryVaultDiagnosticLogsEnabled.spec.js => recoveryVaultLoggingEnabled.spec.js} (89%) diff --git a/exports.js b/exports.js index 053c0b6ef9..12c9d8c167 100644 --- a/exports.js +++ b/exports.js @@ -983,7 +983,7 @@ module.exports = { 'wafPolicyHasTags' : require(__dirname + '/plugins/azure/waf/wafPolicyHasTags.js'), 'recoveryVaultByokEncrypted' : require(__dirname + '/plugins/azure/recoveryService/recoveryVaultByokEncrypted.js'), - 'recoveryVaultDiagnosticLogsEnabled': require(__dirname + '/plugins/azure/recoveryService/recoveryVaultDiagnosticLogsEnabled.js'), + 'recoveryVaultLoggingEnabled': require(__dirname + '/plugins/azure/recoveryService/recoveryVaultLoggingEnabled.js'), 'domainPublicAccessEnabled' : require(__dirname + '/plugins/azure/eventGrid/domainPublicAccess.js'), diff --git a/plugins/azure/recoveryService/recoveryVaultDiagnosticLogsEnabled.js b/plugins/azure/recoveryService/recoveryVaultLoggingEnabled.js similarity index 97% rename from plugins/azure/recoveryService/recoveryVaultDiagnosticLogsEnabled.js rename to plugins/azure/recoveryService/recoveryVaultLoggingEnabled.js index dda88faac0..f7683a6166 100644 --- a/plugins/azure/recoveryService/recoveryVaultDiagnosticLogsEnabled.js +++ b/plugins/azure/recoveryService/recoveryVaultLoggingEnabled.js 
@@ -2,7 +2,7 @@ const async = require('async'); const helpers = require('../../../helpers/azure'); module.exports = { - title: 'Recovery Services Vault Diagnostic Logs Enabled', + title: 'Recovery Services Vault Logging Enabled', category: 'Recovery Service Vault', domain: 'Backup', description: 'Ensure that Azure Recovery Services Vaults have diagnostic logs enabled.', diff --git a/plugins/azure/recoveryService/recoveryVaultDiagnosticLogsEnabled.spec.js b/plugins/azure/recoveryService/recoveryVaultLoggingEnabled.spec.js similarity index 89% rename from plugins/azure/recoveryService/recoveryVaultDiagnosticLogsEnabled.spec.js rename to plugins/azure/recoveryService/recoveryVaultLoggingEnabled.spec.js index 62a99ece31..3256b3fb04 100644 --- a/plugins/azure/recoveryService/recoveryVaultDiagnosticLogsEnabled.spec.js +++ b/plugins/azure/recoveryService/recoveryVaultLoggingEnabled.spec.js @@ -1,5 +1,5 @@ var expect = require('chai').expect; -var recoveryVaultDiagnosticLogsEnabled = require('./recoveryVaultDiagnosticLogsEnabled'); +var recoveryVaultLoggingEnabled = require('./recoveryVaultLoggingEnabled'); const listServiceVaults = [ { @@ -69,11 +69,11 @@ const createCache = (listServiceVault, ds) => { }; }; -describe('recoveryVaultDiagnosticLogsEnabled', function() { +describe('recoveryVaultLoggingEnabled', function() { describe('run', function() { it('should give passing result if no Recovery Service vault found', function(done) { const cache = createCache([], null); - recoveryVaultDiagnosticLogsEnabled.run(cache, {}, (err, results) => { + recoveryVaultLoggingEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); expect(results[0].message).to.include('No Recovery Service Vaults found'); 
@@ -84,7 +84,7 @@ describe('recoveryVaultDiagnosticLogsEnabled', function() { it('should give unknown result if unable to query for list Recovery Service vault', function(done) { const cache = createCache(null, null); - recoveryVaultDiagnosticLogsEnabled.run(cache, {}, (err, results) => { + recoveryVaultLoggingEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); expect(results[0].message).to.include('Unable to list Recovery Service Vaults:'); @@ -95,7 +95,7 @@ describe('recoveryVaultDiagnosticLogsEnabled', function() { it('should give unknown result if unable to query for diagnostic settings', function(done) { const cache = createCache([listServiceVaults[0]], null); - recoveryVaultDiagnosticLogsEnabled.run(cache, {}, (err, results) => { + recoveryVaultLoggingEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); expect(results[0].message).to.include('Unable to query for Recovery Service Vault diagnostic settings: '); @@ -106,7 +106,7 @@ describe('recoveryVaultDiagnosticLogsEnabled', function() { it('should give passing result if diagnostic logs enabled', function(done) { const cache = createCache([listServiceVaults[0]], [diagnosticSettings[0]]); - recoveryVaultDiagnosticLogsEnabled.run(cache, {}, (err, results) => { + recoveryVaultLoggingEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); expect(results[0].message).to.include('Recovery Service Vault has diagnostic logs enabled'); 
@@ -117,7 +117,7 @@ describe('recoveryVaultDiagnosticLogsEnabled', function() { it('should give failing result if diagnostic logs not enabled', function(done) { const cache = createCache([listServiceVaults[0]], [diagnosticSettings[1]]); - recoveryVaultDiagnosticLogsEnabled.run(cache, {}, (err, results) => { + recoveryVaultLoggingEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); expect(results[0].message).to.include('Recovery Service Vault does not have diagnostic logs enabled'); From da7925ab12acdceec39c922c5c78dcbebee467f1 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Wed, 6 Dec 2023 13:50:07 +0500 Subject: [PATCH 301/498] Update exports.js --- exports.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exports.js b/exports.js index dffd78deea..7b5d65503f 100644 --- a/exports.js +++ b/exports.js @@ -990,7 +990,7 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), From cd78ef33f9b367b71741d35340ec9faa4c0fc1e7 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Wed, 6 Dec 2023 13:57:31 +0500 Subject: [PATCH 302/498] Apply suggestions from code review --- plugins/azure/sqldatabases/dbTDEEnabled.js | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/plugins/azure/sqldatabases/dbTDEEnabled.js b/plugins/azure/sqldatabases/dbTDEEnabled.js index 7ed1b10b80..6359a5b1f0 100644 
--- a/plugins/azure/sqldatabases/dbTDEEnabled.js +++ b/plugins/azure/sqldatabases/dbTDEEnabled.js @@ -5,11 +5,11 @@ module.exports = { title: 'Transparent Data Encryption Enabled', category: 'SQL Databases', domain: 'Databases', - description: 'Ensure Transparent Data Encryption (TDE) is enabled on SQL databases.', - more_info: 'Transparent data encryption (TDE) helps protect Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics against the threat of malicious offline activity by encrypting data at rest. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.', + description: 'Ensure that Transparent Data Encryption (TDE) is enabled for SQL databases.', + more_info: 'Transparent data encryption (TDE) helps protect Azure SQL Database, Managed Instance, and Synapse Analytics against the threat of malicious offline activity by encrypting data at rest. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.', recommended_action: 'Enable Transparent Data Encryption (TDE) for SQL databases.', link: 'https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15', - apis: ['servers:listSql','databases:listByServer','transparentDataEncryption:list'], + apis: ['servers:listSql', 'databases:listByServer', 'transparentDataEncryption:list'], run: function(cache, settings, callback) { var results = []; @@ -31,7 +31,7 @@ module.exports = { return rcb(); } - servers.data.forEach(server=> { + servers.data.forEach(server => { var databases = helpers.addSource(cache, source, ['databases', 'listByServer', location, server.id]); 
@@ -43,7 +43,7 @@ module.exports = { helpers.addResult(results, 0, 'No databases found for SQL server', location, server.id); } else { - databases.data.forEach(database=> { + databases.data.forEach(database => { var transparentDataEncryption = helpers.addSource(cache, source, ['transparentDataEncryption', 'list', location, database.id]); @@ -51,8 +51,8 @@ module.exports = { helpers.addResult(results, 3, 'Unable to query transparent data encryption for SQL Database: ' + helpers.addError(transparentDataEncryption), location, database.id); return; } - - if (transparentDataEncryption.data[0].state.toLowerCase()=='enabled') { + var encryption = transparentDataEncryption.data[0]; + if (encryption.state && encryption.state.toLowerCase() == 'enabled') { helpers.addResult(results, 0, 'Transparent data encryption is enabled for SQL Database', location, database.id); } else { helpers.addResult(results, 2, 'Transparent data encryption is not enabled for SQL Database', location, database.id); From 563c514df293010094ebcaa5624d63f5423a0ea9 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Wed, 6 Dec 2023 13:58:39 +0500 Subject: [PATCH 303/498] Update plugins/azure/sqldatabases/dbTDEEnabled.js --- plugins/azure/sqldatabases/dbTDEEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbTDEEnabled.js b/plugins/azure/sqldatabases/dbTDEEnabled.js index 6359a5b1f0..55b0289e39 100644 --- a/plugins/azure/sqldatabases/dbTDEEnabled.js +++ b/plugins/azure/sqldatabases/dbTDEEnabled.js 
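Review bot: `var encryption = transparentDataEncryption.data[0];` still dereferences an element that may not exist: when the API returns an empty `data` array, `encryption` is `undefined` and `encryption.state` throws inside the `forEach`, aborting the whole check instead of recording a result. The guard above the hunk is not visible here, so unless it already rejects `!transparentDataEncryption.data.length`, default to an empty object so the check fails closed for the database: `var encryption = transparentDataEncryption.data[0] || {};`. While on that line, use strict equality, `encryption.state.toLowerCase() === 'enabled'`, consistent with the `===` comparisons elsewhere in this series. The enclosing `run` function and its `forEach` callbacks start and end outside the hunk.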
@@ -7,7 +7,7 @@ module.exports = { domain: 'Databases', description: 'Ensure that Transparent Data Encryption (TDE) is enabled for SQL databases.', more_info: 'Transparent data encryption (TDE) helps protect Azure SQL Database, Managed Instance, and Synapse Analytics against the threat of malicious offline activity by encrypting data at rest. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.', - recommended_action: 'Enable Transparent Data Encryption (TDE) for SQL databases.', + recommended_action: 'Modify SQL database and enable Transparent Data Encryption (TDE).', link: 'https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15', apis: ['servers:listSql', 'databases:listByServer', 'transparentDataEncryption:list'], From c7e8be623fae13ba468754b54ed0694932288037 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Wed, 6 Dec 2023 14:03:22 +0500 Subject: [PATCH 304/498] Update dbLedgerDigestStorageEnabled.js --- plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js index ced2b389be..e10f8bddde 100644 --- a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js +++ b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js @@ -2,7 +2,7 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Ledger Digest Storage Enabled', + title: 'Ledger Automatic Digest Storage', category: 'SQL Databases', domain: 'Databases', description: 'Ensure that ledger automatic digest storage is enabled.', From 1ea6f404bf416791eaf9b7d019cf2c641303b327 Mon Sep 17 00:00:00 2001 
From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Wed, 6 Dec 2023 14:33:08 +0500 Subject: [PATCH 305/498] Update plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js Co-authored-by: alphadev4 <113519745+alphadev4@users.noreply.github.com> --- plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js index 2eba2fc87d..6078243bf7 100644 --- a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js +++ b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js @@ -45,7 +45,7 @@ module.exports = { helpers.addResult(results, 0, 'No databases found for SQL server', location, server.id); } else { - databases.data.forEach(database=> { + databases.data.forEach(database => { var syncGroups = helpers.addSource(cache, source, ['syncGroups', 'list', location, database.id]); From b44d5779779c40a8ec2ba1ed9eded5b80e2237c2 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Wed, 6 Dec 2023 14:33:22 +0500 Subject: [PATCH 306/498] Update plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js Co-authored-by: alphadev4 <113519745+alphadev4@users.noreply.github.com> --- plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js index 6078243bf7..533cb3305e 100644 --- a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js +++ b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js 
@@ -6,7 +6,7 @@ module.exports = { category: 'SQL Databases', domain: 'Databases', description: 'Ensures SQL Database sync groups use private link when SQL DB sync with others databases.', - more_info: 'Private Link is the way to create Sync groups using secure connection with databases sitting behind a firewall. SQL Data Sync Private Link is Microsoft-managed endpoint and internally creates a subnet within the existing virtual network, so there is no need to create another virtual network or subnet.', + more_info: 'Private link feature allows you to choose a service managed private endpoint to establish a secure connection between the sync service and your member/hub databases during the data synchronization process. A service managed private endpoint is a private IP address within a specific virtual network and subnet.', recommended_action: 'Configure SQL Database sync groups to use private link and mandate manual approval for private endpoint connections.', link: 'https://learn.microsoft.com/en-us/azure/private-link/private-link-overview', apis: ['servers:listSql','databases:listByServer','syncGroups:list'], From 2af218bf04e6167e760e7267aa08f8e460f0aa12 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Wed, 6 Dec 2023 14:33:28 +0500 Subject: [PATCH 307/498] Update plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js Co-authored-by: alphadev4 <113519745+alphadev4@users.noreply.github.com> --- plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js index 533cb3305e..9bd1ecabde 100644 --- a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js +++ b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js 
@@ -55,7 +55,7 @@ module.exports = { } if (!syncGroups.data.length) { helpers.addResult(results, 0, - 'No Database sync group found for SQL database', location, database.id); + 'No sync groups found for SQL database', location, database.id); } syncGroups.data.forEach(syncGroup=> { From aad321548d7905b2a0fa0ca5a30d69ac79542297 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Wed, 6 Dec 2023 14:33:39 +0500 Subject: [PATCH 308/498] Update plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js Co-authored-by: alphadev4 <113519745+alphadev4@users.noreply.github.com> --- plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js index 9bd1ecabde..6cc405aa4a 100644 --- a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js +++ b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js @@ -9,7 +9,7 @@ module.exports = { more_info: 'Private link feature allows you to choose a service managed private endpoint to establish a secure connection between the sync service and your member/hub databases during the data synchronization process. A service managed private endpoint is a private IP address within a specific virtual network and subnet.', recommended_action: 'Configure SQL Database sync groups to use private link and mandate manual approval for private endpoint connections.', link: 'https://learn.microsoft.com/en-us/azure/private-link/private-link-overview', - apis: ['servers:listSql','databases:listByServer','syncGroups:list'], + apis: ['servers:listSql', 'databases:listByServer', 'syncGroups:list'], run: function(cache, settings, callback) { var results = []; From 303db70e00263bf5ddf00673cf29dca83d79f5cb Mon Sep 17 00:00:00 2001 
From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Wed, 6 Dec 2023 14:33:45 +0500 Subject: [PATCH 309/498] Update plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js Co-authored-by: alphadev4 <113519745+alphadev4@users.noreply.github.com> --- plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js index 6cc405aa4a..bad6d17882 100644 --- a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js +++ b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js @@ -8,7 +8,7 @@ module.exports = { description: 'Ensures SQL Database sync groups use private link when SQL DB sync with others databases.', more_info: 'Private link feature allows you to choose a service managed private endpoint to establish a secure connection between the sync service and your member/hub databases during the data synchronization process. A service managed private endpoint is a private IP address within a specific virtual network and subnet.', recommended_action: 'Configure SQL Database sync groups to use private link and mandate manual approval for private endpoint connections.', - link: 'https://learn.microsoft.com/en-us/azure/private-link/private-link-overview', + link: 'https://learn.microsoft.com/en-us/azure/azure-sql/database/sql-data-sync-data-sql-server-sql-database?view=azuresql', apis: ['servers:listSql', 'databases:listByServer', 'syncGroups:list'], run: function(cache, settings, callback) { From 29f44d8aeee1787c4f652ec4c0156aa828f688cf Mon Sep 17 00:00:00 2001 
From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Wed, 6 Dec 2023 14:33:51 +0500 Subject: [PATCH 310/498] Update plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js Co-authored-by: alphadev4 <113519745+alphadev4@users.noreply.github.com> --- plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js index bad6d17882..6f6d76a261 100644 --- a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js +++ b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js @@ -5,7 +5,7 @@ module.exports = { title: 'Database Private Link Enabled', category: 'SQL Databases', domain: 'Databases', - description: 'Ensures SQL Database sync groups use private link when SQL DB sync with others databases.', + description: 'Ensures SQL Database sync groups are configured to use private link.', more_info: 'Private link feature allows you to choose a service managed private endpoint to establish a secure connection between the sync service and your member/hub databases during the data synchronization process. A service managed private endpoint is a private IP address within a specific virtual network and subnet.', recommended_action: 'Configure SQL Database sync groups to use private link and mandate manual approval for private endpoint connections.', link: 'https://learn.microsoft.com/en-us/azure/azure-sql/database/sql-data-sync-data-sql-server-sql-database?view=azuresql', From c470b50b3db88461978bb53f3ddaca9f34000b49 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Wed, 6 Dec 2023 14:33:58 +0500 Subject: [PATCH 311/498] Update exports.js Co-authored-by: alphadev4 <113519745+alphadev4@users.noreply.github.com> --- exports.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exports.js b/exports.js index a0ac0fda96..ffbc43964f 100644 
--- a/exports.js +++ b/exports.js @@ -991,7 +991,7 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), From f22cd511f20d2255a57a5b98435845bda5ea3bd9 Mon Sep 17 00:00:00 2001 From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> Date: Wed, 6 Dec 2023 14:53:21 +0500 Subject: [PATCH 312/498] Update plugins/azure/mediaServices/amsContentKeyPolicy.js --- plugins/azure/mediaServices/amsContentKeyPolicy.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/mediaServices/amsContentKeyPolicy.js b/plugins/azure/mediaServices/amsContentKeyPolicy.js index 6cd000942f..3f802d6ff3 100644 --- a/plugins/azure/mediaServices/amsContentKeyPolicy.js +++ b/plugins/azure/mediaServices/amsContentKeyPolicy.js @@ -43,7 +43,7 @@ module.exports = { location, mediaService.id); continue; } - if (listContentKeyPolicies.data.length > 0) { + if (listContentKeyPolicies.data.length) { helpers.addResult(results, 0, 'Media Service account has content key policy configured', location, mediaService.id); } else { helpers.addResult(results, 2, 'Media Service account does not have content key policy configured', location, mediaService.id); From 025fc0e89cc5e7be24fad153eca5c83669de91a7 Mon Sep 17 00:00:00 2001 From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> Date: Wed, 6 Dec 2023 14:57:47 +0500 Subject: [PATCH 313/498] Update api.js --- helpers/azure/api.js | 5 ----- 1 file changed, 5 deletions(-) 
diff --git a/helpers/azure/api.js b/helpers/azure/api.js index cce90bfa5a..012e6ca746 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -478,11 +478,6 @@ var calls = { url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01' } }, - mediaServices:{ - listAll: { - url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Media/mediaservices?api-version=2023-01-01' - } - }, // For CIEM groups: { list: { From 46fd970a843617b31005153083f6eca8430b3b9f Mon Sep 17 00:00:00 2001 From: mehakseedat63 Date: Wed, 6 Dec 2023 15:17:21 +0500 Subject: [PATCH 314/498] Fixed location.js --- helpers/azure/locations.js | 1 - 1 file changed, 1 deletion(-) diff --git a/helpers/azure/locations.js b/helpers/azure/locations.js index c8815168ce..226bd2cd8f 100644 --- a/helpers/azure/locations.js +++ b/helpers/azure/locations.js @@ -120,7 +120,6 @@ module.exports = { eventGrid: locations, eventHub: locations, mediaServices: locations, - mediaServices: locations, serviceBus: locations, classicFrontDoors: ['global'], afdWafPolicies: ['global'] From 80389f4dcb7ae30f791ae8d5f35d7e0ab52f9b79 Mon Sep 17 00:00:00 2001 From: Muzzammil Date: Wed, 6 Dec 2023 15:30:29 +0500 Subject: [PATCH 315/498] updated with recommended changes --- .../azure/sqldatabases/dbSyncGroupPrivateLink.js | 16 +++++++++------- .../sqldatabases/dbSyncGroupPrivateLink.spec.js | 4 ++-- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js index 6f6d76a261..6a4ac2ca9d 100644 --- a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js +++ b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js 
@@ -56,15 +56,17 @@ module.exports = { if (!syncGroups.data.length) { helpers.addResult(results, 0, 'No sync groups found for SQL database', location, database.id); - } - - syncGroups.data.forEach(syncGroup=> { - if (syncGroup.usePrivateLinkConnection) { - helpers.addResult(results, 0, 'Database sync group uses private link to sync with other databases', location, syncGroup.id); + } else { + var missingPrivateConfigGrps = syncGroups.data.filter((e) => !e.usePrivateLinkConnection).map((e)=>e.name); + + if (missingPrivateConfigGrps.length) { + helpers.addResult(results, 2, `Database is not configured to use private link in following sync groups: ${missingPrivateConfigGrps.join(', ')} `, location, database.id); + } else { - helpers.addResult(results, 2, 'Database sync group does not uses private link to sync with other databases', location, syncGroup.id); + helpers.addResult(results, 0, 'Database sync groups are configured to use private link', location, database.id); } - }); + } + }); } } diff --git a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js index b10bb785b3..7ed4ef6ed3 100644 --- a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js +++ b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js @@ -97,7 +97,7 @@ describe('sqlDatabaseSyncGroups', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Database sync group uses private link to sync with other databases'); + expect(results[0].message).to.include('Database sync groups are configured to use private link'); expect(results[0].region).to.equal('eastus'); done(); }; 
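Review bot: The failing-result template literal has a stray space between `${missingPrivateConfigGrps.join(', ')}` and the closing backtick, which leaves trailing whitespace in a user-facing message and makes exact-match assertions brittle; the same space is carried into the reworded message in PATCH 317's hunk of this file. `var missingPrivateConfigGrps` is never reassigned, so `const` fits, and the arrow spacing on that line mixes `(e) =>` with `(e)=>`. Collapsing per-group results into one per-database result is reasonable, but a sync group without a `name` would surface as `undefined` in the list; `.map((e) => e.name || e.id)` keeps the message meaningful since `id` is what the replaced lines reported on. The enclosing `forEach` callbacks begin above the hunk.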
@@ -115,7 +115,7 @@ describe('sqlDatabaseSyncGroups', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Database sync group does not uses private link to sync with other databases'); + expect(results[0].message).to.include('Database is not configured to use private link in following sync groups:'); expect(results[0].region).to.equal('eastus'); done(); }; From f93393fc96f5a4306a137acf87941da83bbf53cf Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Wed, 6 Dec 2023 16:03:26 +0500 Subject: [PATCH 316/498] Fixed/Security-Logging --- .../agSecurityLoggingEnabled.js | 18 ++++++----- .../agSecurityLoggingEnabled.spec.js | 28 ++++++++++++++++ .../frontdoor/afdSecurityLoggingEnabled.js | 16 +++++----- .../afdSecurityLoggingEnabled.spec.js | 32 ++++++++++++++++++- 4 files changed, 77 insertions(+), 17 deletions(-) diff --git a/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js b/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js index 2d951c5621..7bcf17138c 100644 --- a/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js +++ b/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js 
@@ -40,15 +40,17 @@ module.exports = { if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) { helpers.addResult(results, 3, 'Unable to query Application Gateway diagnostics settings: ' + helpers.addError(diagnosticSettings), location, appGateway.id); } else { - var logs = diagnosticSettings.data[0] && diagnosticSettings.data[0].logs ? diagnosticSettings.data[0].logs : []; - - const allLogsEnabled = logs.some(log => log.categoryGroup === 'allLogs' && log.enabled); - const requiredLogs = ['ApplicationGatewayAccessLog', 'ApplicationGatewayFirewallLog']; - const missingLogs = requiredLogs.filter(requiredCategory => - !logs.find(log => (log.category === requiredCategory && log.enabled)) - ); + //First consider that all the logs are missing then remove the ones that are present + var missingLogs = ['ApplicationGatewayAccessLog', 'ApplicationGatewayFirewallLog']; - if (!allLogsEnabled && missingLogs.length) { + diagnosticSettings.data.forEach(settings => { + const logs = settings.logs; + missingLogs = missingLogs.filter(requiredCategory => + !logs.some(log => (log.category === requiredCategory && log.enabled) || log.categoryGroup === 'allLogs' && log.enabled) + ); + }); + + if (missingLogs.length) { helpers.addResult(results, 2, `Application Gateway does not have security logging enabled. Missing Logs ${missingLogs}`, location, appGateway.id); } else { helpers.addResult(results, 0, 'Application Gateway has security logging enabled', location, appGateway.id); diff --git a/plugins/azure/applicationGateway/agSecurityLoggingEnabled.spec.js b/plugins/azure/applicationGateway/agSecurityLoggingEnabled.spec.js index d800764fdb..0e7f3c13c0 100644 --- a/plugins/azure/applicationGateway/agSecurityLoggingEnabled.spec.js +++ b/plugins/azure/applicationGateway/agSecurityLoggingEnabled.spec.js 
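Review bot: `const logs = settings.logs;` followed by `logs.some(...)` throws a TypeError when a diagnostic setting carries no `logs` array, a case the replaced line explicitly handled with a `? ... : []` fallback and one the Front Door spec in this same commit fixtures as a bare `{}` entry; default it, `const logs = settings.logs || [];`. The same regression is in the afdSecurityLoggingEnabled.js hunk further down this commit. The `some` predicate mixes `&&` and `||` without grouping the second term; it evaluates as intended, but `(log.category === requiredCategory && log.enabled) || (log.categoryGroup === 'allLogs' && log.enabled)` makes that explicit. Iterating every diagnostic setting instead of only `data[0]` is the right fix for the false negative; the `run` function and the enclosing `else` start outside the hunk.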
@@ -64,6 +64,23 @@ const diagnosticSettings = [ ], "logAnalyticsDestinationType": null }, + { + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/microsoft.network/applicationgateways/meerab-test/providers/microsoft.insights/diagnosticSettings/app-ds", + "type": "Microsoft.Insights/diagnosticSettings", + "name": "app-ds", + "logs": [ + { + "category": "", + "categoryGroup": "allLogs", + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + }, + ], + "logAnalyticsDestinationType": null + }, ] const createCache = (applicationGateway, diagnostics) => { let diagnostic = {}; @@ -203,6 +220,17 @@ describe('agSecurityLoggingEnabled', function() { }); }); + it('should give pass result if Application Gateway have allLogs Enabled', function(done) { + const cache = createCache([appGateway[0]],[diagnosticSettings[3]]); + agSecurityLoggingEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Application Gateway has security logging enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); }); diff --git a/plugins/azure/frontdoor/afdSecurityLoggingEnabled.js b/plugins/azure/frontdoor/afdSecurityLoggingEnabled.js index 5ecb911993..c39680a0bf 100644 --- a/plugins/azure/frontdoor/afdSecurityLoggingEnabled.js +++ b/plugins/azure/frontdoor/afdSecurityLoggingEnabled.js 
@@ -43,15 +43,15 @@ module.exports = { if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) { helpers.addResult(results, 3, 'Unable to query Front Door diagnostics settings: ' + helpers.addError(diagnosticSettings), location, profile.id); } else { - var logs = diagnosticSettings.data[0] && diagnosticSettings.data[0].logs ? diagnosticSettings.data[0].logs : []; + var missingLogs = ['FrontDoorAccessLog', 'FrontDoorWebApplicationFirewallLog']; + diagnosticSettings.data.forEach(settings => { + const logs = settings.logs; + missingLogs = missingLogs.filter(requiredCategory => + !logs.some(log => (log.category === requiredCategory && log.enabled) || log.categoryGroup === 'allLogs' && log.enabled) + ); + }); - const allLogsEnabled = logs.some(log => log.categoryGroup === 'allLogs' && log.enabled); - const requiredLogs = ['FrontDoorAccessLog', 'FrontDoorWebApplicationFirewallLog']; - const missingLogs = requiredLogs.filter(requiredCategory => - !logs.find(log => (log.category === requiredCategory && log.enabled)) - ); - - if (!allLogsEnabled && missingLogs.length) { + if (missingLogs.length) { helpers.addResult(results, 2, `Front Door profile does not have security logging enabled. Missing Logs ${missingLogs}`, location, profile.id); } else { helpers.addResult(results, 0, 'Front Door profile has security logging enabled', location, profile.id); diff --git a/plugins/azure/frontdoor/afdSecurityLoggingEnabled.spec.js b/plugins/azure/frontdoor/afdSecurityLoggingEnabled.spec.js index d518b14fdc..844ddc5366 100644 --- a/plugins/azure/frontdoor/afdSecurityLoggingEnabled.spec.js +++ b/plugins/azure/frontdoor/afdSecurityLoggingEnabled.spec.js 
@@ -81,7 +81,25 @@ const diagnosticSettings = [ ], "logAnalyticsDestinationType": null }, - {} + {}, + { + id: '/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/cloudsploit-dev/providers/microsoft.cdn/profiles/omer-cdn-profile-test/providers/microsoft.insights/diagnosticSettings/testaccesslogs', + type: 'Microsoft.Insights/diagnosticSettings', + name: 'testwaflogs', + location: 'global', + logs: [ + { + "category": "", + "categoryGroup": "allLogs", + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logAnalyticsDestinationType": null + }, ] const createCache = (profiles, diagnostics) => { @@ -222,5 +240,17 @@ describe('afdSecurityLoggingEnabled', function () { done(); }); }); + + + it('should give pass result if Application Gateway have allLogs Enabled', function(done) { + const cache = createCache([profiles[1]], [diagnosticSettings[3]]); + afdSecurityLoggingEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Front Door profile has security logging enabled'); + expect(results[0].region).to.equal('global'); + done(); + }); + }); }); }); \ No newline at end of file From dd357764f45808b4f4830b84557a075f4068b984 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Wed, 6 Dec 2023 16:14:09 +0500 Subject: [PATCH 317/498] Apply suggestions from code review --- plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js | 4 ++-- plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js index 6a4ac2ca9d..5f93cebcee 100644 --- a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js +++ b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js 
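Review bot: The new test title in afdSecurityLoggingEnabled.spec.js says 'Application Gateway' although the case exercises a Front Door profile and asserts a Front Door message; rename it `it('should give pass result if Front Door profile has allLogs enabled', function(done) {`. The added fixture's `name: 'testwaflogs'` also disagrees with the `testaccesslogs` segment of its `id`, harmless but confusing when reading a failure. The two blank lines inserted before the new `it` block differ from the single blank line separating the other cases.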
@@ -60,10 +60,10 @@ module.exports = { var missingPrivateConfigGrps = syncGroups.data.filter((e) => !e.usePrivateLinkConnection).map((e)=>e.name); if (missingPrivateConfigGrps.length) { - helpers.addResult(results, 2, `Database is not configured to use private link in following sync groups: ${missingPrivateConfigGrps.join(', ')} `, location, database.id); + helpers.addResult(results, 2, `SQL Database following sync groups are not configured to use private link: ${missingPrivateConfigGrps.join(', ')} `, location, database.id); } else { - helpers.addResult(results, 0, 'Database sync groups are configured to use private link', location, database.id); + helpers.addResult(results, 0, 'SQL Database sync groups are configured to use private link', location, database.id); } } diff --git a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js index 7ed4ef6ed3..bc4ef043a5 100644 --- a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js +++ b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js @@ -97,7 +97,7 @@ describe('sqlDatabaseSyncGroups', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Database sync groups are configured to use private link'); + expect(results[0].message).to.include('SQL Database sync groups are configured to use private link'); expect(results[0].region).to.equal('eastus'); done(); }; @@ -115,7 +115,7 @@ describe('sqlDatabaseSyncGroups', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Database is not configured to use private link in following sync groups:'); + expect(results[0].message).to.include('SQL Database following sync groups are not configured to use private link:'); expect(results[0].region).to.equal('eastus'); done(); }; 
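Review bot: The reworded failure message still ends with a space inside the template literal (`join(', ')}` followed by a blank before the closing backtick), so every emitted message carries a trailing space; drop it. The same trailing space survives the second rewording of this line in PATCH 326 on this file. While touching the line, `var missingPrivateConfigGrps` could become `const`, matching the arrow-function style used on the same line.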
From cdda01180e8f778b42e31942361309fe79456c8c Mon Sep 17 00:00:00 2001 From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> Date: Wed, 6 Dec 2023 16:17:21 +0500 Subject: [PATCH 318/498] Update exports.js --- exports.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exports.js b/exports.js index a4683d9eb5..05aea609fe 100644 --- a/exports.js +++ b/exports.js @@ -883,7 +883,7 @@ module.exports = { 'sqlServerRecurringScans' : require(__dirname + '/plugins/azure/sqlserver/sqlServerRecurringScans.js'), 'sqlServerSendScanReports' : require(__dirname + '/plugins/azure/sqlserver/sqlServerSendScanReports.js'), 'sqlServerHasTags' : require(__dirname + '/plugins/azure/sqlserver/sqlServerHasTags.js'), - 'auditOperationsEnabled':require(__dirname + '/plugins/azure/sqlserver/auditOperationsEnabled.js'), + 'auditOperationsEnabled' : require(__dirname + '/plugins/azure/sqlserver/auditOperationsEnabled.js'), 'javaVersion' : require(__dirname + '/plugins/azure/appservice/javaVersion.js'), 'phpVersion' : require(__dirname + '/plugins/azure/appservice/phpVersion.js'), From 8bd3289f3fe336856825b3287781e1c1c032875d Mon Sep 17 00:00:00 2001 From: Abdullah Aslam Date: Wed, 6 Dec 2023 16:24:47 +0500 Subject: [PATCH 319/498] pr channges --- exports.js | 2 +- ...entityEnabled.js => amsStorageAccountIdentity.js} | 0 ...led.spec.js => amsStorageAccountIdentity.spec.js} | 12 ++++++------ 3 files changed, 7 insertions(+), 7 deletions(-) rename plugins/azure/mediaServices/{amsStorageAccountIdentityEnabled.js => amsStorageAccountIdentity.js} (100%) rename plugins/azure/mediaServices/{amsStorageAccountIdentityEnabled.spec.js => amsStorageAccountIdentity.spec.js} (87%) diff --git a/exports.js b/exports.js index a7a309ac42..163f3b4398 100644 --- a/exports.js +++ b/exports.js 
@@ -991,7 +991,7 @@ module.exports = { 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), - 'amsStorageAccountIdentityEnabled': require(__dirname + '/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js') + 'amsStorageAccountIdentity' : require(__dirname + '/plugins/azure/mediaServices/amsStorageAccountIdentity.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js b/plugins/azure/mediaServices/amsStorageAccountIdentity.js similarity index 100% rename from plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.js rename to plugins/azure/mediaServices/amsStorageAccountIdentity.js diff --git a/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.spec.js b/plugins/azure/mediaServices/amsStorageAccountIdentity.spec.js similarity index 87% rename from plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.spec.js rename to plugins/azure/mediaServices/amsStorageAccountIdentity.spec.js index 4d79f162c9..419ab13068 100644 --- a/plugins/azure/mediaServices/amsStorageAccountIdentityEnabled.spec.js +++ b/plugins/azure/mediaServices/amsStorageAccountIdentity.spec.js @@ -1,5 +1,5 @@ var expect = require('chai').expect; -var amsStorageAccountIdentityEnabled = require('./amsStorageAccountIdentityEnabled'); +var amsStorageAccountIdentity = require('./amsStorageAccountIdentity'); const mediaServices = [ { 
@@ -38,11 +38,11 @@ const createCache = (ams, ds) => { }; }; -describe('amsStorageAccountIdentityEnabled', function() { +describe('amsStorageAccountIdentity', function() { describe('run', function() { it('should give passing result if no media services found', function(done) { const cache = createCache([]); - amsStorageAccountIdentityEnabled.run(cache, {}, (err, results) => { + amsStorageAccountIdentity.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); expect(results[0].message).to.include('No existing Media Services found'); @@ -53,7 +53,7 @@ describe('amsStorageAccountIdentityEnabled', function() { it('should give unknown result if unable to query for media services', function(done) { const cache = createCache(null); - amsStorageAccountIdentityEnabled.run(cache, {}, (err, results) => { + amsStorageAccountIdentity.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); expect(results[0].message).to.include('Unable to query for Media Services:'); @@ -64,7 +64,7 @@ describe('amsStorageAccountIdentityEnabled', function() { it('should give passing result if storage account managed identity enabled for authentication', function(done) { const cache = createCache([mediaServices[1]]); - amsStorageAccountIdentityEnabled.run(cache, {}, (err, results) => { + amsStorageAccountIdentity.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); expect(results[0].message).to.include('Media Service account has managed identity enabled for storage account authentication'); 
@@ -75,7 +75,7 @@ describe('amsStorageAccountIdentityEnabled', function() { it('should give failing result if system authentication enabled', function(done) { const cache = createCache([mediaServices[0]]); - amsStorageAccountIdentityEnabled.run(cache, {}, (err, results) => { + amsStorageAccountIdentity.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); expect(results[0].message).to.include('Media Service account has managed identity disabled for storage account authentication'); From ff60c5403e647f9a7132dd88be780e51cccbc5d8 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Wed, 6 Dec 2023 16:29:10 +0500 Subject: [PATCH 320/498] Apply suggestions from code review --- plugins/azure/sqldatabases/dbDataMaskingEnabled.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/sqldatabases/dbDataMaskingEnabled.js b/plugins/azure/sqldatabases/dbDataMaskingEnabled.js index 217cd28030..00d1dd5c8e 100644 --- a/plugins/azure/sqldatabases/dbDataMaskingEnabled.js +++ b/plugins/azure/sqldatabases/dbDataMaskingEnabled.js 
@@ -47,10 +47,10 @@ module.exports = { databases.data.forEach(database => { var dataMaskingPolicies = helpers.addSource(cache, source, ['dataMaskingPolicies', 'get', location, database.id]); - if (!dataMaskingPolicies || dataMaskingPolicies.err || !dataMaskingPolicies.data || !dataMaskingPolicies.data.dataMaskingState) { + if (!dataMaskingPolicies || dataMaskingPolicies.err || !dataMaskingPolicies.data || !dataMaskingPolicies.data) { helpers.addResult(results, 3, 'Unable to query dynamic data masking policies: ' + helpers.addError(dataMaskingPolicies), location, database.id); } else { - if (dataMaskingPolicies.data.dataMaskingState.toLowerCase()=='enabled') { + if (dataMaskingPolicies.data.dataMaskingState && dataMaskingPolicies.data.dataMaskingState.toLowerCase()=='enabled') { helpers.addResult(results, 0, 'Dynamic data masking is enabled for SQL database', location, database.id); } else { helpers.addResult(results, 2, 'Dynamic data masking is not enabled for SQL database', location, database.id); From 8d10dc75e380c8667f3f58660aa84cbd587cd38d Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Wed, 6 Dec 2023 16:30:50 +0500 Subject: [PATCH 321/498] Update plugins/azure/sqldatabases/dbDataMaskingEnabled.js --- plugins/azure/sqldatabases/dbDataMaskingEnabled.js | 1 + 1 file changed, 1 insertion(+) diff --git a/plugins/azure/sqldatabases/dbDataMaskingEnabled.js b/plugins/azure/sqldatabases/dbDataMaskingEnabled.js index 00d1dd5c8e..3c1c258dcf 100644 --- a/plugins/azure/sqldatabases/dbDataMaskingEnabled.js +++ b/plugins/azure/sqldatabases/dbDataMaskingEnabled.js 
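Review bot: The reworked guard repeats the same term, `!dataMaskingPolicies.data || !dataMaskingPolicies.data`, so the second clause is dead code and reads as a leftover from moving the `dataMaskingState` test into the else branch; the guard should be `if (!dataMaskingPolicies || dataMaskingPolicies.err || !dataMaskingPolicies.data) {`. The duplicated clause is carried unchanged through the later commits on this file in PATCH 321 and PATCH 325. The enclosing `forEach` callback continues outside the hunk.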
@@ -47,6 +47,7 @@ module.exports = { databases.data.forEach(database => { var dataMaskingPolicies = helpers.addSource(cache, source, ['dataMaskingPolicies', 'get', location, database.id]); + if (!dataMaskingPolicies || dataMaskingPolicies.err || !dataMaskingPolicies.data || !dataMaskingPolicies.data) { helpers.addResult(results, 3, 'Unable to query dynamic data masking policies: ' + helpers.addError(dataMaskingPolicies), location, database.id); } else { From c1c94797a1ca5e13ba338b7790b703b9f58e59b2 Mon Sep 17 00:00:00 2001 From: Abdullah Aslam Date: Wed, 6 Dec 2023 16:37:37 +0500 Subject: [PATCH 322/498] duplicate key --- helpers/azure/api.js | 5 ----- 1 file changed, 5 deletions(-) diff --git a/helpers/azure/api.js b/helpers/azure/api.js index d48d1e7f75..bea4057056 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -479,11 +479,6 @@ var calls = { url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01' } }, - mediaServices:{ - listAll: { - url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Media/mediaservices?api-version=2023-01-01' - } - }, // For CIEM groups: { list: { From e811081da3aacc618686225393b87f3dc1d25f60 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Wed, 6 Dec 2023 16:44:09 +0500 Subject: [PATCH 323/498] Update dbDataMaskingEnabled.js --- plugins/azure/sqldatabases/dbDataMaskingEnabled.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/sqldatabases/dbDataMaskingEnabled.js b/plugins/azure/sqldatabases/dbDataMaskingEnabled.js index 3c1c258dcf..cbd8795886 100644 --- a/plugins/azure/sqldatabases/dbDataMaskingEnabled.js +++ b/plugins/azure/sqldatabases/dbDataMaskingEnabled.js 
@@ -2,10 +2,10 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); module.exports = { - title: 'Dynamic Data Masking Enabled', + title: 'SQL Databases Data Masking Enabled', category: 'SQL Databases', domain: 'Databases', - description: 'Ensures dynamic data masking is enabled for all SQL databases.', + description: 'Ensures dynamic data masking is enabeld for all SQL databases.', more_info: 'Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to specify how much sensitive data to reveal with minimal effect on the application layer. DDM can be configured on designated database fields to hide sensitive data in the result sets of queries.', recommended_action: 'Enable dynamic data masking for SQL databases.', link: 'https://docs.microsoft.com/en-us/azure/sql-database/sql-database-dynamic-data-masking-get-started-portal', From 9dd4560671cc0078f2ca2cc222ace643a5901b32 Mon Sep 17 00:00:00 2001 From: muzzamil <140418718+muzzamilinovaqo@users.noreply.github.com> Date: Wed, 6 Dec 2023 16:45:21 +0500 Subject: [PATCH 324/498] Update dbDataMaskingEnabled.js --- plugins/azure/sqldatabases/dbDataMaskingEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbDataMaskingEnabled.js b/plugins/azure/sqldatabases/dbDataMaskingEnabled.js index cbd8795886..d8e1ec85f3 100644 --- a/plugins/azure/sqldatabases/dbDataMaskingEnabled.js +++ b/plugins/azure/sqldatabases/dbDataMaskingEnabled.js 
@@ -5,7 +5,7 @@ module.exports = { title: 'SQL Databases Data Masking Enabled', category: 'SQL Databases', domain: 'Databases', - description: 'Ensures dynamic data masking is enabeld for all SQL databases.', + description: 'Ensures dynamic data masking is enabled for all SQL databases.', more_info: 'Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to specify how much sensitive data to reveal with minimal effect on the application layer. DDM can be configured on designated database fields to hide sensitive data in the result sets of queries.', recommended_action: 'Enable dynamic data masking for SQL databases.', link: 'https://docs.microsoft.com/en-us/azure/sql-database/sql-database-dynamic-data-masking-get-started-portal', From 5b1df71aab12d1a3aa233e2292c80b2b26d39e86 Mon Sep 17 00:00:00 2001 From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> Date: Wed, 6 Dec 2023 16:59:17 +0500 Subject: [PATCH 325/498] Update plugins/azure/sqldatabases/dbDataMaskingEnabled.js --- plugins/azure/sqldatabases/dbDataMaskingEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbDataMaskingEnabled.js b/plugins/azure/sqldatabases/dbDataMaskingEnabled.js index d8e1ec85f3..27ce1355f3 100644 --- a/plugins/azure/sqldatabases/dbDataMaskingEnabled.js +++ b/plugins/azure/sqldatabases/dbDataMaskingEnabled.js 
@@ -51,7 +51,7 @@ module.exports = {
 if (!dataMaskingPolicies || dataMaskingPolicies.err || !dataMaskingPolicies.data || !dataMaskingPolicies.data) {
 helpers.addResult(results, 3, 'Unable to query dynamic data masking policies: ' + helpers.addError(dataMaskingPolicies), location, database.id);
 } else {
- if (dataMaskingPolicies.data.dataMaskingState && dataMaskingPolicies.data.dataMaskingState.toLowerCase()=='enabled') {
+ if (dataMaskingPolicies.data.dataMaskingState && dataMaskingPolicies.data.dataMaskingState.toLowerCase() == 'enabled') {
 helpers.addResult(results, 0, 'Dynamic data masking is enabled for SQL database', location, database.id);
 } else {
 helpers.addResult(results, 2, 'Dynamic data masking is not enabled for SQL database', location, database.id);
From c88fada11d3e54c13eafb0e2c95faa1837b4013c Mon Sep 17 00:00:00 2001
From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com>
Date: Wed, 6 Dec 2023 17:20:54 +0500
Subject: [PATCH 326/498] Apply suggestions from code review
---
 plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js
index 5f93cebcee..e4074bd670 100644
--- a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js
+++ b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js
@@ -57,13 +57,13 @@ module.exports = { helpers.addResult(results, 0, 'No sync groups found for SQL database', location, database.id); } else { - var missingPrivateConfigGrps = syncGroups.data.filter((e) => !e.usePrivateLinkConnection).map((e)=>e.name); + var missingPrivateConfigGrps = syncGroups.data.filter((e) => !e.usePrivateLinkConnection).map((e) => e.name); if (missingPrivateConfigGrps.length) { - helpers.addResult(results, 2, `SQL Database following sync groups are not configured to use private link: ${missingPrivateConfigGrps.join(', ')} `, location, database.id); + helpers.addResult(results, 2, `Following SQL Database sync groups are not configured to use private link: ${missingPrivateConfigGrps.join(', ')} `, location, database.id); } else { - helpers.addResult(results, 0, 'SQL Database sync groups are configured to use private link', location, database.id); + helpers.addResult(results, 0, 'All SQL Database sync groups are configured to use private link', location, database.id); } } From 755858dcf1ac94ff107ec5baf7796dd36de1a7f6 Mon Sep 17 00:00:00 2001 From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> Date: Wed, 6 Dec 2023 17:23:03 +0500 Subject: [PATCH 327/498] Update plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js --- plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js index e10f8bddde..f303535b7f 100644 --- a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js +++ b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js 
@@ -49,7 +49,7 @@ module.exports = {
 if (!ledgerDigestUploads || ledgerDigestUploads.err || !ledgerDigestUploads.data) {
 helpers.addResult(results, 3, 'Unable to query for Ledger Digest Uploads for SQL database: ' + helpers.addError(ledgerDigestUploads), location, database.id);
 } else {
- if (ledgerDigestUploads.data.length && ledgerDigestUploads.data[0].state.toLowerCase() == 'enabled') {
+ if (ledgerDigestUploads.data.length && ledgerDigestUploads.data[0].state && ledgerDigestUploads.data[0].state.toLowerCase() == 'enabled') {
 helpers.addResult(results, 0, 'Ledger automatic digest storage is enabled for SQL database', location, database.id);
 } else {
 helpers.addResult(results, 2, 'Ledger automatic digest storage is not enabled for SQL database', location, database.id);
From 7e6a1f6f7ece091aa0a4c91b554b192575f738af Mon Sep 17 00:00:00 2001
From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com>
Date: Wed, 6 Dec 2023 17:31:50 +0500
Subject: [PATCH 328/498] Update dbSyncGroupPrivateLink.spec.js
---
 plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js
index bc4ef043a5..6d7b15d8dc 100644
--- a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js
+++ b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js
@@ -97,7 +97,7 @@ describe('sqlDatabaseSyncGroups', function() {
 const callback = (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(0);
- expect(results[0].message).to.include('SQL Database sync groups are configured to use private link');
+ expect(results[0].message).to.include('All SQL Database sync groups are configured to use private link');
 expect(results[0].region).to.equal('eastus');
 done();
 };
@@ -115,7 +115,7 @@ describe('sqlDatabaseSyncGroups', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('SQL Database following sync groups are not configured to use private link:'); + expect(results[0].message).to.include('Following SQL Database sync groups are not configured to use private link:'); expect(results[0].region).to.equal('eastus'); done(); }; From 229e95fed3d032e592a328c89a064cb6721b622f Mon Sep 17 00:00:00 2001 From: fatima99s Date: Thu, 7 Dec 2023 18:32:29 +0500 Subject: [PATCH 329/498] change category network watcher --- exports.js | 4 ++-- plugins/aws/glue/glueCloudwatchLogsEncrypted.js | 2 +- .../nsgFlowLogsRetentionPeriod.js | 2 +- .../nsgFlowLogsRetentionPeriod.spec.js | 0 .../networkWatcherEnabled.js | 2 +- .../networkWatcherEnabled.spec.js | 0 6 files changed, 5 insertions(+), 5 deletions(-) rename plugins/azure/{networkwatchers => networksecuritygroups}/nsgFlowLogsRetentionPeriod.js (98%) rename plugins/azure/{networkwatchers => networksecuritygroups}/nsgFlowLogsRetentionPeriod.spec.js (100%) rename plugins/azure/{networksecuritygroups => networkwatchers}/networkWatcherEnabled.js (98%) rename plugins/azure/{networksecuritygroups => networkwatchers}/networkWatcherEnabled.spec.js (100%) diff --git a/exports.js b/exports.js index fe8c0f16b2..0b9faca21d 100644 --- a/exports.js +++ b/exports.js 
@@ -835,7 +835,7 @@ module.exports = { 'flexibleServerDiagnosticLogs' : require(__dirname + '/plugins/azure/postgresqlserver/flexibleServerDiagnosticLogs.js'), 'openOracleAutoDataWarehouse' : require(__dirname + '/plugins/azure/networksecuritygroups/openOracleAutoDataWarehouse.js'), - 'networkWatcherEnabled' : require(__dirname + '/plugins/azure/networksecuritygroups/networkWatcherEnabled.js'), + 'nsgFlowLogsRetentionPeriod' : require(__dirname + '/plugins/azure/networksecuritygroups/nsgFlowLogsRetentionPeriod.js'), 'excessiveSecurityGroups' : require(__dirname + '/plugins/azure/networksecuritygroups/excessiveSecurityGroups.js'), 'defaultSecurityGroup' : require(__dirname + '/plugins/azure/networksecuritygroups/defaultSecurityGroup.js'), 'openAllPorts' : require(__dirname + '/plugins/azure/networksecuritygroups/openAllPorts.js'), @@ -877,7 +877,7 @@ module.exports = { 'openHTTPS' : require(__dirname + '/plugins/azure/networksecuritygroups/openHTTPS.js'), 'nsgLogAnalyticsEnabled' : require(__dirname + '/plugins/azure/networksecuritygroups/nsgLogAnalyticsEnabled.js'), - 'nsgFlowLogsRetentionPeriod' : require(__dirname + '/plugins/azure/networkwatchers/nsgFlowLogsRetentionPeriod.js'), + 'networkWatcherEnabled' : require(__dirname + '/plugins/azure/networkwatchers/networkWatcherEnabled.js'), 'resourceUsageLimit' : require(__dirname + '/plugins/azure/resources/resourceUsageLimit.js'), 'managementLockEnabled' : require(__dirname + '/plugins/azure/resources/managementLockEnabled.js'), diff --git a/plugins/aws/glue/glueCloudwatchLogsEncrypted.js b/plugins/aws/glue/glueCloudwatchLogsEncrypted.js index d6a9f26bcc..8b3fabe859 100644 --- a/plugins/aws/glue/glueCloudwatchLogsEncrypted.js +++ b/plugins/aws/glue/glueCloudwatchLogsEncrypted.js 
@@ -3,7 +3,7 @@ var helpers = require('../../../helpers/aws'); module.exports = { title: 'AWS Glue CloudWatch Encrypted Logs', - category: 'AWS Glue', + category: 'Glue', domain: 'Content Delivery', description: 'Ensures that encryption at-rest is enabled when writing AWS Glue logs to Amazon CloudWatch.', more_info: 'AWS Glue should have encryption at-rest enabled for AWS Glue logs to ensure security of AWS Glue logs.', diff --git a/plugins/azure/networkwatchers/nsgFlowLogsRetentionPeriod.js b/plugins/azure/networksecuritygroups/nsgFlowLogsRetentionPeriod.js similarity index 98% rename from plugins/azure/networkwatchers/nsgFlowLogsRetentionPeriod.js rename to plugins/azure/networksecuritygroups/nsgFlowLogsRetentionPeriod.js index c93edd46ae..28f45d8f6d 100644 --- a/plugins/azure/networkwatchers/nsgFlowLogsRetentionPeriod.js +++ b/plugins/azure/networksecuritygroups/nsgFlowLogsRetentionPeriod.js @@ -3,7 +3,7 @@ const helpers = require('../../../helpers/azure/'); module.exports = { title: 'NSG Flow Logs Retention Period', - category: 'Network Watcher', + category: 'Network Security Groups', domain: 'Management and Governance', description: 'Ensures that Azure Network Security Groups (NSGs) have a sufficient flow log retention period', more_info: 'A flow log data retention period of 90 days or more, allows you to collect the necessary amount of logging data required to check for anomalies and provide details about any potential security breach.', diff --git a/plugins/azure/networkwatchers/nsgFlowLogsRetentionPeriod.spec.js b/plugins/azure/networksecuritygroups/nsgFlowLogsRetentionPeriod.spec.js similarity index 100% rename from plugins/azure/networkwatchers/nsgFlowLogsRetentionPeriod.spec.js rename to plugins/azure/networksecuritygroups/nsgFlowLogsRetentionPeriod.spec.js 
diff --git a/plugins/azure/networksecuritygroups/networkWatcherEnabled.js b/plugins/azure/networkwatchers/networkWatcherEnabled.js similarity index 98% rename from plugins/azure/networksecuritygroups/networkWatcherEnabled.js rename to plugins/azure/networkwatchers/networkWatcherEnabled.js index 2b51dee960..e9697be8d8 100644 --- a/plugins/azure/networksecuritygroups/networkWatcherEnabled.js +++ b/plugins/azure/networkwatchers/networkWatcherEnabled.js @@ -3,7 +3,7 @@ const helpers = require('../../../helpers/azure/'); module.exports = { title: 'Network Watcher Enabled', - category: 'Network Security Groups', + category: 'Network Watcher', domain: 'Network Access Control', description: 'Ensures Network Watcher is enabled in all locations', more_info: 'Network Watcher helps locate, diagnose, and gain insights into Azure networks. Enabling Network Watcher in all locations ensures that no resources are being used in locations that are not authorized.', diff --git a/plugins/azure/networksecuritygroups/networkWatcherEnabled.spec.js b/plugins/azure/networkwatchers/networkWatcherEnabled.spec.js similarity index 100% rename from plugins/azure/networksecuritygroups/networkWatcherEnabled.spec.js rename to plugins/azure/networkwatchers/networkWatcherEnabled.spec.js From 8b4242322a6f09bcc56c3767dd5e1c26ecabed89 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Mon, 11 Dec 2023 15:18:16 +0500 Subject: [PATCH 330/498] lint issue --- helpers/azure/api.js | 5 ----- 1 file changed, 5 deletions(-) diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 02fbc8e51c..7289d5f903 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js 
@@ -459,11 +459,6 @@ var calls = { url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.EventHub/namespaces?api-version=2022-10-01-preview' } }, - mediaServices:{ - listAll: { - url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Media/mediaservices?api-version=2023-01-01' - } - }, serviceBus: { listNamespacesBySubscription: { url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.ServiceBus/namespaces?api-version=2022-10-01-preview' From 8af0f3d0821204f0f471778b4be946e839ccc341 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Sun, 17 Dec 2023 16:32:26 +0500 Subject: [PATCH 331/498] vmss ad authentication --- exports.js | 1 + .../scaleSetAdAuthenticationEnabled.js | 60 +++++++++ .../scaleSetAdAuthenticationEnabled.spec.js | 127 ++++++++++++++++++ 3 files changed, 188 insertions(+) create mode 100644 plugins/azure/virtualmachines/scaleSetAdAuthenticationEnabled.js create mode 100644 plugins/azure/virtualmachines/scaleSetAdAuthenticationEnabled.spec.js diff --git a/exports.js b/exports.js index 0fab601115..09716ba034 100644 --- a/exports.js +++ b/exports.js @@ -756,6 +756,7 @@ module.exports = { 'vmVTPMEnabled' : require(__dirname + '/plugins/azure/virtualmachines/vmVTPMEnabled.js'), 'vmSecureBootEnabled' : require(__dirname + '/plugins/azure/virtualmachines/vmSecureBootEnabled.js'), 'vmDiskDeleteConfig' : require(__dirname + '/plugins/azure/virtualmachines/vmDiskDeleteConfig.js'), + 'scaleSetAdAuthenticationEnabled': require(__dirname + '/plugins/azure/virtualmachines/scaleSetAdAuthenticationEnabled.js'), 'bastionHostExists' : require(__dirname + '/plugins/azure/bastion/bastionHostExists.js'), diff --git a/plugins/azure/virtualmachines/scaleSetAdAuthenticationEnabled.js b/plugins/azure/virtualmachines/scaleSetAdAuthenticationEnabled.js new file mode 100644 index 0000000000..19f69dba85 --- /dev/null 
+++ b/plugins/azure/virtualmachines/scaleSetAdAuthenticationEnabled.js 
@@ -0,0 +1,60 @@ +const async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { +title: 'Scale Sets Active Directory Authentication Enabled', + category: 'Virtual Machines', + domain: 'Compute', + description: 'Ensures that Azure Active Directory (AD) authentication is enabled for virtual machine scale sets.', + more_info: 'Organizations can now improve the security of virtual machine Scale Sets in Azure by integrating with Azure Active Directory (AD) authentication. Enabling Azure Active Directory (AD) authentication for Azure virtual machine scale set ensures access to VMs from one central point and simplifies access permission management.', + recommended_action: 'Enable Azure Active Directory authentication for Azure virtual machines scale sets.', + link: 'https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-linux', + apis: ['virtualMachineScaleSets:listAll'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.virtualMachineScaleSets, (location, rcb) => { + const virtualMachineScaleSets = helpers.addSource(cache, source, + ['virtualMachineScaleSets', 'listAll', location]); + + if (!virtualMachineScaleSets) return rcb(); + + if (virtualMachineScaleSets.err || !virtualMachineScaleSets.data) { + helpers.addResult(results, 3, + 'Unable to query for Virtual Machine Scale Sets: ' + helpers.addError(virtualMachineScaleSets), location); + return rcb(); + } + + if (!virtualMachineScaleSets.data.length) { + helpers.addResult(results, 0, 'No existing Virtual Machine Scale Sets found', location); + return rcb(); + } + + for (let virtualMachineScaleSet of virtualMachineScaleSets.data) { + const scaleSetExtensions = virtualMachineScaleSet.virtualMachineProfile && virtualMachineScaleSet.virtualMachineProfile.extensionProfile && + 
virtualMachineScaleSet.virtualMachineProfile.extensionProfile.extensions + ? virtualMachineScaleSet.virtualMachineProfile.extensionProfile.extensions + : []; + const adAuthentication = scaleSetExtensions.length + ? scaleSetExtensions.some((extension) => (extension.properties.type === 'AADLoginForWindows' || + extension.properties.type === 'AADLoginForLinux' || extension.properties.type === 'AADSSHLoginForLinux' + )) + : false; + + if (adAuthentication) { + helpers.addResult(results, 0, + 'Virtual Machine Scale Set has active directory authentication enabled', location, virtualMachineScaleSet.id); + } else { + helpers.addResult(results, 2, + 'Virtual Machine Scale Set has active directory authentication disabled', location, virtualMachineScaleSet.id); + } + } + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; diff --git a/plugins/azure/virtualmachines/scaleSetAdAuthenticationEnabled.spec.js b/plugins/azure/virtualmachines/scaleSetAdAuthenticationEnabled.spec.js new file mode 100644 index 0000000000..3b4b84da15 --- /dev/null +++ b/plugins/azure/virtualmachines/scaleSetAdAuthenticationEnabled.spec.js 
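Review bot: The extension match dereferences `extension.properties.type` without checking that `properties` exists, so a single extension entry lacking a `properties` object throws a TypeError and aborts evaluation for the whole location; the chain above guards `virtualMachineProfile` and `extensionProfile` but not this level. `const adAuthentication = scaleSetExtensions.some((extension) => extension.properties && ['AADLoginForWindows', 'AADLoginForLinux', 'AADSSHLoginForLinux'].includes(extension.properties.type));` closes that gap and also removes the redundant `scaleSetExtensions.length ? … : false` wrapper, since `.some` on an empty array already returns `false`. Note that matching on the extension `type` alone accepts any publisher; if the project wants a stricter signal it would also have to compare the publisher, which this hunk does not do. Separately, `title:` sits at column 0 while the rest of the exported object is indented, which the project's lint step will likely flag.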
@@ -0,0 +1,127 @@ +var expect = require('chai').expect; +var scaleSetAdAuthenticationEnabled = require('./scaleSetAdAuthenticationEnabled'); + +const virtualMachineScaleSets = [ + { + 'name': 'test-vmss', + 'id': '/subscriptions/123/resourceGroups/AQUA-RESOURCE-GROUP/providers/Microsoft.Compute/virtualMachineScaleSets/test-vmss', + 'type': 'Microsoft.Compute/virtualMachineScaleSets', + 'virtualMachineProfile': { + 'extensionProfile': { + 'extensions': [ + { + 'name': 'AADSSHLoginForLinux', + 'properties': { + 'autoUpgradeMinorVersion': false, + 'publisher': 'Microsoft.ManagedServices', + 'type': 'AADSSHLoginForLinux', + 'typeHandlerVersion': '1.0', + } + } + ] + } + } + }, + { + 'name': 'test-vmss', + 'id': '/subscriptions/123/resourceGroups/AQUA-RESOURCE-GROUP/providers/Microsoft.Compute/virtualMachineScaleSets/test-vmss', + 'type': 'Microsoft.Compute/virtualMachineScaleSets', + 'virtualMachineProfile': { + 'extensionProfile': { + 'extensions': [ + { + 'name': 'AADLoginForWindows', + 'properties': { + 'autoUpgradeMinorVersion': false, + 'publisher': 'Microsoft.ManagedServices', + 'type': 'AADLoginForWindows', + 'typeHandlerVersion': '1.0', + } + } + ] + } + } + }, + { + 'name': 'test-vmss', + 'id': '/subscriptions/123/resourceGroups/AQUA-RESOURCE-GROUP/providers/Microsoft.Compute/virtualMachineScaleSets/test-vmss', + 'type': 'Microsoft.Compute/virtualMachineScaleSets', + 'virtualMachineProfile': { + 'extensionProfile': { + 'extensions': [] + } + } + } +]; + +const createCache = (virtualMachineScaleSets) => { + let machine = {}; + if (virtualMachineScaleSets) { + machine['data'] = virtualMachineScaleSets; + } + return { + virtualMachineScaleSets: { + listAll: { + 'eastus': machine + } + } + }; +}; + +describe('scaleSetAdAuthenticationEnabled', function() { + describe('run', function() { + it('should give passing result if no virtual machine scale sets', function(done) { + const cache = createCache([]); + scaleSetAdAuthenticationEnabled.run(cache, {}, (err, results) 
=> { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Virtual Machine Scale Sets found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for virtual machine scale sets', function(done) { + const cache = createCache(); + scaleSetAdAuthenticationEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Virtual Machine Scale Sets'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if Virtual Machine Scale Set has AD authentication enabled', function(done) { + const cache = createCache([virtualMachineScaleSets[0]]); + scaleSetAdAuthenticationEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Virtual Machine Scale Set has active directory authentication enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + it('should give passing result if Virtual Machine Scale Set has AD authentication enabled', function(done) { + const cache = createCache([virtualMachineScaleSets[1]]); + scaleSetAdAuthenticationEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Virtual Machine Scale Set has active directory authentication enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if Virtual Machine Scale Set has AD authentication disabled', function(done) { + const cache = createCache([virtualMachineScaleSets[2]]); + scaleSetAdAuthenticationEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + 
expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Virtual Machine Scale Set has active directory authentication disabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file From 10234f99ccc5a33825bcdebf498748469619292a Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Sun, 17 Dec 2023 16:36:40 +0500 Subject: [PATCH 332/498] lint issue --- .../azure/virtualmachines/scaleSetAdAuthenticationEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/scaleSetAdAuthenticationEnabled.js b/plugins/azure/virtualmachines/scaleSetAdAuthenticationEnabled.js index 19f69dba85..29b7c85a19 100644 --- a/plugins/azure/virtualmachines/scaleSetAdAuthenticationEnabled.js +++ b/plugins/azure/virtualmachines/scaleSetAdAuthenticationEnabled.js @@ -2,7 +2,7 @@ const async = require('async'); const helpers = require('../../../helpers/azure'); module.exports = { -title: 'Scale Sets Active Directory Authentication Enabled', + title: 'Scale Sets Active Directory Authentication Enabled', category: 'Virtual Machines', domain: 'Compute', description: 'Ensures that Azure Active Directory (AD) authentication is enabled for virtual machine scale sets.', From dae31094a717c73db9dfe1e3bd3488426d3189f6 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Mon, 18 Dec 2023 14:46:22 +0500 Subject: [PATCH 333/498] trusted launch enabled --- exports.js | 1 + helpers/azure/api.js | 2 +- .../vmssTrustedLaunchEnabled.js | 53 ++++++++++ .../vmssTrustedLaunchEnabled.spec.js | 97 +++++++++++++++++++ 4 files changed, 152 insertions(+), 1 deletion(-) create mode 100644 plugins/azure/virtualmachines/vmssTrustedLaunchEnabled.js create mode 100644 plugins/azure/virtualmachines/vmssTrustedLaunchEnabled.spec.js diff --git a/exports.js b/exports.js index 0fab601115..9397cd2ad6 100644 --- a/exports.js +++ b/exports.js 
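Review bot: Two `it` blocks in this spec carry the identical description "should give passing result if Virtual Machine Scale Set has AD authentication enabled", so a failure in the second (the `AADLoginForWindows` fixture) is reported under a name that also matches the first. Rename the second to `it('should give passing result if Virtual Machine Scale Set has Windows AD login extension', …)` and the first to name the Linux SSH extension. The fixtures also never cover a scale set with no `virtualMachineProfile` or with an extension lacking `properties`, which is exactly the shape the plugin's guard chain is written for; one such fixture expecting status 2 would pin that path. The `-2,7 +2,7` lint hunk that follows is whitespace only.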
@@ -756,6 +756,7 @@ module.exports = { 'vmVTPMEnabled' : require(__dirname + '/plugins/azure/virtualmachines/vmVTPMEnabled.js'), 'vmSecureBootEnabled' : require(__dirname + '/plugins/azure/virtualmachines/vmSecureBootEnabled.js'), 'vmDiskDeleteConfig' : require(__dirname + '/plugins/azure/virtualmachines/vmDiskDeleteConfig.js'), + 'vmssTrustedLaunchEnabled' : require(__dirname + '/plugins/azure/virtualmachines/vmssTrustedLaunchEnabled.js'), 'bastionHostExists' : require(__dirname + '/plugins/azure/bastion/bastionHostExists.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index d2a855693d..e47a5be278 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -383,7 +383,7 @@ var calls = { }, virtualMachineScaleSets: { listAll: { - url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compute/virtualMachineScaleSets?api-version=2019-12-01' + url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compute/virtualMachineScaleSets?api-version=2023-07-01' } }, bastionHosts: { diff --git a/plugins/azure/virtualmachines/vmssTrustedLaunchEnabled.js b/plugins/azure/virtualmachines/vmssTrustedLaunchEnabled.js new file mode 100644 index 0000000000..c276495e45 --- /dev/null +++ b/plugins/azure/virtualmachines/vmssTrustedLaunchEnabled.js 
@@ -0,0 +1,53 @@ +const async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Scale Sets Trusted Launch Enabled', + category: 'Virtual Machines', + domain: 'Compute', + description: 'Ensures that Trusted launch security option is enabled for virtual machine scale sets.', + more_info: 'Trusted launch protects against advanced and persistent attack techniques. Trusted launch is composed of several, coordinated infrastructure technologies that can be enabled independently. Each technology provides another layer of defense against sophisticated threats.', + recommended_action: 'Modify VMSS configurations and enable trusted launch.', + link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch', + apis: ['virtualMachineScaleSets:listAll'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.virtualMachineScaleSets, (location, rcb) => { + const virtualMachineScaleSets = helpers.addSource(cache, source, + ['virtualMachineScaleSets', 'listAll', location]); + + if (!virtualMachineScaleSets) return rcb(); + + if (virtualMachineScaleSets.err || !virtualMachineScaleSets.data) { + helpers.addResult(results, 3, + 'Unable to query for Virtual Machine Scale Sets: ' + helpers.addError(virtualMachineScaleSets), location); + return rcb(); + } + + if (!virtualMachineScaleSets.data.length) { + helpers.addResult(results, 0, 'No existing Virtual Machine Scale Sets found', location); + return rcb(); + } + + for (let virtualMachineScaleSet of virtualMachineScaleSets.data) { + + if (virtualMachineScaleSet.virtualMachineProfile && virtualMachineScaleSet.virtualMachineProfile.securityProfile && + virtualMachineScaleSet.virtualMachineProfile.securityProfile.securityType && + virtualMachineScaleSet.virtualMachineProfile.securityProfile.securityType.toLowerCase() == 'trustedlaunch') { + 
helpers.addResult(results, 0, + 'Virtual Machine Scale Set has trusted launch enabled', location, virtualMachineScaleSet.id); + } else { + helpers.addResult(results, 2, + 'Virtual Machine Scale Set has trusted launch disabled', location, virtualMachineScaleSet.id); + } + } + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; diff --git a/plugins/azure/virtualmachines/vmssTrustedLaunchEnabled.spec.js b/plugins/azure/virtualmachines/vmssTrustedLaunchEnabled.spec.js new file mode 100644 index 0000000000..1b7df861c1 --- /dev/null +++ b/plugins/azure/virtualmachines/vmssTrustedLaunchEnabled.spec.js 
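Review bot: The pass condition accepts only `securityType == 'trustedlaunch'`, so a scale set whose `securityType` is `ConfidentialVM` is reported as "trusted launch disabled" even though, as far as I can tell from the Azure compute API, confidential VMs carry the same Secure Boot/vTPM protections and cannot also be set to TrustedLaunch — confirm against the SecurityTypes enum for api-version 2023-07-01 before relying on this. Hoisting the value also removes the four-deep property chain and the loose `==`: `const securityType = ((virtualMachineScaleSet.virtualMachineProfile || {}).securityProfile || {}).securityType;` then `if (securityType && ['trustedlaunch', 'confidentialvm'].includes(securityType.toLowerCase())) {`. A short why-comment on that line, `// ConfidentialVM is a superset of Trusted Launch and is treated as compliant`, keeps the intent visible.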
@@ -0,0 +1,97 @@ +var expect = require('chai').expect; +var vmssTrustedLaunchEnabled = require('./vmssTrustedLaunchEnabled'); + +const virtualMachineScaleSets = [ + { + 'name': 'test-vmss', + 'id': '/subscriptions/123/resourceGroups/AQUA-RESOURCE-GROUP/providers/Microsoft.Compute/virtualMachineScaleSets/test-vmss', + 'type': 'Microsoft.Compute/virtualMachineScaleSets', + 'virtualMachineProfile': { + "securityProfile": { + "uefiSettings": { + "secureBootEnabled": true, + "vTpmEnabled": true + }, + "encryptionAtHost": true, + "securityType": "TrustedLaunch" + }, + } + }, + { + 'name': 'test-vmss', + 'id': '/subscriptions/123/resourceGroups/AQUA-RESOURCE-GROUP/providers/Microsoft.Compute/virtualMachineScaleSets/test-vmss', + 'type': 'Microsoft.Compute/virtualMachineScaleSets', + 'virtualMachineProfile': { + "securityProfile": { + "uefiSettings": { + "secureBootEnabled": true, + "vTpmEnabled": true + }, + "encryptionAtHost": true, + "securityType": "Standard" + }, + } + } +]; + +const createCache = (virtualMachineScaleSets) => { + let machine = {}; + if (virtualMachineScaleSets) { + machine['data'] = virtualMachineScaleSets; + } + return { + virtualMachineScaleSets: { + listAll: { + 'eastus': machine + } + } + }; +}; + +describe('vmssTrustedLaunchEnabled', function() { + describe('run', function() { + it('should give passing result if no virtual machine scale sets', function(done) { + const cache = createCache([]); + vmssTrustedLaunchEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Virtual Machine Scale Sets found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for virtual machine scale sets', function(done) { + const cache = createCache(); + vmssTrustedLaunchEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + 
expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Virtual Machine Scale Sets'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if Virtual Machine Scale Set has trusted launch enabled', function(done) { + const cache = createCache([virtualMachineScaleSets[0]]); + vmssTrustedLaunchEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Virtual Machine Scale Set has trusted launch enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if Virtual Machine Scale Set has trusted launch disabled', function(done) { + const cache = createCache([virtualMachineScaleSets[1]]); + vmssTrustedLaunchEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Virtual Machine Scale Set has trusted launch disabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); From d2421e1236f2a2a9167032940f13881187c8bdcb Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Mon, 18 Dec 2023 18:11:58 +0500 Subject: [PATCH 334/498] vtpm enabled --- exports.js | 4 +- helpers/azure/api.js | 2 +- .../scalesetVTPMEnabled.js | 53 ++++++++++ .../scalesetVTPMEnabled.spec.js | 97 +++++++++++++++++++ 4 files changed, 154 insertions(+), 2 deletions(-) create mode 100644 plugins/azure/virtualmachinescaleset/scalesetVTPMEnabled.js create mode 100644 plugins/azure/virtualmachinescaleset/scalesetVTPMEnabled.spec.js diff --git a/exports.js b/exports.js index 0fab601115..f7c689ccce 100644 --- a/exports.js +++ b/exports.js 
@@ -1038,7 +1038,9 @@ module.exports = { 'amsDiagnosticLogsEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js'), 'amsPublicAccessDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsPublicAccessDisabled.js'), 'amsManagedIdentityEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsManagedIdentityEnabled.js'), - 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js') + 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'), + + 'scalesetVTPMEnabled' : require(__dirname + '/plugins/azure/virtualmachinescaleset/scalesetVTPMEnabled.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index d2a855693d..e47a5be278 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -383,7 +383,7 @@ var calls = { }, virtualMachineScaleSets: { listAll: { - url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compute/virtualMachineScaleSets?api-version=2019-12-01' + url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compute/virtualMachineScaleSets?api-version=2023-07-01' } }, bastionHosts: { diff --git a/plugins/azure/virtualmachinescaleset/scalesetVTPMEnabled.js b/plugins/azure/virtualmachinescaleset/scalesetVTPMEnabled.js new file mode 100644 index 0000000000..54b460af70 --- /dev/null +++ b/plugins/azure/virtualmachinescaleset/scalesetVTPMEnabled.js 
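Review bot: This exports.js hunk and the one in the next patch (335) both remove the same pre-image line `'amsClassicApiDisabled' : require(…)` (without trailing comma) and each re-add it with a comma plus their own entry, so whichever of 334/335 is applied second will not find its context and the series will not apply cleanly; the same holds for the api.js hunk, which appears with the identical `index d2a855693d..e47a5be278` in patches 333, 334 and 335 although the blob already changed in 333. Squash the api-version bump into one commit and have the later plugins append after the previous entry rather than rewriting the `amsClassicApiDisabled` line. The new entry is also placed under the Media Services group and in a new `virtualmachinescaleset/` directory, while `vmssTrustedLaunchEnabled` in patch 333 lives in `virtualmachines/` next to the VM checks; pick one location for the scale-set plugins and register it alongside `vmssTrustedLaunchEnabled` so the export map stays grouped by service.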
@@ -0,0 +1,53 @@ +const async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Scale Sets vTPM Enabled', + category: 'Virtual Machines', + domain: 'Compute', + description: 'Ensure that Virtual Trusted Platform Module (vTPM) is enabled for virtual machine scale sets.', + more_info: 'vTPM is TPM2.0 compliant and enhances security by validating VM boot integrity and providing a secure storage mechanism for keys and secrets. The vTPM enables attestation by measuring the entire boot chain of your VM (UEFI, OS, system, and drivers).', + recommended_action: 'Modify virtual machine scale set configurations and enable vTPM', + link: 'https://learn.microsoft.com/en-us/azure/confidential-computing/virtual-tpms-in-azure-confidential-vm', + apis: ['virtualMachineScaleSets:listAll'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.virtualMachineScaleSets, (location, rcb) => { + const virtualMachineScaleSets = helpers.addSource(cache, source, + ['virtualMachineScaleSets', 'listAll', location]); + + if (!virtualMachineScaleSets) return rcb(); + + if (virtualMachineScaleSets.err || !virtualMachineScaleSets.data) { + helpers.addResult(results, 3, + 'Unable to query for Virtual Machine Scale Sets: ' + helpers.addError(virtualMachineScaleSets), location); + return rcb(); + } + + if (!virtualMachineScaleSets.data.length) { + helpers.addResult(results, 0, 'No existing Virtual Machine Scale Sets found', location); + return rcb(); + } + + for (let virtualMachineScaleSet of virtualMachineScaleSets.data) { + + if (virtualMachineScaleSet.virtualMachineProfile && virtualMachineScaleSet.virtualMachineProfile.securityProfile && + virtualMachineScaleSet.virtualMachineProfile.securityProfile.uefiSettings && + virtualMachineScaleSet.virtualMachineProfile.securityProfile.uefiSettings.vTpmEnabled) { + 
helpers.addResult(results, 0, + 'Virtual Machine Scale Set has vTPM enabled', location, virtualMachineScaleSet.id); + } else { + helpers.addResult(results, 2, + 'Virtual Machine Scale Set has vTPM disabled', location, virtualMachineScaleSet.id); + } + } + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/virtualmachinescaleset/scalesetVTPMEnabled.spec.js b/plugins/azure/virtualmachinescaleset/scalesetVTPMEnabled.spec.js new file mode 100644 index 0000000000..186a052b38 --- /dev/null +++ b/plugins/azure/virtualmachinescaleset/scalesetVTPMEnabled.spec.js 
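Review bot: The `link` for this plugin points at the confidential-VM vTPM article, but the field being inspected, `securityProfile.uefiSettings.vTpmEnabled`, is the Trusted Launch UEFI setting that the sibling Secure Boot plugin in the next patch documents via `trusted-launch#secure-boot`; presumably the matching anchor is `https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch#vtpm`, which should be verified before merging. The failing branch also collapses two different situations into "vTPM disabled": a scale set with no `securityProfile`/`uefiSettings` at all (Standard security type, where vTPM cannot be switched on without first changing `securityType`) and a Trusted Launch scale set that explicitly set `vTpmEnabled: false`. A comment above the `if`, `// vTpmEnabled is only meaningful when securityType is TrustedLaunch/ConfidentialVM; absent uefiSettings is reported as disabled`, would make that deliberate rather than accidental, and `recommended_action` could say that Trusted Launch must be enabled first.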
@@ -0,0 +1,97 @@ +var expect = require('chai').expect; +var scalesetVTPMEnabled = require('./scalesetVTPMEnabled'); + +const virtualMachineScaleSets = [ + { + 'name': 'test-vmss', + 'id': '/subscriptions/123/resourceGroups/AQUA-RESOURCE-GROUP/providers/Microsoft.Compute/virtualMachineScaleSets/test-vmss', + 'type': 'Microsoft.Compute/virtualMachineScaleSets', + 'virtualMachineProfile': { + "securityProfile": { + "uefiSettings": { + "secureBootEnabled": true, + "vTpmEnabled": true + }, + "encryptionAtHost": true, + "securityType": "TrustedLaunch" + }, + } + }, + { + 'name': 'test-vmss', + 'id': '/subscriptions/123/resourceGroups/AQUA-RESOURCE-GROUP/providers/Microsoft.Compute/virtualMachineScaleSets/test-vmss', + 'type': 'Microsoft.Compute/virtualMachineScaleSets', + 'virtualMachineProfile': { + "securityProfile": { + "uefiSettings": { + "secureBootEnabled": true, + "vTpmEnabled": false + }, + "encryptionAtHost": true, + "securityType": "Standard" + }, + } + } +]; + +const createCache = (virtualMachineScaleSets) => { + let machine = {}; + if (virtualMachineScaleSets) { + machine['data'] = virtualMachineScaleSets; + } + return { + virtualMachineScaleSets: { + listAll: { + 'eastus': machine + } + } + }; +}; + +describe('scalesetVTPMEnabled', function() { + describe('run', function() { + it('should give passing result if no virtual machine scale sets', function(done) { + const cache = createCache([]); + scalesetVTPMEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Virtual Machine Scale Sets found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for virtual machine scale sets', function(done) { + const cache = createCache(); + scalesetVTPMEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + 
expect(results[0].message).to.include('Unable to query for Virtual Machine Scale Sets'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if Virtual Machine Scale Set has vTPM enabled', function(done) { + const cache = createCache([virtualMachineScaleSets[0]]); + scalesetVTPMEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Virtual Machine Scale Set has vTPM enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if Virtual Machine Scale Set has vTPM disabled', function(done) { + const cache = createCache([virtualMachineScaleSets[1]]); + scalesetVTPMEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Virtual Machine Scale Set has vTPM disabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file From 8b6e78d35b3910372445a3223933b95da8f7b524 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Mon, 18 Dec 2023 18:22:56 +0500 Subject: [PATCH 335/498] vmss secure boot enabled --- exports.js | 4 +- helpers/azure/api.js | 2 +- .../scalesetSecureBootEnabled.js | 53 ++++++++++ .../scalesetSecureBootEnabled.spec.js | 97 +++++++++++++++++++ 4 files changed, 154 insertions(+), 2 deletions(-) create mode 100644 plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.js create mode 100644 plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.spec.js diff --git a/exports.js b/exports.js index 0fab601115..e33da36f21 100644 --- a/exports.js +++ b/exports.js 
@@ -1038,7 +1038,9 @@ module.exports = { 'amsDiagnosticLogsEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js'), 'amsPublicAccessDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsPublicAccessDisabled.js'), 'amsManagedIdentityEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsManagedIdentityEnabled.js'), - 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js') + 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'), + + 'scalesetSecureBootEnabled' : require(__dirname + '/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index d2a855693d..e47a5be278 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -383,7 +383,7 @@ var calls = { }, virtualMachineScaleSets: { listAll: { - url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compute/virtualMachineScaleSets?api-version=2019-12-01' + url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compute/virtualMachineScaleSets?api-version=2023-07-01' } }, bastionHosts: { diff --git a/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.js b/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.js new file mode 100644 index 0000000000..2785aebe29 --- /dev/null +++ b/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.js 
@@ -0,0 +1,53 @@ +const async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Scale Sets Secure Boot Enabled', + category: 'Virtual Machines', + domain: 'Compute', + description: 'Ensures that secure boot is enabled for virtual machine scale sets.', + more_info: 'Secure Boot, which is implemented in platform firmware, protects against the installation of malware-based rootkits and boot kits. Secure Boot works to ensure that only signed operating systems and drivers can boot. It establishes a "root of trust" for the software stack on your VMSS.', + recommended_action: 'Modify virtual machine scale set configurations and enable secure boot', + link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch#secure-boot', + apis: ['virtualMachineScaleSets:listAll'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.virtualMachineScaleSets, (location, rcb) => { + const virtualMachineScaleSets = helpers.addSource(cache, source, + ['virtualMachineScaleSets', 'listAll', location]); + + if (!virtualMachineScaleSets) return rcb(); + + if (virtualMachineScaleSets.err || !virtualMachineScaleSets.data) { + helpers.addResult(results, 3, + 'Unable to query for Virtual Machine Scale Sets: ' + helpers.addError(virtualMachineScaleSets), location); + return rcb(); + } + + if (!virtualMachineScaleSets.data.length) { + helpers.addResult(results, 0, 'No existing Virtual Machine Scale Sets found', location); + return rcb(); + } + + for (let virtualMachineScaleSet of virtualMachineScaleSets.data) { + + if (virtualMachineScaleSet.virtualMachineProfile && virtualMachineScaleSet.virtualMachineProfile.securityProfile && + virtualMachineScaleSet.virtualMachineProfile.securityProfile.uefiSettings && + virtualMachineScaleSet.virtualMachineProfile.securityProfile.uefiSettings.secureBootEnabled) { + 
helpers.addResult(results, 0, + 'Virtual Machine Scale Set has secure boot enabled', location, virtualMachineScaleSet.id); + } else { + helpers.addResult(results, 2, + 'Virtual Machine Scale Set has secure boot disabled', location, virtualMachineScaleSet.id); + } + } + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.spec.js b/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.spec.js new file mode 100644 index 0000000000..419869abde --- /dev/null +++ b/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.spec.js 
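Review bot: The run body of this plugin is byte-for-byte the same as `scalesetVTPMEnabled` and `vmssTrustedLaunchEnabled` except for the single `uefiSettings.secureBootEnabled` test, including the repeated four-level `virtualMachineScaleSet.virtualMachineProfile.securityProfile.uefiSettings` chain. Read the setting once, `const uefiSettings = ((virtualMachineScaleSet.virtualMachineProfile || {}).securityProfile || {}).uefiSettings || {};` followed by `if (uefiSettings.secureBootEnabled) {`, so the condition is readable and the three plugins diverge only on the field they check. As with the vTPM check, a scale set with no `securityProfile` at all is reported as "secure boot disabled"; the message or `recommended_action` should say that `securityType` must be Trusted Launch before Secure Boot can be turned on, since "enable secure boot" alone will not work on a Standard scale set (confirm against the portal/ARM behaviour).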
@@ -0,0 +1,97 @@ +var expect = require('chai').expect; +var scaleSetSecureBootEnabled = require('./scalesetSecureBootEnabled'); + +const virtualMachineScaleSets = [ + { + 'name': 'test-vmss', + 'id': '/subscriptions/123/resourceGroups/AQUA-RESOURCE-GROUP/providers/Microsoft.Compute/virtualMachineScaleSets/test-vmss', + 'type': 'Microsoft.Compute/virtualMachineScaleSets', + 'virtualMachineProfile': { + "securityProfile": { + "uefiSettings": { + "secureBootEnabled": true, + "vTpmEnabled": true + }, + "encryptionAtHost": true, + "securityType": "TrustedLaunch" + }, + } + }, + { + 'name': 'test-vmss', + 'id': '/subscriptions/123/resourceGroups/AQUA-RESOURCE-GROUP/providers/Microsoft.Compute/virtualMachineScaleSets/test-vmss', + 'type': 'Microsoft.Compute/virtualMachineScaleSets', + 'virtualMachineProfile': { + "securityProfile": { + "uefiSettings": { + "secureBootEnabled": false, + "vTpmEnabled": false + }, + "encryptionAtHost": true, + "securityType": "Standard" + }, + } + } +]; + +const createCache = (virtualMachineScaleSets) => { + let machine = {}; + if (virtualMachineScaleSets) { + machine['data'] = virtualMachineScaleSets; + } + return { + virtualMachineScaleSets: { + listAll: { + 'eastus': machine + } + } + }; +}; + +describe('scaleSetSecureBootEnabled', function() { + describe('run', function() { + it('should give passing result if no virtual machine scale sets', function(done) { + const cache = createCache([]); + scaleSetSecureBootEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Virtual Machine Scale Sets found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for virtual machine scale sets', function(done) { + const cache = createCache(); + scaleSetSecureBootEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + 
expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Virtual Machine Scale Sets'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if Virtual Machine Scale Set has secure boot enabled', function(done) { + const cache = createCache([virtualMachineScaleSets[0]]); + scaleSetSecureBootEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Virtual Machine Scale Set has secure boot enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if Virtual Machine Scale Set has secure boot disabled', function(done) { + const cache = createCache([virtualMachineScaleSets[1]]); + scaleSetSecureBootEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Virtual Machine Scale Set has secure boot disabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file From 25076e045f5d056009d0b801a8c741b270b95848 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Fri, 22 Dec 2023 15:12:58 +0500 Subject: [PATCH 336/498] Azure/Redis-Cache-Version --- exports.js | 1 + plugins/azure/redisCache/redisVersion.js | 52 +++++++++++ plugins/azure/redisCache/redisVersion.spec.js | 87 +++++++++++++++++++ 3 files changed, 140 insertions(+) create mode 100644 plugins/azure/redisCache/redisVersion.js create mode 100644 plugins/azure/redisCache/redisVersion.spec.js diff --git a/exports.js b/exports.js index fe8c0f16b2..a1f7cb2700 100644 --- a/exports.js +++ b/exports.js 
@@ -698,6 +698,7 @@ module.exports = { 'sslAccessOnlyEnabled' : require(__dirname + '/plugins/azure/redisCache/sslAccessOnlyEnabled.js'), 'redisCacheHasTags' : require(__dirname + '/plugins/azure/redisCache/redisCacheHasTags.js'), 'redisCachePrivateEndpoint' : require(__dirname + '/plugins/azure/redisCache/redisCachePrivateEndpoint.js'), + 'redisVersion' : require(__dirname + '/plugins/azure/redisCache/redisVersion.js'), 'multipleSubnets' : require(__dirname + '/plugins/azure/virtualnetworks/multipleSubnets.js'), 'ddosStandardProtectionEnabled' : require(__dirname + '/plugins/azure/virtualnetworks/ddosStandardProtectionEnabled.js'), diff --git a/plugins/azure/redisCache/redisVersion.js b/plugins/azure/redisCache/redisVersion.js new file mode 100644 index 0000000000..bf1ac88ffa --- /dev/null +++ b/plugins/azure/redisCache/redisVersion.js 
@@ -0,0 +1,52 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Redis Version', + category: 'Redis Cache', + domain: 'Databases', + description: 'Ensures that Azure Cache for Redis is using the latest redis version.', + more_info: 'Using the latest Redis Version will add new security features and ensures better performance.', + recommended_action: 'Ensure that Azure cache for Redis is using the latest version', + link: 'https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-overview#redis-versions', + apis: ['redisCaches:listBySubscription'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.redisCaches, function(location, rcb) { + const caches = helpers.addSource(cache, source, + ['redisCaches', 'listBySubscription', location]); + + if (!caches) return rcb(); + + if (caches.err || !caches.data) { + helpers.addResult(results, 3, 'Unable to query Redis Caches: ' + helpers.addError(caches), location); + return rcb(); + } + + if (!caches.data.length) { + helpers.addResult(results, 0, 'No Redis Caches found', location); + return rcb(); + } + + for (let cache of caches.data) { + if(!cache.id || !cache.redisVersion) return; + + let version = parseFloat(cache.redisVersion); + if (version && version >= 6) { + helpers.addResult(results, 0, 'Redis Cache is using the latest redis version', location, cache.id); + } else { + helpers.addResult(results, 2, 'Redis Cache is not using the latest redis version', location, cache.id); + } + } + + rcb(); + }, function() { + // Global checking goes here + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/redisCache/redisVersion.spec.js b/plugins/azure/redisCache/redisVersion.spec.js new file mode 100644 index 0000000000..43cb6591ee --- /dev/null 
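Review bot: The early `return` inside the `for...of` loop (`if (!cache.id || !cache.redisVersion) return;`) leaves the async.each iterator without ever calling `rcb()`, so one cache missing `redisVersion` stalls the whole region and the final `callback(null, results, source)` never fires; it should be `continue`. The loop variable `cache` also shadows the outer `cache` parameter that `helpers.addSource` reads from, which makes the block easy to misread — `for (let redisCache of caches.data)` avoids that. The threshold `version >= 6` is the only definition of "latest" here, so a one-line comment such as `// 6.x is treated as current; bump when Azure retires it` (or a plugin setting) would make the intent explicit.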
+++ b/plugins/azure/redisCache/redisVersion.spec.js 
@@ -0,0 +1,87 @@ +var expect = require('chai').expect; +var redisVersion = require('./redisVersion'); + +const redisCaches = [ + { + 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Cache/Redis/test-cache', + 'location': 'East US', + 'name': 'test-cache', + 'type': 'Microsoft.Cache/Redis', + 'redisVersion': '6.0', + }, + { + 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Cache/Redis/test-cache', + 'location': 'East US', + 'name': 'test-cache', + 'type': 'Microsoft.Cache/Redis', + 'redisVersion': '5.1', + }, + { + 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Cache/Redis/test-cache', + 'location': 'East US', + 'name': 'test-cache', + 'type': 'Microsoft.Cache/Redis' + } +]; + +const createCache = (redisCaches) => { + let caches = {}; + if (redisCaches) { + caches['data'] = redisCaches; + } + return { + redisCaches: { + listBySubscription: { + 'eastus': caches + } + }, + }; +}; + +describe('redisVersion', function() { + describe('run', function() { + it('should give passing result if no redis caches', function(done) { + const cache = createCache([]); + redisVersion.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No Redis Caches found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for redis caches', function(done) { + const cache = createCache(null); + redisVersion.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Redis Caches'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if redis cache is using latest redis version', function(done) { + const cache = createCache([redisCaches[0]]); + redisVersion.run(cache, 
{}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Redis Cache is using the latest redis version'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if redis cache is not using latest redis version', function(done) { + const cache = createCache([redisCaches[1]]); + redisVersion.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Redis Cache is not using the latest redis version'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file From 0d00fb36331aeff14c39d8e11d9f311970db6c06 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Fri, 22 Dec 2023 15:19:38 +0500 Subject: [PATCH 337/498] linting --- plugins/azure/redisCache/redisVersion.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/redisCache/redisVersion.js b/plugins/azure/redisCache/redisVersion.js index bf1ac88ffa..ab45755f27 100644 --- a/plugins/azure/redisCache/redisVersion.js +++ b/plugins/azure/redisCache/redisVersion.js @@ -33,7 +33,7 @@ module.exports = { } for (let cache of caches.data) { - if(!cache.id || !cache.redisVersion) return; + if (!cache.id || !cache.redisVersion) return; let version = parseFloat(cache.redisVersion); if (version && version >= 6) { From 17881fff09f1050a879ed1e98c8386ac976b2d3e Mon Sep 17 00:00:00 2001 
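Review bot: The third entry of the `redisCaches` fixture (no `redisVersion` property) is declared but never used by any test, and that is exactly the input that makes the plugin's early `return` skip `rcb()` so the callback never runs. Add a case such as `const cache = createCache([redisCaches[2], redisCaches[0]]);` asserting that `results.length` still equals 1 (the missing-version entry is skipped, the other is reported); with the current plugin code this test would time out, which is the signal wanted.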
From: alphadev4 Date: Fri, 22 Dec 2023 16:16:29 +0500 Subject: [PATCH 338/498] Azure/Redis-cache-diagnostic-logs --- exports.js | 3 +- helpers/azure/api.js | 5 + .../redisCache/redisCacheDiagnosticLogs.js | 66 +++++ .../redisCacheDiagnosticLogs.spec.js | 245 ++++++++++++++++++ 4 files changed, 318 insertions(+), 1 deletion(-) create mode 100644 plugins/azure/redisCache/redisCacheDiagnosticLogs.js create mode 100644 plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js diff --git a/exports.js b/exports.js index fe8c0f16b2..4c8b59edb9 100644 --- a/exports.js +++ b/exports.js @@ -698,7 +698,8 @@ module.exports = { 'sslAccessOnlyEnabled' : require(__dirname + '/plugins/azure/redisCache/sslAccessOnlyEnabled.js'), 'redisCacheHasTags' : require(__dirname + '/plugins/azure/redisCache/redisCacheHasTags.js'), 'redisCachePrivateEndpoint' : require(__dirname + '/plugins/azure/redisCache/redisCachePrivateEndpoint.js'), - + 'redisCacheDiagnosticLogs' : require(__dirname + '/plugins/azure/redisCache/redisCacheDiagnosticLogs.js'), + 'multipleSubnets' : require(__dirname + '/plugins/azure/virtualnetworks/multipleSubnets.js'), 'ddosStandardProtectionEnabled' : require(__dirname + '/plugins/azure/virtualnetworks/ddosStandardProtectionEnabled.js'), 'noNetworkGatewaysInUse' : require(__dirname + '/plugins/azure/virtualnetworks/noNetworkGatewaysInUse.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index d2a855693d..c424c63677 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -1035,6 +1035,11 @@ var tertiarycalls = { properties: ['id'], url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview' }, + listByRedisCache: { + reliesOnPath: 'redisCaches.listBySubscription', + properties: ['id'], + url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview' + } }, backupShortTermRetentionPolicies: { listByDatabase: { 
diff --git a/plugins/azure/redisCache/redisCacheDiagnosticLogs.js b/plugins/azure/redisCache/redisCacheDiagnosticLogs.js
new file mode 100644
index 0000000000..f3048f0280
--- /dev/null
+++ b/plugins/azure/redisCache/redisCacheDiagnosticLogs.js
@@ -0,0 +1,66 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Redis Cache Diagnostic Logs Enabled', + category: 'Redis Cache', + domain: 'Databases', + description: '', + more_info: '', + recommended_action: '', + link: '', + apis: ['redisCaches:listBySubscription','diagnosticSettings:listByRedisCache'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.redisCaches, function(location, rcb) { + const caches = helpers.addSource(cache, source, + ['redisCaches', 'listBySubscription', location]); + + if (!caches) return rcb(); + + if (caches.err || !caches.data) { + helpers.addResult(results, 3, 'Unable to query Redis Caches: ' + helpers.addError(caches), location); + return rcb(); + } + + if (!caches.data.length) { + helpers.addResult(results, 0, 'No existing Redis Caches found', location); + return rcb(); + } + + caches.data.forEach(function(redisCache) { + if (!redisCache.id) return; + + const diagnosticSettings = helpers.addSource(cache, source, + ['diagnosticSettings', 'listByRedisCache', location, redisCache.id]); + + if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) { + helpers.addResult(results, 3, 'Unable to query Redis Cache diagnostics settings: ' + helpers.addError(diagnosticSettings), location, redisCache.id); + } else { + var redisCacheDiagnosticLogs = false; + diagnosticSettings.data.forEach(setting => { + var logs = setting.logs; + if (logs.some(log => (log.categoryGroup === 'audit' || log.categoryGroup === 'allLogs' || log.category === 'ConnectedClientList') && log.enabled)) { + redisCacheDiagnosticLogs = true; + } + }); + + if (redisCacheDiagnosticLogs) { + helpers.addResult(results, 0, 'Redis Cache has diagnostic logs enabled', location, redisCache.id); + } else { + helpers.addResult(results, 2, 'Redis Cache does not have diagnostic 
logs enabled', location, redisCache.id); + } + } + }); + + rcb(); + }, function() { + // Global checking goes here + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js b/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js new file mode 100644 index 0000000000..19847cb83a --- /dev/null +++ b/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js 
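Review bot: `var logs = setting.logs; if (logs.some(...))` throws a TypeError when a diagnostic setting carries no `logs` array (the spec's own last fixture is `{}`), and that exception escapes the forEach and the async.each iterator instead of producing a result; guard it with `const logs = Array.isArray(setting.logs) ? setting.logs : [];` before the `.some` call. The pass condition is worth a comment so the next maintainer does not "simplify" it, e.g. `// pass if any setting enables ConnectedClientList directly or via the audit/allLogs category groups`. The `description`, `more_info`, `recommended_action` and `link` fields are empty in this commit; a later commit in this series fills them in, so that only matters if the commits are reviewed individually.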
@@ -0,0 +1,245 @@ +var expect = require('chai').expect; +var redisCacheDiagnosticLogs = require('./redisCacheDiagnosticLogs.js'); + +const redisCaches = [ + { + 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Cache/Redis/test-cache', + 'location': 'East US', + 'name': 'test-cache', + 'type': 'Microsoft.Cache/Redis', + 'minimumTlsVersion': '1.2', + }, + { + 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Cache/Redis/test-cache', + 'location': 'East US', + 'name': 'test-cache', + 'type': 'Microsoft.Cache/Redis', + 'minimumTlsVersion': '1.1', + }, +]; + +const diagnosticSettings = [ + { + id: '/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/cloudsploit-dev/providers/microsoft.cache/redis/omerredistest/providers/microsoft.insights/diagnosticSettings/test', + type: 'Microsoft.Insights/diagnosticSettings', + name: 'test', + location: null, + kind: null, + tags: null, + identity: null, + storageAccountId: null, + serviceBusRuleId: null, + workspaceId: '/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/test/providers/microsoft.operationalinsights/workspaces/ctolabsanalytics', + eventHubAuthorizationRuleId: null, + eventHubName: null, + metrics: [ [Object] ], + logs: [ + { + category: null, + categoryGroup: 'audit', + enabled: true, + retentionPolicy: { enabled: false, days: 0 } + }, + ], + logAnalyticsDestinationType: null + }, + { + id: '/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/cloudsploit-dev/providers/microsoft.cache/redis/omerredistest/providers/microsoft.insights/diagnosticSettings/test', + type: 'Microsoft.Insights/diagnosticSettings', + name: 'test', + location: null, + kind: null, + tags: null, + identity: null, + storageAccountId: null, + serviceBusRuleId: null, + workspaceId: '/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/test/providers/microsoft.operationalinsights/workspaces/ctolabsanalytics', + 
eventHubAuthorizationRuleId: null, + eventHubName: null, + logs: [ + { + category: 'ConnectedClientList', + categoryGroup: null, + enabled: false, + retentionPolicy: { enabled: false, days: 0 } + }, + ], + logAnalyticsDestinationType: null + }, + { + id: '/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/cloudsploit-dev/providers/microsoft.cache/redis/omerredistest/providers/microsoft.insights/diagnosticSettings/test', + type: 'Microsoft.Insights/diagnosticSettings', + name: 'test', + location: null, + kind: null, + tags: null, + identity: null, + storageAccountId: null, + serviceBusRuleId: null, + workspaceId: '/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/test/providers/microsoft.operationalinsights/workspaces/ctolabsanalytics', + eventHubAuthorizationRuleId: null, + eventHubName: null, + logs: [ + { + category: 'ConnectedClientList', + categoryGroup: null, + enabled: true, + retentionPolicy: { enabled: false, days: 0 } + }, + ], + logAnalyticsDestinationType: null + }, + {} +] + +const createCache = (redisCaches, diagnostics) => { + let diagnostic = {}; + if (redisCaches.length) { + diagnostic[redisCaches[0].id] = { + data: diagnostics + }; + } + + + return { + redisCaches: { + listBySubscription: { + 'eastus': { + data: redisCaches + } + } + }, + diagnosticSettings: { + listByRedisCache: { + 'eastus': diagnostic + } + } + }; +}; + +const createErrorCache = (key) => { + if (key == 'redisCache') { + return { + redisCaches: { + listBySubscription: { + 'eastus': {} + } + } + }; + } else if (key === 'nocache'){ + return { + redisCaches: { + listBySubscription: { + 'eastus': { + data:{} + } + } + } + }; + }else if (key === 'diagnostic') { + return { + redisCaches: { + listBySubscription: { + 'eastus': { + data: [redisCaches[0]] + } + } + }, + diagnosticSettings: { + listByRedisCache: { + 'eastus': {} + } + } + }; + } else { + const redisId = (redisCaches && redisCaches.length) ? 
redisCaches[0].id : null; + const diagnosticSetting = (diagnosticSettings && diagnosticSettings.length) ? diagnosticSettings[0].id : null; + return { + redisCaches: { + listBySubscription: { + 'eastus': { + data: [redisCaches[0]] + } + } + }, + diagnosticSettings: { + listByRedisCache: { + 'eastus': { + data: {} + } + } + } + }; + } +}; + +describe('redisCacheDiagnosticLogs', function () { + describe('run', function () { + + it('should give pass result if No existing Redis Caches found', function (done) { + const cache = createErrorCache('nocache'); + redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Redis Caches found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if Unable to query Redis Caches:', function (done) { + const cache = createErrorCache('redisCache'); + redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Redis Caches:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if Unable to query diagnostics settings', function (done) { + const cache = createErrorCache('settings'); + redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Redis Cache diagnostics settings'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if redis cache has diagnostic logs enabled', function (done) { + const cache = createCache([redisCaches[0]], [diagnosticSettings[2]]); + redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + 
expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Redis Cache has diagnostic logs enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if redis cache has diagnostic logs enabled with audit', function (done) { + const cache = createCache([redisCaches[0]], [diagnosticSettings[0]]); + redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Redis Cache has diagnostic logs enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if Redis Cache does not have diagnostic logs enabled', function (done) { + const cache = createCache([redisCaches[1]], [diagnosticSettings[1]]); + redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Redis Cache does not have diagnostic logs enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file From 52ade546d49a9a1fb971381a95d675fd6181f618 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Fri, 22 Dec 2023 16:40:16 +0500 Subject: [PATCH 339/498] Added description --- plugins/azure/redisCache/redisCacheDiagnosticLogs.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/plugins/azure/redisCache/redisCacheDiagnosticLogs.js b/plugins/azure/redisCache/redisCacheDiagnosticLogs.js index f3048f0280..cbb8aa1ce5 100644 --- a/plugins/azure/redisCache/redisCacheDiagnosticLogs.js +++ b/plugins/azure/redisCache/redisCacheDiagnosticLogs.js 
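Review bot: The final `else` branch of `createErrorCache` declares `redisId` and `diagnosticSetting` but never uses them, and `key == 'redisCache'` uses loose equality while the sibling branches use `===`; both are leftovers a linter would flag, so drop the two `const` lines and use `===`. The trailing `{}` entry in the `diagnosticSettings` fixture is likewise never exercised; a test that passes `[diagnosticSettings[3]]` through `createCache` would be useful because the plugin currently dereferences `setting.logs` without a guard and that input makes it throw rather than report.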
@@ -5,10 +5,10 @@ module.exports = { title: 'Redis Cache Diagnostic Logs Enabled', category: 'Redis Cache', domain: 'Databases', - description: '', - more_info: '', - recommended_action: '', - link: '', + description: 'Ensures diagnostic logging is enabled for Azure Cache for Redis.', + more_info: 'Enabling diagnostic setting helps you understand who is connecting to your caches and the timestamp of those connections. The log data could be used to identify the scope of a security breach and for security auditing purposes.', + recommended_action: 'Enable diagnostic logging for all Redis Caches.', + link: 'https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-monitor-diagnostic-settings?tabs=basic-standard-premium', apis: ['redisCaches:listBySubscription','diagnosticSettings:listByRedisCache'], run: function(cache, settings, callback) { From 1e6bda706afcc7a4c83cfc9e406b6b98ca02cbbd Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Fri, 22 Dec 2023 18:09:58 +0500 Subject: [PATCH 340/498] Azure/Redis-cache-schedule-updates --- exports.js | 1 + helpers/azure/api.js | 9 +- .../redisCache/redisCacheScheduledUpdates.js | 57 ++++++ .../redisCacheScheduledUpdates.spec.js | 178 ++++++++++++++++++ 4 files changed, 244 insertions(+), 1 deletion(-) create mode 100644 plugins/azure/redisCache/redisCacheScheduledUpdates.js create mode 100644 plugins/azure/redisCache/redisCacheScheduledUpdates.spec.js diff --git a/exports.js b/exports.js index 4c8b59edb9..0a56454503 100644 --- a/exports.js +++ b/exports.js 
@@ -699,6 +699,7 @@ module.exports = { 'redisCacheHasTags' : require(__dirname + '/plugins/azure/redisCache/redisCacheHasTags.js'), 'redisCachePrivateEndpoint' : require(__dirname + '/plugins/azure/redisCache/redisCachePrivateEndpoint.js'), 'redisCacheDiagnosticLogs' : require(__dirname + '/plugins/azure/redisCache/redisCacheDiagnosticLogs.js'), + 'redisCacheScheduledUpdates' : require(__dirname + '/plugins/azure/redisCache/redisCacheScheduledUpdates.js'), 'multipleSubnets' : require(__dirname + '/plugins/azure/virtualnetworks/multipleSubnets.js'), 'ddosStandardProtectionEnabled' : require(__dirname + '/plugins/azure/virtualnetworks/ddosStandardProtectionEnabled.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index c424c63677..3a860ec2a6 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -1090,7 +1090,14 @@ var tertiarycalls = { properties: ['id'], url: 'https://management.azure.com/{id}/devOpsAuditingSettings?api-version=2021-11-01' } - } + }, + patchSchedules: { + listByRedisCache: { + reliesOnPath: 'redisCaches.listBySubscription', + properties: ['id'], + url: 'https://management.azure.com/{id}/patchSchedules?api-version=2023-08-01' + } + }, }; var specialcalls = { diff --git a/plugins/azure/redisCache/redisCacheScheduledUpdates.js b/plugins/azure/redisCache/redisCacheScheduledUpdates.js new file mode 100644 index 0000000000..a7188d4b8e --- /dev/null +++ b/plugins/azure/redisCache/redisCacheScheduledUpdates.js 
@@ -0,0 +1,57 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Redis Cache Scheduled Updates', + category: 'Redis Cache', + domain: 'Databases', + description: 'Ensures that Azure Cache for Redis has scheduled updates enabled.', + more_info: 'Enabling schedule updates allows you to choose a maintenance window for your cache instance. A maintenance window allows you to control the day(s) and time(s) of a week during which the VM(s) hosting your cache can be updated. Azure Cache for Redis will make a best effort to start and finish updating Redis server software within the specified time window you define.', + recommended_action: 'Enable schedule updates for Redis Cache.', + link: 'https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-administration#update-channel-and-schedule-updates', + apis: ['redisCaches:listBySubscription', 'patchSchedules:listByRedisCache'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.redisCaches, function(location, rcb) { + const caches = helpers.addSource(cache, source, + ['redisCaches', 'listBySubscription', location]); + + if (!caches) return rcb(); + + if (caches.err || !caches.data) { + helpers.addResult(results, 3, 'Unable to query Redis Caches: ' + helpers.addError(caches), location); + return rcb(); + } + + if (!caches.data.length) { + helpers.addResult(results, 0, 'No existing Redis Caches found', location); + return rcb(); + } + + caches.data.forEach(function(redisCache) { + if (!redisCache.id) return; + const patchSchedules = helpers.addSource(cache, source, + ['patchSchedules', 'listByRedisCache', location, redisCache.id]); + + if (!patchSchedules || (patchSchedules && patchSchedules.err)) { + if (patchSchedules.err && patchSchedules.err.includes('There are no patch schedules found for redis cache')) { + 
helpers.addResult(results, 2, 'Redis Cache does not have scheduled updates enabled', location, redisCache.id); + } else { + helpers.addResult(results, 3, 'Unable to query Redis Cache scheduled updates ' + helpers.addError(patchSchedules), location, redisCache.id); + } + } else { + helpers.addResult(results, 0, 'Redis Cache has scheduled udpates enabled', location, redisCache.id); + } + }); + + rcb(); + }, function() { + // Global checking goes here + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/redisCache/redisCacheScheduledUpdates.spec.js b/plugins/azure/redisCache/redisCacheScheduledUpdates.spec.js new file mode 100644 index 0000000000..49387e140b --- /dev/null +++ b/plugins/azure/redisCache/redisCacheScheduledUpdates.spec.js 
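Review bot: `if (!patchSchedules || (patchSchedules && patchSchedules.err))` is immediately followed by `if (patchSchedules.err && ...)`, so when the tertiary-call entry is missing (`patchSchedules` undefined) the code throws a TypeError inside the iterator instead of yielding an UNKNOWN result; the `patchSchedules &&` on the outer condition is also redundant. Detecting "no schedule configured" by matching an error message is brittle and `err` is not visibly guaranteed to be a string (`helpers.addError` is applied to it elsewhere), so the match should go through `String(...)` and carry a comment explaining why an error is treated as a failing-not-unknown result. The pass message misspells `udpates`, and the spec added in this same commit (`redisCacheScheduledUpdates.spec.js`) asserts on the misspelling, so both strings need changing together. The rewritten branch below replaces the `if (!patchSchedules || ...)` block through its `else`.
```javascript
                const patchSchedules = helpers.addSource(cache, source,
                    ['patchSchedules', 'listByRedisCache', location, redisCache.id]);

                if (!patchSchedules) {
                    helpers.addResult(results, 3, 'Unable to query Redis Cache scheduled updates', location, redisCache.id);
                    return;
                }
                // A cache with no schedule comes back as an error, not an empty list,
                // so that specific message is reported as FAIL rather than UNKNOWN.
                if (patchSchedules.err) {
                    if (String(patchSchedules.err).includes('There are no patch schedules found for redis cache')) {
                        helpers.addResult(results, 2, 'Redis Cache does not have scheduled updates enabled', location, redisCache.id);
                    } else {
                        helpers.addResult(results, 3, 'Unable to query Redis Cache scheduled updates ' + helpers.addError(patchSchedules), location, redisCache.id);
                    }
                    return;
                }
                helpers.addResult(results, 0, 'Redis Cache has scheduled updates enabled', location, redisCache.id);
```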
@@ -0,0 +1,178 @@ +var expect = require('chai').expect; +var redisCacheScheduledUpdates = require('./redisCacheScheduledUpdates'); + +const redisCaches = [ + { + 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Cache/Redis/test-cache', + 'location': 'East US', + 'name': 'test-cache', + 'type': 'Microsoft.Cache/Redis', + 'redisCacheScheduledUpdates': '1.2', + }, + { + 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Cache/Redis/test-cache', + 'location': 'East US', + 'name': 'test-cache', + 'type': 'Microsoft.Cache/Redis', + 'redisCacheScheduledUpdates': '1.1', + } +]; + +const patchSchedules = { + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/cloudsploit-dev/providers/Microsoft.Cache/Redis/omerredistest/patchSchedules/default", + "location": "East US", + "name": "omerredistest/default", + "type": "Microsoft.Cache/Redis/PatchSchedules", + "properties": { + "scheduleEntries": [ + { + "dayOfWeek": "Sunday", + "startHourUtc": 0, + "maintenanceWindow": "PT5H" + }, + { + "dayOfWeek": "Monday", + "startHourUtc": 0, + "maintenanceWindow": "PT5H" + }, + { + "dayOfWeek": "Tuesday", + "startHourUtc": 0, + "maintenanceWindow": "PT5H" + }, + { + "dayOfWeek": "Wednesday", + "startHourUtc": 0, + "maintenanceWindow": "PT5H" + }, + { + "dayOfWeek": "Thursday", + "startHourUtc": 0, + "maintenanceWindow": "PT5H" + }, + { + "dayOfWeek": "Friday", + "startHourUtc": 0, + "maintenanceWindow": "PT5H" + }, + { + "dayOfWeek": "Saturday", + "startHourUtc": 0, + "maintenanceWindow": "PT5H" + } + ] + } +}; + +const createCache = (redisCaches, patchSchedules) => { + let redis = {}; + let patch = {}; + + if (redisCaches) { + redis['data'] = redisCaches; + if (redisCaches && redisCaches.length) { + patch[redisCaches[0].id] = { + 'data': patchSchedules + }; + } + } + + return { + redisCaches: { + listBySubscription: { + 'eastus': redis + } + }, + patchSchedules: { + listByRedisCache: { + 'eastus': patch + } 
+ } + }; +}; + +const createErrorCache = (redisCaches, message) => { + let redis = {}; + let patch = {}; + + if (redisCaches) { + redis['data'] = redisCaches; + if (redisCaches && redisCaches.length) { + patch[redisCaches[0].id] = { + 'err': message + }; + } + } + + return { + redisCaches: { + listBySubscription: { + 'eastus': redis + }, + }, + patchSchedules: { + listByRedisCache: { + 'eastus': patch + } + } + }; +}; + +describe('redisCacheScheduledUpdates', function() { + describe('run', function() { + it('should give passing result if no redis caches', function(done) { + const cache = createCache([]); + redisCacheScheduledUpdates.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Redis Caches found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for redis caches', function(done) { + const cache = createCache(null); + redisCacheScheduledUpdates.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Redis Caches'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query redis cache patch schedules', function(done) { + const cache = createErrorCache([redisCaches[1]], 'notFound'); + redisCacheScheduledUpdates.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Redis Cache scheduled updates'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if redis cache does not have scheduled updates enabled', function(done) { + const cache = createErrorCache([redisCaches[1]],'There are no patch schedules found for redis cache'); + 
redisCacheScheduledUpdates.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Redis Cache does not have scheduled updates enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if redis cache has scheduled updates enabled', function(done) { + const cache = createCache([redisCaches[1]], patchSchedules); + redisCacheScheduledUpdates.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Redis Cache has scheduled udpates enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); From e6ee716b222cc48e6af7c6aa48d3f72a3ff9266c Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Sun, 24 Dec 2023 13:19:21 +0500 Subject: [PATCH 341/498] check vmss approved extension --- exports.js | 4 +- .../vmssApprovedExtensions.js | 79 +++++++++++ .../vmssApprovedExtensions.spec.js | 127 ++++++++++++++++++ 3 files changed, 209 insertions(+), 1 deletion(-) create mode 100644 plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js create mode 100644 plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.spec.js diff --git a/exports.js b/exports.js index 0fab601115..a25d225937 100644 --- a/exports.js +++ b/exports.js 
@@ -1038,7 +1038,9 @@ module.exports = { 'amsDiagnosticLogsEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js'), 'amsPublicAccessDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsPublicAccessDisabled.js'), 'amsManagedIdentityEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsManagedIdentityEnabled.js'), - 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js') + 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'), + + 'vmssApprovedExtensions' : require(__dirname + '/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions') }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js b/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js new file mode 100644 index 0000000000..33b6dd39aa --- /dev/null +++ b/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js 
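Review bot: The new `vmssApprovedExtensions` entry omits the `.js` suffix that every sibling entry in this map carries; Node resolves it either way, but for consistency use `'vmssApprovedExtensions' : require(__dirname + '/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js')`. It is also appended after the mediaServices entries (`amsClassicApiDisabled`) rather than alongside the other scale-set plugins this file presumably already groups, which makes it harder to find later.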
@@ -0,0 +1,79 @@ +const async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'VM Approved Extensions', + category: 'Virtual Machines', + domain: 'Compute', + description: 'Ensures that approved virtual machine extensions are installed.', + more_info: 'Extensions are small applications that provide post-deployment configuration and automation on Azure VMs. Extensions installed should be approved by the organization to meet the organizational security requirements.', + recommended_action: 'Uninstall unapproved virtual machine extensions', + link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/overview', + apis: ['virtualMachines:listAll', 'virtualMachineExtensions:list'], + settings: { + vmss_approved_extensions: { + name: 'Approved VM extensions', + description: 'List of comma separated approved extension names', + regex: '^.*$', + default: 'healthRepairExtension' + } + }, + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + const config = { + approvedExtensions: settings.vmss_approved_extensions || this.settings.vmss_approved_extensions.default + }; + + if (!config.approvedExtensions.length) return callback(null, results, source); + + var extensionsList = config.approvedExtensions.split(','); + + async.each(locations.virtualMachineScaleSets, (location, rcb) => { + const virtualMachineScaleSets = helpers.addSource(cache, source, + ['virtualMachineScaleSets', 'listAll', location]); + + if (!virtualMachineScaleSets) return rcb(); + + if (virtualMachineScaleSets.err || !virtualMachineScaleSets.data) { + helpers.addResult(results, 3, + 'Unable to query for Virtual Machine Scale Sets: ' + helpers.addError(virtualMachineScaleSets), location); + return rcb(); + } + + if (!virtualMachineScaleSets.data.length) { + helpers.addResult(results, 0, 'No existing Virtual Machine Scale Sets found', location); 
+ return rcb(); + } + for (let virtualMachineScaleSet of virtualMachineScaleSets.data){ + + const scaleSetExtensions = virtualMachineScaleSet.virtualMachineProfile && virtualMachineScaleSet.virtualMachineProfile.extensionProfile && + virtualMachineScaleSet.virtualMachineProfile.extensionProfile.extensions + ? virtualMachineScaleSet.virtualMachineProfile.extensionProfile.extensions + : []; + + if (!scaleSetExtensions.length) { + helpers.addResult(results, 0, 'No VMSS Extensions found', location); + continue; + } + + scaleSetExtensions.forEach(function(vmssEx) { + let found = extensionsList.some(extension => extension.trim() === vmssEx.name); + + if (found) { + helpers.addResult(results, 0, `${vmssEx.name} extension is approved by the organization`, location, virtualMachineScaleSet.id); + } else { + helpers.addResult(results, 2, `${vmssEx.name} extension is not approved by the organization`, location, virtualMachineScaleSet.id); + } + }); + } + + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; diff --git a/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.spec.js b/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.spec.js new file mode 100644 index 0000000000..a92b6efbbb --- /dev/null +++ b/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.spec.js 
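Review bot: The `apis` array declares `virtualMachines:listAll` and `virtualMachineExtensions:list`, but `run` reads `['virtualMachineScaleSets', 'listAll', location]` and iterates `locations.virtualMachineScaleSets`; if the collector only fetches what `apis` names, the cache entry is never populated and the plugin silently exits through `if (!virtualMachineScaleSets) return rcb();` with no results. Change it to `apis: ['virtualMachineScaleSets:listAll'],`. The 'No VMSS Extensions found' pass result also omits the resource, so pass `virtualMachineScaleSet.id` as the last argument to keep it attributable like the other results in the loop. The `title`/`category` ('VM Approved Extensions', 'Virtual Machines') describe VMs while every check here is on scale sets; `title: 'VMSS Approved Extensions'` would match the setting name and message wording.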
@@ -0,0 +1,127 @@ +var expect = require('chai').expect; +var vmssApprovedExtensions = require('./vmssApprovedExtensions'); + +const virtualMachineScaleSets = [ + { + 'name': 'test-vmss', + 'id': '/subscriptions/123/resourceGroups/AQUA-RESOURCE-GROUP/providers/Microsoft.Compute/virtualMachineScaleSets/test-vmss', + 'type': 'Microsoft.Compute/virtualMachineScaleSets', + 'virtualMachineProfile': { + 'extensionProfile': { + 'extensions': [ + { + 'name': 'healthRepairExtension', + 'properties': { + 'autoUpgradeMinorVersion': false, + 'publisher': 'Microsoft.ManagedServices', + 'type': 'ApplicationHealthLinux', + 'typeHandlerVersion': '1.0', + 'settings': { + 'protocol': 'http', + 'port': 80, + 'requestPath': '/' + } + } + } + ] + } + } + }, + { + 'name': 'test-vmss', + 'id': '/subscriptions/123/resourceGroups/AQUA-RESOURCE-GROUP/providers/Microsoft.Compute/virtualMachineScaleSets/test-vmss', + 'type': 'Microsoft.Compute/virtualMachineScaleSets', + 'virtualMachineProfile': { + 'extensionProfile': { + 'extensions': [ + { + 'name': 'errorextension', + } + ] + } + } + }, + { + 'name': 'test-vmss', + 'id': '/subscriptions/123/resourceGroups/AQUA-RESOURCE-GROUP/providers/Microsoft.Compute/virtualMachineScaleSets/test-vmss', + 'type': 'Microsoft.Compute/virtualMachineScaleSets', + 'virtualMachineProfile': { + 'extensionProfile': { + 'extensions': [] + } + } + } +]; + +const createCache = (virtualMachineScaleSets) => { + let machine = {}; + if (virtualMachineScaleSets) { + machine['data'] = virtualMachineScaleSets; + } + return { + virtualMachineScaleSets: { + listAll: { + 'eastus': machine + } + } + }; +}; + +describe('vmssApprovedExtensions', function() { + describe('run', function() { + it('should give passing result if no virtual machine scale sets', function(done) { + const cache = createCache([]); + vmssApprovedExtensions.run(cache, { vmss_approved_extensions: 'ext' }, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + 
expect(results[0].message).to.include('No existing Virtual Machine Scale Sets found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for virtual machine scale sets', function(done) { + const cache = createCache(); + vmssApprovedExtensions.run(cache, { vmss_approved_extensions: 'ext' }, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Virtual Machine Scale Sets:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if no VMSS Extensions found', function(done) { + const cache = createCache([virtualMachineScaleSets[2]]); + vmssApprovedExtensions.run(cache, { vmss_approved_extensions: 'ext' }, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No VMSS Extensions found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if installed extensions are approved by the organization', function(done) { + const cache = createCache([virtualMachineScaleSets[0]]); + vmssApprovedExtensions.run(cache, { vmss_approved_extensions: 'healthRepairExtension' }, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('extension is approved by the organization'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if installed extensions are not approved by the organization', function(done) { + const cache = createCache([virtualMachineScaleSets[1]]); + vmssApprovedExtensions.run(cache, { vmss_approved_extensions: 'healthRepairExtension' }, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + 
expect(results[0].message).to.include('extension is not approved by the organization'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file From 70db4bf1c8f41ba6d6cf30637e19c73f2f0ba738 Mon Sep 17 00:00:00 2001 From: mehakseedat63 Date: Mon, 25 Dec 2023 05:52:50 +0500 Subject: [PATCH 342/498] Azure - Namespace Public Access Plugin --- exports.js | 2 + .../azure/servicebus/namespacePublicAccess.js | 52 ++++++++ .../servicebus/namespacePublicAccess.spec.js | 118 ++++++++++++++++++ 3 files changed, 172 insertions(+) create mode 100644 plugins/azure/servicebus/namespacePublicAccess.js create mode 100644 plugins/azure/servicebus/namespacePublicAccess.spec.js diff --git a/exports.js b/exports.js index 0fab601115..d1e40ff17a 100644 --- a/exports.js +++ b/exports.js @@ -1034,6 +1034,8 @@ module.exports = { 'namespaceTlsVersion' : require(__dirname + '/plugins/azure/servicebus/namespaceTlsVersion.js'), 'namespaceLocalAuth' : require(__dirname + '/plugins/azure/servicebus/namespaceLocalAuth.js'), 'namespaceLoggingEnabled' : require(__dirname + '/plugins/azure/servicebus/namespaceLoggingEnabled.js'), + 'namespacePublicAccess' : require(__dirname + '/plugins/azure/servicebus/namespacePublicAccess.js'), + 'amsDiagnosticLogsEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js'), 'amsPublicAccessDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsPublicAccessDisabled.js'), diff --git a/plugins/azure/servicebus/namespacePublicAccess.js b/plugins/azure/servicebus/namespacePublicAccess.js new file mode 100644 index 0000000000..e6b9652f8b --- /dev/null +++ b/plugins/azure/servicebus/namespacePublicAccess.js 
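Review bot: Every case passes `vmss_approved_extensions` explicitly, so the `this.settings.vmss_approved_extensions.default` fallback and the comma-separated parsing with surrounding whitespace (`extension.trim()`) are never exercised. Add one case calling `vmssApprovedExtensions.run(cache, {}, ...)` against `virtualMachineScaleSets[0]` expecting status 0 from the default `healthRepairExtension`, and one with `{ vmss_approved_extensions: 'other, healthRepairExtension' }` to cover trimming. The three fixtures also share the same `name`/`id`, which hides any mix-up in the resource field of the results.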
@@ -0,0 +1,52 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Namespace Public Access', + category: 'Service Bus', + domain: 'Application Integration', + description: 'Ensures that Azure Service Bus namespaces are not publicly accessible.', + more_info: 'Using private endpoints for Azure Service Bus namespace improve security by enabling private network access, encrypting communication, and enhancing performance. They seamlessly integrate with virtual networks, ensuring compliance and suitability for hybrid cloud scenarios.', + recommended_action: 'Ensure that Azure Service Bus namespaces are only accessible through private endpoints.', + link: 'https://learn.microsoft.com/en-us/azure/service-bus-messaging/private-link-service', + apis: ['serviceBus:listNamespacesBySubscription'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.serviceBus, function(location, rcb) { + const namespaces = helpers.addSource(cache, source, + ['serviceBus', 'listNamespacesBySubscription', location]); + + if (!namespaces) return rcb(); + + + if (namespaces.err || !namespaces.data) { + helpers.addResult(results, 3, 'Unable to query Service Bus namespaces: ' + helpers.addError(namespaces), location); + return rcb(); + } + + if (!namespaces.data.length) { + helpers.addResult(results, 0, 'No existing Service Bus namespaces found', location); + return rcb(); + } + + for (let namespace of namespaces.data) { + if (namespace.sku && namespace.sku.tier && namespace.sku.tier.toLowerCase() !== 'premium') { + helpers.addResult(results, 0, 'Service Bus Namespace is not a premium namespace', location, namespace.id); + } else if (namespace.publicNetworkAccess && namespace.publicNetworkAccess.toLowerCase() === 'enabled') { + helpers.addResult(results, 2, 'Service bus namespace is publicly accessible', location, 
namespace.id); + } else { + helpers.addResult(results, 0, 'Service bus namespace is only accessible through private endpoints', location, namespace.id); + } + } + + rcb(); + }, function() { + // Global checking goes here + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/servicebus/namespacePublicAccess.spec.js b/plugins/azure/servicebus/namespacePublicAccess.spec.js new file mode 100644 index 0000000000..4caed1c4e8 --- /dev/null +++ b/plugins/azure/servicebus/namespacePublicAccess.spec.js 
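Review bot: A Premium namespace whose `publicNetworkAccess` property is absent from the response falls through to the final `else` and is reported as 'only accessible through private endpoints', because the fail branch requires the property to be present and equal to 'enabled'; to my knowledge the Azure default when the property is unset is public access enabled, so an absent value should fail rather than pass — `} else if (!namespace.publicNetworkAccess || namespace.publicNetworkAccess.toLowerCase() === 'enabled') {`. Every non-Premium namespace also passes with 'Service Bus Namespace is not a premium namespace' although such tiers stay reachable from the public network; if this is deliberate because private endpoints are Premium-only (as the linked doc suggests), state that in `more_info` or a comment above the branch, otherwise consider reporting those as failing. Minor: the messages mix 'Service Bus Namespace' and 'Service bus namespace' casing within the same loop.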
@@ -0,0 +1,118 @@ +var expect = require('chai').expect; +var namespacePublicAccess = require('./namespacePublicAccess.js'); + +const namespaces = [ + { + sku: { name: 'Premium', tier: 'Premium', capacity: 1 }, + id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test', + name: 'test', + type: 'Microsoft.ServiceBus/Namespaces', + location: 'East US', + publicNetworkAccess: 'Enabled', + disableLocalAuth: false, + provisioningState: 'Succeeded', + status: 'Active' + }, + { + sku: { name: 'Premium', tier: 'Premium', capacity: 1 }, + id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test2', + name: 'test2', + type: 'Microsoft.ServiceBus/Namespaces', + location: 'East US', + publicNetworkAccess: 'Disabled', + disableLocalAuth: true, + provisioningState: 'Succeeded', + status: 'Active', + encryption: { + keySource: 'Microsoft.KeyVault', + requireInfrastructureEncryption: false + }, + }, + { + sku: { name: 'Basic', tier: 'Basic' }, + id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test3', + name: 'test2', + type: 'Microsoft.ServiceBus/Namespaces', + location: 'East US', + publicNetworkAccess: 'Enabled', + disableLocalAuth: true, + provisioningState: 'Succeeded', + status: 'Active' + }, +]; + + +const createCache = (namespaces, err) => { + + return { + serviceBus: { + listNamespacesBySubscription: { + 'eastus': { + data: namespaces, + err: err + } + } + } + }; +}; + +describe('namespacePublicAccess', function () { + describe('run', function () { + + it('should give a passing result if no Service Bus namespaces are found', function (done) { + const cache = createCache([], null); + namespacePublicAccess.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Service Bus namespaces found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable 
to query for Service Bus namespaces', function (done) { + const cache = createCache(null, ['error']); + namespacePublicAccess.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Service Bus namespaces'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + + it('should give passing result if namespace is not using premium tier', function (done) { + const cache = createCache([namespaces[2]], null); + namespacePublicAccess.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Service Bus Namespace is not a premium namespace'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if namespace is not publicly accessible', function (done) { + const cache = createCache([namespaces[1]], null); + namespacePublicAccess.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Service bus namespace is only accessible through private endpoints'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if namespace is publicly accessible', function (done) { + const cache = createCache([namespaces[0]], null); + namespacePublicAccess.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Service bus namespace is publicly accessible'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file From d847342ea105c582fc743f76be85a42141522c4c Mon Sep 17 00:00:00 2001 
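Review bot: There is no fixture for a Premium namespace that lacks the `publicNetworkAccess` property, which is the branch where the plugin's behaviour is least obvious (it currently passes). Add a namespace with `sku.tier: 'Premium'` and no `publicNetworkAccess` key and assert the status you intend for it, so the expectation is pinned rather than implicit. The `name: 'test2'` on the Basic fixture duplicates the second fixture's name and looks like a copy-paste slip.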
From: mehakseedat63 Date: Mon, 25 Dec 2023 06:45:29 +0500 Subject: [PATCH 343/498] Azure - Namespace Infrasturcture Encryption Enabled Plugin --- exports.js | 1 + .../servicebus/namespaceInfraEncryption.js | 53 ++++++++ .../namespaceInfraEncryption.spec.js | 122 ++++++++++++++++++ 3 files changed, 176 insertions(+) create mode 100644 plugins/azure/servicebus/namespaceInfraEncryption.js create mode 100644 plugins/azure/servicebus/namespaceInfraEncryption.spec.js diff --git a/exports.js b/exports.js index 0fab601115..047cbabc6d 100644 --- a/exports.js +++ b/exports.js @@ -1034,6 +1034,7 @@ module.exports = { 'namespaceTlsVersion' : require(__dirname + '/plugins/azure/servicebus/namespaceTlsVersion.js'), 'namespaceLocalAuth' : require(__dirname + '/plugins/azure/servicebus/namespaceLocalAuth.js'), 'namespaceLoggingEnabled' : require(__dirname + '/plugins/azure/servicebus/namespaceLoggingEnabled.js'), + 'namespaceInfraEncryption' : require(__dirname + '/plugins/azure/servicebus/namespaceInfraEncryption.js'), 'amsDiagnosticLogsEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js'), 'amsPublicAccessDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsPublicAccessDisabled.js'), diff --git a/plugins/azure/servicebus/namespaceInfraEncryption.js b/plugins/azure/servicebus/namespaceInfraEncryption.js new file mode 100644 index 0000000000..10497c8ed4 --- /dev/null +++ b/plugins/azure/servicebus/namespaceInfraEncryption.js 
@@ -0,0 +1,53 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Namespace Infrastructure Encryption Enabled', + category: 'Service Bus', + domain: 'Application Integration', + description: 'Ensure that Azure Service Bus namespaces have infrastructure level encryption enabled.', + more_info: 'Enabling infrastructure level encryption for Azure Service Bus namespaces allows their data to be encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys and provides an extra layer of protection and security in case one of the keys is compromised.', + recommended_action: 'Enable infrastructure level encryption for all Azure Service Bus namespaces.', + link: 'https://learn.microsoft.com/en-us/azure/service-bus-messaging/configure-customer-managed-key#enable-infrastructure-double-encryption-of-data', + apis: ['serviceBus:listNamespacesBySubscription'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.serviceBus, function(location, rcb) { + const namespaces = helpers.addSource(cache, source, + ['serviceBus', 'listNamespacesBySubscription', location]); + + if (!namespaces) return rcb(); + + + if (namespaces.err || !namespaces.data) { + helpers.addResult(results, 3, 'Unable to query Service Bus namespaces: ' + helpers.addError(namespaces), location); + return rcb(); + } + + if (!namespaces.data.length) { + helpers.addResult(results, 0, 'No existing Service Bus namespaces found', location); + return rcb(); + } + + for (let namespace of namespaces.data) { + + if (namespace.sku && namespace.sku.tier && namespace.sku.tier.toLowerCase() !== 'premium') { + helpers.addResult(results, 0, 'Service Bus Namespace is not a premium namespace', location, namespace.id); + } else if (namespace.encryption && 
Object.keys(namespace.encryption).length && namespace.encryption.requireInfrastructureEncryption) { + helpers.addResult(results, 0, 'Service Bus Namespace has infrastructure level encryption enabled', location, namespace.id); + } else { + helpers.addResult(results, 2, 'Service Bus Namespace does not have infrastructure level encryption enabled', location, namespace.id); + } + } + + rcb(); + }, function() { + // Global checking goes here + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/servicebus/namespaceInfraEncryption.spec.js b/plugins/azure/servicebus/namespaceInfraEncryption.spec.js new file mode 100644 index 0000000000..e4ce33ad08 --- /dev/null +++ b/plugins/azure/servicebus/namespaceInfraEncryption.spec.js 
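Review bot: The `Object.keys(namespace.encryption).length &&` guard in the pass condition is redundant — a truthy `namespace.encryption.requireInfrastructureEncryption` already implies a non-empty object — and since the property is a boolean the comparison should be explicit: `} else if (namespace.encryption && namespace.encryption.requireInfrastructureEncryption === true) {`. The non-Premium branch reports status 0 without explaining why lower tiers are skipped; if infrastructure encryption is only configurable on Premium namespaces with a customer-managed key (the linked doc suggests so), a comment above that branch such as `// Infrastructure (double) encryption is only configurable on Premium namespaces with a customer-managed key` would save the next reader the lookup.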
@@ -0,0 +1,122 @@ +var expect = require('chai').expect; +var namespaceInfraEncryption = require('./namespaceInfraEncryption.js'); + +const namespaces = [ + { + sku: { name: 'Premium', tier: 'Premium', capacity: 1 }, + id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test', + name: 'test', + type: 'Microsoft.ServiceBus/Namespaces', + location: 'East US', + publicNetworkAccess: 'Enabled', + disableLocalAuth: false, + provisioningState: 'Succeeded', + status: 'Active', + encryption: { + keySource: 'Microsoft.KeyVault', + requireInfrastructureEncryption: false + } + }, + { + sku: { name: 'Premium', tier: 'Premium', capacity: 1 }, + id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test2', + name: 'test2', + type: 'Microsoft.ServiceBus/Namespaces', + location: 'East US', + publicNetworkAccess: 'Enabled', + disableLocalAuth: true, + provisioningState: 'Succeeded', + status: 'Active', + encryption: { + keySource: 'Microsoft.KeyVault', + requireInfrastructureEncryption: true + } + }, + { + sku: { name: 'Basic', tier: 'Basic' }, + id: '/subscriptions/234/myrg/providers/Microsoft.ServiceBus/namespaces/test3', + name: 'test2', + type: 'Microsoft.ServiceBus/Namespaces', + location: 'East US', + publicNetworkAccess: 'Enabled', + disableLocalAuth: true, + provisioningState: 'Succeeded', + status: 'Active' + }, +]; + + +const createCache = (namespaces, err) => { + + return { + serviceBus: { + listNamespacesBySubscription: { + 'eastus': { + data: namespaces, + err: err + } + } + } + }; +}; + +describe('namespaceInfraEncryption', function () { + describe('run', function () { + + it('should give a passing result if no Service Bus namespaces are found', function (done) { + const cache = createCache([], null); + namespaceInfraEncryption.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Service Bus namespaces found'); + 
expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for Service Bus namespaces', function (done) { + const cache = createCache(null, ['error']); + namespaceInfraEncryption.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Service Bus namespaces'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + + it('should give passing result if namespace is not using premium tier', function (done) { + const cache = createCache([namespaces[2]], null); + namespaceInfraEncryption.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Service Bus Namespace is not a premium namespace'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if namespace has infrastructure level encryption enabled', function (done) { + const cache = createCache([namespaces[1]], null); + namespaceInfraEncryption.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Service Bus Namespace has infrastructure level encryption enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if namespace does not have infrastructure level encryption enabled', function (done) { + const cache = createCache([namespaces[0]], null); + namespaceInfraEncryption.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Service Bus Namespace does not have infrastructure level encryption enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file 
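Review bot: The failing case only covers a namespace that has an `encryption` block with `requireInfrastructureEncryption: false`; the more common shape — a Premium namespace with no `encryption` key at all — is never tested, although it is the branch most likely to regress if the condition is rewritten. Add a fixture with `sku.tier: 'Premium'` and no `encryption` property and assert status 2. The Basic fixture's `name: 'test2'` duplicates the second fixture's name.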
From 3f321056ceb152d32e59e1fcd04fc5ee78aad3b0 Mon Sep 17 00:00:00 2001 From: mehakseedat63 Date: Tue, 26 Dec 2023 05:32:57 +0500 Subject: [PATCH 344/498] Azure - Defender for Virtual Machines Plugin --- exports.js | 3 +- .../azure/defender/enableDefenderForVMs.js | 52 +++++++++ .../defender/enableDefenderForVMs.spec.js | 104 ++++++++++++++++++ 3 files changed, 158 insertions(+), 1 deletion(-) create mode 100644 plugins/azure/defender/enableDefenderForVMs.js create mode 100644 plugins/azure/defender/enableDefenderForVMs.spec.js diff --git a/exports.js b/exports.js index 0fab601115..f92ab35718 100644 --- a/exports.js +++ b/exports.js @@ -996,7 +996,8 @@ module.exports = { 'enableDefenderForSqlServers' : require(__dirname + '/plugins/azure/defender/enableDefenderForSqlServers.js'), 'enableEndpointIntegration' : require(__dirname + '/plugins/azure/defender/enableEndpointIntegration.js'), 'enableDefenderForDNS' : require(__dirname + '/plugins/azure/defender/enableDefenderForDNS.js'), - 'enableDefenderForKeyVaults' : require(__dirname + '/plugins/azure/defender/enableDefenderForKeyVaults.js'), + 'enableDefenderForKeyVaults' : require(__dirname + '/plugins/azure/defender/enableDefenderForKeyVaults.js'), + 'enableDefenderForVMs' : require(__dirname + '/plugins/azure/defender/enableDefenderForVMs.js'), 'agWafEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agWafEnabled'), 'applicationGatewayHasTags' : require(__dirname + '/plugins/azure/applicationGateway/applicationGatewayHasTags.js'), diff --git a/plugins/azure/defender/enableDefenderForVMs.js b/plugins/azure/defender/enableDefenderForVMs.js new file mode 100644 index 0000000000..b40f4e7faa --- /dev/null +++ b/plugins/azure/defender/enableDefenderForVMs.js 
@@ -0,0 +1,52 @@
+var async = require('async');
+var helpers = require('../../../helpers/azure');
+
+module.exports = {
+ title: 'Enable Defender For Virtual Machines',
+ category: 'Defender',
+ domain: 'Management and Governance',
+ description: 'Ensures that Microsoft Defender is enabled for all virtual machines.',
+ more_info: 'Turning on Microsoft Defender for Virtual Machines enables threat detection, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.',
+ recommended_action: 'Enable Microsoft Defender for Servers in Defender plans for the subscription.',
+ link: 'https://learn.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities',
+ apis: ['pricings:list'],
+
+ run: function(cache, settings, callback) {
+ var results = [];
+ var source = {};
+ var locations = helpers.locations(settings.govcloud);
+
+ async.each(locations.pricings, function(location, rcb) {
+ var pricings = helpers.addSource(cache, source,
+ ['pricings', 'list', location]);
+
+ if (!pricings) return rcb();
+
+ if (pricings.err || !pricings.data) {
+ helpers.addResult(results, 3,
+ 'Unable to query for Pricing: ' + helpers.addError(pricings), location);
+ return rcb();
+ }
+
+ if (!pricings.data.length) {
+ helpers.addResult(results, 0, 'No Pricing information found', location);
+ return rcb();
+ }
+
+ let vmPricing = pricings.data.find((pricing) => pricing.name.toLowerCase() === 'virtualmachines');
+ if (vmPricing) {
+ if (vmPricing.pricingTier.toLowerCase() === 'standard') {
+ helpers.addResult(results, 0, 'Azure Defender is enabled for Virtual Machines', location, vmPricing.id);
+ } else {
+ helpers.addResult(results, 2, 'Azure Defender is not enabled for Virtual Machines', vmPricing.id);
+ }
+ } else {
+ helpers.addResult(results, 2, 'Azure Defender is not enabled for Virtual Machines', location);
+ }
+
+ rcb();
+ }, function(){
+ callback(null, results, source);
+ });
+ }
+};
\ No newline at end of file
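Review bot: In the branch for a found `VirtualMachines` pricing with a non-standard tier, `helpers.addResult(results, 2, 'Azure Defender is not enabled for Virtual Machines', vmPricing.id);` omits the `location` argument, so the resource id lands in the region field and the result carries no resource; it should be `helpers.addResult(results, 2, 'Azure Defender is not enabled for Virtual Machines', location, vmPricing.id);`. The lookup and tier check also call `.toLowerCase()` on `pricing.name` and `vmPricing.pricingTier` without the `pricing.name &&` / `pricingTier &&` guards the sibling DNS and Key Vault plugins use, so a pricing entry missing either property would throw inside `find` instead of producing a result. The spec added in this commit only drives the failing case through the not-found branch (fixture name 'KubernetesService'), so neither point is caught by the tests.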
diff --git a/plugins/azure/defender/enableDefenderForVMs.spec.js b/plugins/azure/defender/enableDefenderForVMs.spec.js new file mode 100644 index 0000000000..f211f951c7 --- /dev/null +++ b/plugins/azure/defender/enableDefenderForVMs.spec.js 
@@ -0,0 +1,104 @@ +var expect = require('chai').expect; +var auth = require('./enableDefenderForVMs'); + +const createCache = (err, data) => { + return { + pricings: { + list: { + 'global': { + err: err, + data: data + } + } + } + } +}; + +describe('enableDefenderForVMs', function() { + describe('run', function() { + + it('should give unknow result if unable to query pricing information', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Pricing'); + expect(results[0].region).to.equal('global'); + done() + }; + + const cache = createCache( + ['error'], + null + ); + + auth.run(cache, {}, callback); + }); + + it('should give passing result if no pricings found', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No Pricing information found'); + expect(results[0].region).to.equal('global'); + done() + }; + + const cache = createCache( + null, + [] + ); + + auth.run(cache, {}, callback); + }); + + it('should give failing result if Azure Defender for Virtual Machines is not enabled', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Azure Defender is not enabled for Virtual Machines'); + expect(results[0].region).to.equal('global'); + done() + }; + + const cache = createCache( + null, + [ + { + "id": "/subscriptions/e79d9a03-3ab3-4481-bdcd-c5db1d55420a/providers/Microsoft.Security/pricings/default", + "name": "KubernetesService", + "type": "Microsoft.Security/pricings", + "pricingTier": "free", + "location": "global" + } + ] + ); + + auth.run(cache, {}, callback); + }); + + it('should give passing result if Azure Defender for Virtual Machines is enabled', function(done) { + 
const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Azure Defender is enabled for Virtual Machines'); + expect(results[0].region).to.equal('global'); + done() + }; + + const cache = createCache( + null, + [ + { + "id": "/subscriptions/e79d9a03-3ab3-4481-bdcd-c5db1d55420a/providers/Microsoft.Security/pricings/default", + "name": "VirtualMachines", + "type": "Microsoft.Security/pricings", + "pricingTier": "Standard", + "location": "global" + } + ] + ); + + auth.run(cache, {}, callback); + }) + }) +}); \ No newline at end of file From 10e389233588dabd4d46fb4d141986b0b674e297 Mon Sep 17 00:00:00 2001 From: mehakseedat63 Date: Tue, 26 Dec 2023 06:07:58 +0500 Subject: [PATCH 345/498] created helper function to check microsoft defender --- helpers/azure/functions.js | 17 ++++++++++++++++- .../defender/enableDefenderForContainers.js | 11 +---------- plugins/azure/defender/enableDefenderForDNS.js | 11 +---------- .../defender/enableDefenderForKeyVaults.js | 11 +---------- .../defender/enableDefenderForSqlServers.js | 12 +----------- .../azure/defender/enableDefenderForStorage.js | 11 +---------- plugins/azure/defender/enableDefenderForVMs.js | 11 +---------- 7 files changed, 22 insertions(+), 62 deletions(-) diff --git a/helpers/azure/functions.js b/helpers/azure/functions.js index 0a40c0a0e1..66f9274491 100644 --- a/helpers/azure/functions.js +++ b/helpers/azure/functions.js 
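Review bot: The failing-result case uses a fixture named 'KubernetesService', so it exercises the "no VirtualMachines pricing found" branch and never the "found but not Standard" branch, which is the one with the mis-ordered `addResult` arguments in the plugin; add a fixture with `"name": "VirtualMachines", "pricingTier": "Free"` and assert `results[0].region` is 'global' and `results[0].resource` is the pricing id. The module is imported as `var auth = require('./enableDefenderForVMs');`, a leftover from another spec — naming it `enableDefenderForVMs` keeps the file consistent with the other specs in this series.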
@@ -356,6 +356,20 @@ function checkServerConfigs(servers, cache, source, location, results, serverTyp }); } +function checkMicrosoftDefender(pricings, serviceName, serviceDisplayName, results, location ) { + + let pricingData = pricings.data.find((pricing) => pricing.name.toLowerCase() === serviceName); + if (pricingData) { + if (pricingData.pricingTier.toLowerCase() === 'standard') { + addResult(results, 0, `Azure Defender is enabled for ${serviceDisplayName}`, location, pricingData.id); + } else { + addResult(results, 2, `Azure Defender is not enabled for ${serviceDisplayName}`, location, pricingData.id); + } + } else { + addResult(results, 2, `Azure Defender is not enabled for ${serviceDisplayName}`, location); + } +} + function processCall(config, method, body, baseUrl, resource, callback) { var fullUrl = baseUrl.replace('{resource}', resource); @@ -702,5 +716,6 @@ module.exports = { remediatePlugin: remediatePlugin, processCall: processCall, remediateOpenPorts: remediateOpenPorts, - remediateOpenPortsHelper: remediateOpenPortsHelper + remediateOpenPortsHelper: remediateOpenPortsHelper, + checkMicrosoftDefender: checkMicrosoftDefender }; diff --git a/plugins/azure/defender/enableDefenderForContainers.js b/plugins/azure/defender/enableDefenderForContainers.js index 2fce50aabb..cb041d5c35 100644 --- a/plugins/azure/defender/enableDefenderForContainers.js +++ b/plugins/azure/defender/enableDefenderForContainers.js 
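Review bot: `checkMicrosoftDefender` calls `pricing.name.toLowerCase()` inside `find` and `pricingData.pricingTier.toLowerCase()` unguarded, while two of the call sites it replaces (enableDefenderForDNS and enableDefenderForKeyVaults, visible in the later hunks) guarded both with `pricing.name &&` / `pricingTier &&`; consolidating onto the helper therefore turns a pricing entry with a missing property from a FAIL result into a thrown TypeError for every Defender plugin. Restore the guards in the shared helper: `let pricingData = pricings.data.find((pricing) => pricing.name && pricing.name.toLowerCase() === serviceName);` and `if (pricingData.pricingTier && pricingData.pricingTier.toLowerCase() === 'standard') {`. Since this is now an exported helper, a JSDoc header would help: state that `serviceName` is the lower-cased `Microsoft.Security/pricings` name to match, `serviceDisplayName` is the label used in the result messages, and that exactly one result is appended to `results` for `location`.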
@@ -33,16 +33,7 @@ module.exports = { return rcb(); } - let containersPricing = pricings.data.find((pricing) => pricing.name.toLowerCase() === 'containers'); - if (containersPricing) { - if (containersPricing.pricingTier.toLowerCase() === 'standard') { - helpers.addResult(results, 0, 'Azure Defender is enabled for Containers', location, containersPricing.id); - } else { - helpers.addResult(results, 2, 'Azure Defender is not enabled for Containers', location, containersPricing.id); - } - } else { - helpers.addResult(results, 2, 'Azure Defender is not enabled for Containers', location); - } + helpers.checkMicrosoftDefender(pricings, 'containers', 'Containers', results, location); rcb(); }, function(){ diff --git a/plugins/azure/defender/enableDefenderForDNS.js b/plugins/azure/defender/enableDefenderForDNS.js index ef35836dce..30e1c1600d 100644 --- a/plugins/azure/defender/enableDefenderForDNS.js +++ b/plugins/azure/defender/enableDefenderForDNS.js @@ -33,16 +33,7 @@ module.exports = { return rcb(); } - let dnsPricing = pricings.data.find((pricing) => pricing.name && pricing.name.toLowerCase() === 'dns'); - if (dnsPricing) { - if (dnsPricing.pricingTier && dnsPricing.pricingTier.toLowerCase() === 'standard') { - helpers.addResult(results, 0, 'Azure Defender is enabled for DNS', location, dnsPricing.id); - } else { - helpers.addResult(results, 2, 'Azure Defender is not enabled for DNS', location, dnsPricing.id); - } - } else { - helpers.addResult(results, 2, 'Azure Defender is not enabled for DNS', location); - } + helpers.checkMicrosoftDefender(pricings, 'dns', 'DNS', results, location); rcb(); }, function(){ callback(null, results, source); diff --git a/plugins/azure/defender/enableDefenderForKeyVaults.js b/plugins/azure/defender/enableDefenderForKeyVaults.js index dd3ecc183a..70c234d444 100644 --- a/plugins/azure/defender/enableDefenderForKeyVaults.js +++ b/plugins/azure/defender/enableDefenderForKeyVaults.js 
@@ -33,16 +33,7 @@ module.exports = { return rcb(); } - let keyVaultPricing = pricings.data.find((pricing) => pricing.name && pricing.name.toLowerCase() === 'keyvaults'); - if (keyVaultPricing) { - if (keyVaultPricing.pricingTier && keyVaultPricing.pricingTier.toLowerCase() === 'standard') { - helpers.addResult(results, 0, 'Azure Defender is enabled for Key Vaults', location, keyVaultPricing.id); - } else { - helpers.addResult(results, 2, 'Azure Defender is not enabled for Key Vaults', location, keyVaultPricing.id); - } - } else { - helpers.addResult(results, 2, 'Azure Defender is not enabled for Key Vaults', location); - } + helpers.checkMicrosoftDefender(pricings, 'keyvaults', 'Key Vaults', results, location); rcb(); }, function(){ callback(null, results, source); diff --git a/plugins/azure/defender/enableDefenderForSqlServers.js b/plugins/azure/defender/enableDefenderForSqlServers.js index 9a49ce22b0..0f94987f84 100644 --- a/plugins/azure/defender/enableDefenderForSqlServers.js +++ b/plugins/azure/defender/enableDefenderForSqlServers.js @@ -33,17 +33,7 @@ module.exports = { return rcb(); } - let sqlServersPricing = pricings.data.find((pricing) => pricing.name && pricing.name.toLowerCase() === 'sqlservers'); - - if (sqlServersPricing) { - if (sqlServersPricing.pricingTier.toLowerCase() === 'standard') { - helpers.addResult(results, 0, 'Azure Defender is enabled for SQL Server Databases', location, sqlServersPricing.id); - } else { - helpers.addResult(results, 2, 'Azure Defender is not enabled for SQL Server Databases', location, sqlServersPricing.id); - } - } else { - helpers.addResult(results, 2, 'Azure Defender is not enabled for SQL Server Databases', location); - } + helpers.checkMicrosoftDefender(pricings, 'sqlservers', 'SQL Server Databases', results, location); rcb(); }, function(){ diff --git a/plugins/azure/defender/enableDefenderForStorage.js b/plugins/azure/defender/enableDefenderForStorage.js index 1299d44799..56e89c2acb 100644 
--- a/plugins/azure/defender/enableDefenderForStorage.js +++ b/plugins/azure/defender/enableDefenderForStorage.js @@ -33,16 +33,7 @@ module.exports = { return rcb(); } - let storagePricing = pricings.data.find((pricing) => pricing.name.toLowerCase() === 'storageaccounts'); - if (storagePricing) { - if (storagePricing.pricingTier.toLowerCase() === 'standard') { - helpers.addResult(results, 0, 'Azure Defender is enabled for Storage Accounts', location, storagePricing.id); - } else { - helpers.addResult(results, 2, 'Azure Defender is not enabled for Storage Accounts', location, storagePricing.id); - } - } else { - helpers.addResult(results, 2, 'Azure Defender is not enabled for Storage Accounts', location); - } + helpers.checkMicrosoftDefender(pricings, 'storageaccounts', 'Storage Accounts', results, location); rcb(); }, function(){ diff --git a/plugins/azure/defender/enableDefenderForVMs.js b/plugins/azure/defender/enableDefenderForVMs.js index b40f4e7faa..d8180c7c56 100644 --- a/plugins/azure/defender/enableDefenderForVMs.js +++ b/plugins/azure/defender/enableDefenderForVMs.js @@ -33,16 +33,7 @@ module.exports = { return rcb(); } - let vmPricing = pricings.data.find((pricing) => pricing.name.toLowerCase() === 'virtualmachines'); - if (vmPricing) { - if (vmPricing.pricingTier.toLowerCase() === 'standard') { - helpers.addResult(results, 0, 'Azure Defender is enabled for Virtual Machines', location, vmPricing.id); - } else { - helpers.addResult(results, 2, 'Azure Defender is not enabled for Virtual Machines', vmPricing.id); - } - } else { - helpers.addResult(results, 2, 'Azure Defender is not enabled for Virtual Machines', location); - } + helpers.checkMicrosoftDefender(pricings, 'virtualmachines', 'Virtual Machines', results, location); rcb(); }, function(){ From 9993eee833d0789bfaefd23937faf7ae356f39aa Mon Sep 17 00:00:00 2001 
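Review bot: The removed failing branch in enableDefenderForVMs.js passed `vmPricing.id` in the `location` slot and no resource id (`helpers.addResult(results, 2, 'Azure Defender is not enabled for Virtual Machines', vmPricing.id);`), so the helper call silently corrects a bug where FAIL results for VMs reported the pricing id as their region. That behaviour change is worth a line in the commit message, since consumers keying on `region` for this plugin will see different output after this refactor. The enclosing `async.each` callback starts outside the hunk.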
From: mehakseedat63 Date: Tue, 26 Dec 2023 06:43:29 +0500 Subject: [PATCH 346/498] Azure - Defender for App Services Plugin --- exports.js | 1 + .../defender/enableDefenderForAppService.js | 43 ++++++++ .../enableDefenderForAppService.spec.js | 103 ++++++++++++++++++ 3 files changed, 147 insertions(+) create mode 100644 plugins/azure/defender/enableDefenderForAppService.js create mode 100644 plugins/azure/defender/enableDefenderForAppService.spec.js diff --git a/exports.js b/exports.js index f92ab35718..bb330d0756 100644 --- a/exports.js +++ b/exports.js @@ -998,6 +998,7 @@ module.exports = { 'enableDefenderForDNS' : require(__dirname + '/plugins/azure/defender/enableDefenderForDNS.js'), 'enableDefenderForKeyVaults' : require(__dirname + '/plugins/azure/defender/enableDefenderForKeyVaults.js'), 'enableDefenderForVMs' : require(__dirname + '/plugins/azure/defender/enableDefenderForVMs.js'), + 'enableDefenderForAppService' : require(__dirname + '/plugins/azure/defender/enableDefenderForAppService.js'), 'agWafEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agWafEnabled'), 'applicationGatewayHasTags' : require(__dirname + '/plugins/azure/applicationGateway/applicationGatewayHasTags.js'), diff --git a/plugins/azure/defender/enableDefenderForAppService.js b/plugins/azure/defender/enableDefenderForAppService.js new file mode 100644 index 0000000000..b8f959302a --- /dev/null +++ b/plugins/azure/defender/enableDefenderForAppService.js 
@@ -0,0 +1,43 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Enable Defender For App Services', + category: 'Defender', + domain: 'Management and Governance', + description: 'Ensures that Microsoft Defender is enabled for App Services.', + more_info: 'Turning on Microsoft Defender for App Services enables threat detection, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.', + recommended_action: 'Enable Microsoft Defender for App Services in Defender plans for the subscription.', + link: 'https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-app-service-introduction', + apis: ['pricings:list'], + + run: function(cache, settings, callback) { + var results = []; + var source = {}; + var locations = helpers.locations(settings.govcloud); + + async.each(locations.pricings, function(location, rcb) { + var pricings = helpers.addSource(cache, source, + ['pricings', 'list', location]); + + if (!pricings) return rcb(); + + if (pricings.err || !pricings.data) { + helpers.addResult(results, 3, + 'Unable to query for Pricing: ' + helpers.addError(pricings), location); + return rcb(); + } + + if (!pricings.data.length) { + helpers.addResult(results, 0, 'No Pricing information found', location); + return rcb(); + } + + helpers.checkMicrosoftDefender(pricings, 'appservices', 'App Services', results, location); + + rcb(); + }, function(){ + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/defender/enableDefenderForAppService.spec.js b/plugins/azure/defender/enableDefenderForAppService.spec.js new file mode 100644 index 0000000000..96d1ca5d76 --- /dev/null +++ b/plugins/azure/defender/enableDefenderForAppService.spec.js 
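Review bot: The empty-list branch `if (!pricings.data.length) { helpers.addResult(results, 0, 'No Pricing information found', location); ... }` reports PASS when the subscription returns no Defender pricing entries at all, which is precisely the state where Defender for App Services is not enabled. A compliance check that passes on "nothing configured" masks the condition it exists to detect; `helpers.addResult(results, 2, 'No Pricing information found', location);` (or status 3 if an empty list is considered an API anomaly rather than a configuration) would be the safer default. If this mirrors the sibling Defender plugins, the change should be made across them together rather than only here, and the spec expectation on the next file needs the same update.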
@@ -0,0 +1,103 @@ +var assert = require('assert'); +var expect = require('chai').expect; +var auth = require('./enableDefenderForAppService'); + +const createCache = (err, data) => { + return { + pricings: { + list: { + 'global': { + err: err, + data: data + } + } + } + } +}; + +describe('enableDefenderForAppService', function() { + describe('run', function() { + it('should give passing unknown if unable to query for pricing informatiin', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Pricing'); + expect(results[0].region).to.equal('global'); + done() + }; + + const cache = createCache( + ['error'], + null + ); + + auth.run(cache, {}, callback); + }); + it('should give passing result if no pricings found', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No Pricing information found'); + expect(results[0].region).to.equal('global'); + done() + }; + + const cache = createCache( + null, + [] + ); + + auth.run(cache, {}, callback); + }); + + it('should give failing result if Azure Defender for App Services is not enabled', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Azure Defender is not enabled for App Services'); + expect(results[0].region).to.equal('global'); + done() + }; + + const cache = createCache( + null, + [ + { + "id": "/subscriptions/e79d9a03-3ab3-4481-bdcd-c5db1d55420a/providers/Microsoft.Security/pricings/default", + "name": "KubernetesService", + "type": "Microsoft.Security/pricings", + "pricingTier": "free", + "location": "global" + } + ] + ); + + auth.run(cache, {}, callback); + }); + + it('should give passing result if Azure Defender for App Services 
is enabled', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Azure Defender is enabled for App Services'); + expect(results[0].region).to.equal('global'); + done() + }; + + const cache = createCache( + null, + [ + { + "id": "/subscriptions/e79d9a03-3ab3-4481-bdcd-c5db1d55420a/providers/Microsoft.Security/pricings/default", + "name": "AppServices", + "type": "Microsoft.Security/pricings", + "pricingTier": "Standard", + "location": "global" + } + ] + ); + + auth.run(cache, {}, callback); + }) + }) +}); \ No newline at end of file From d1062b4fad4af1b4c38d8f91564aa3afd78d57c0 Mon Sep 17 00:00:00 2001 From: mehakseedat63 Date: Tue, 26 Dec 2023 07:29:00 +0500 Subject: [PATCH 347/498] Azure - VM Encryption At Host Plugin --- exports.js | 1 + .../virtualmachines/vmEncryptionAtHost.js | 49 ++++++++++ .../vmEncryptionAtHost.spec.js | 95 +++++++++++++++++++ 3 files changed, 145 insertions(+) create mode 100644 plugins/azure/virtualmachines/vmEncryptionAtHost.js create mode 100644 plugins/azure/virtualmachines/vmEncryptionAtHost.spec.js diff --git a/exports.js b/exports.js index 0fab601115..8304e797b4 100644 --- a/exports.js +++ b/exports.js @@ -756,6 +756,7 @@ module.exports = { 'vmVTPMEnabled' : require(__dirname + '/plugins/azure/virtualmachines/vmVTPMEnabled.js'), 'vmSecureBootEnabled' : require(__dirname + '/plugins/azure/virtualmachines/vmSecureBootEnabled.js'), 'vmDiskDeleteConfig' : require(__dirname + '/plugins/azure/virtualmachines/vmDiskDeleteConfig.js'), + 'vmEncryptionAtHost' : require(__dirname + '/plugins/azure/virtualmachines/vmEncryptionAtHost.js'), 'bastionHostExists' : require(__dirname + '/plugins/azure/bastion/bastionHostExists.js'), diff --git a/plugins/azure/virtualmachines/vmEncryptionAtHost.js b/plugins/azure/virtualmachines/vmEncryptionAtHost.js new file mode 100644 index 0000000000..1294a18f01 --- /dev/null 
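Review bot: The failing-result case feeds a `"KubernetesService"` entry, so the branch where an `AppServices` entry exists but is not on the Standard tier (the FAIL result that carries the pricing `id`) is never exercised; add a fixture such as `{ "name": "AppServices", "pricingTier": "Free", "id": "...", "location": "global" }` with the same expectation. The first test title reads `'should give passing unknown if unable to query for pricing informatiin'` and should be `'should give unknown result if unable to query for pricing information'`. `var assert = require('assert');` is unused and can be dropped since chai's `expect` does the asserting.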
+++ b/plugins/azure/virtualmachines/vmEncryptionAtHost.js 
@@ -0,0 +1,49 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure/'); + +module.exports = { + title: 'VM Encryption At Host', + category: 'Virtual Machines', + domain: 'Compute', + description: 'Ensures that encryption at host is enabled for Azure Virtual Machine disks.', + more_info: 'The data for your temporary disk and OS/data disk caches is stored on the VM host, enabling encyrption at host for Azure Virtual Machine disks allows that data to be end-to-end encrypted, ensuring compliance and bolstering overall security with Azure Disk Encryption.', + recommended_action: 'Ensure that all Azure Virtual Machines have encryption at host enabled for disks.', + link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption#encryption-at-host---end-to-end-encryption-for-your-vm-data', + apis: ['virtualMachines:listAll'], + + run: function(cache, settings, callback) { + var results = []; + var source = {}; + var locations = helpers.locations(settings.govcloud); + + + async.each(locations.virtualMachines, function(location, rcb) { + var virtualMachines = helpers.addSource(cache, source, + ['virtualMachines', 'listAll', location]); + + if (!virtualMachines) return rcb(); + + if (virtualMachines.err || !virtualMachines.data) { + helpers.addResult(results, 3, 'Unable to query for virtualMachines: ' + helpers.addError(virtualMachines), location); + return rcb(); + } + + if (!virtualMachines.data.length) { + helpers.addResult(results, 0, 'No existing Virtual Machines found', location); + return rcb(); + } + + virtualMachines.data.forEach(virtualMachine => { + if (virtualMachine.securityProfile && virtualMachine.securityProfile.encryptionAtHost) { + helpers.addResult(results, 0, 'Encryption at host is enabled for virtual machine disks', location, virtualMachine.id); + } else { + helpers.addResult(results, 2, 'Encryption at host is not enabled for virtual machine disks', location, virtualMachine.id); + } + }); + + rcb(); + }, 
function() { + callback(null, results, source); + }); + } +}; diff --git a/plugins/azure/virtualmachines/vmEncryptionAtHost.spec.js b/plugins/azure/virtualmachines/vmEncryptionAtHost.spec.js new file mode 100644 index 0000000000..efc8b3af9c --- /dev/null +++ b/plugins/azure/virtualmachines/vmEncryptionAtHost.spec.js 
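Review bot: The `more_info` text has a typo (`encyrption`) and ends with "bolstering overall security with Azure Disk Encryption", which conflates two features: as I read the linked page, encryption at host is a host-level capability separate from Azure Disk Encryption (the in-guest BitLocker/dm-crypt feature), and VMs that rely on ADE instead would still be flagged FAIL by this check. Suggested wording: `more_info: 'The data for the temporary disk and the OS/data disk caches is stored on the VM host; enabling encryption at host causes that data to be encrypted at rest on the host, giving end-to-end encryption for VM data independent of Azure Disk Encryption.'`. A one-line comment above the `forEach`, such as `// securityProfile.encryptionAtHost is a boolean on the VM resource; absent means disabled`, would make the truthiness check's intent explicit.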
@@ -0,0 +1,95 @@ +var expect = require('chai').expect; +var vmEncryptionAtHost = require('./vmEncryptionAtHost'); + +const virtualMachines = [ + { + 'name': 'test-vm', + 'id': '/subscriptions/123/resourceGroups/AQUA-RESOURCE_GROUP/providers/Microsoft.Compute/virtualMachines/test-vm', + 'type': 'Microsoft.Compute/virtualMachines', + 'storageProfile': { + 'imageReference': { + 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Compute/galleries/myGallery/images/test-def-1/versions/1.0.0', + 'exactVersion': '1.0.0' + } + }, + 'securityProfile': { + 'encryptionAtHost': true + } + }, + { + 'name': 'test-vm', + 'id': '/subscriptions/123/resourceGroups/AQUA-RESOURCE_GROUP/providers/Microsoft.Compute/virtualMachines/test-vm', + 'type': 'Microsoft.Compute/virtualMachines', + 'storageProfile': { + 'imageReference': { + 'publisher': 'Canonical', + 'offer': 'UbuntuServer', + 'sku': '18.04-LTS', + 'version': 'latest', + 'exactVersion': '18.04.202007160' + } + } + } +]; + +const createCache = (virtualMachines) => { + let machine = {}; + if (virtualMachines) { + machine['data'] = virtualMachines; + } + return { + virtualMachines: { + listAll: { + 'eastus': machine + } + } + }; +}; + +describe('vmEncryptionAtHost', function() { + describe('run', function() { + it('should give passing result if no virtual machines', function(done) { + const cache = createCache([]); + vmEncryptionAtHost.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Virtual Machines found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for virtual machines', function(done) { + const cache = createCache(null); + vmEncryptionAtHost.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to 
query for virtualMachines'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if VM has encryption at host enabled for disks', function(done) { + const cache = createCache([virtualMachines[0]]); + vmEncryptionAtHost.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Encryption at host is enabled for virtual machine disks'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if VM does not have encryption at host enabled for disks', function(done) { + const cache = createCache([virtualMachines[1]]); + vmEncryptionAtHost.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Encryption at host is not enabled for virtual machine disks'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file From aa9f6eb6adb155e9ec149ee8edd86a07de0065e9 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Tue, 26 Dec 2023 12:35:13 +0500 Subject: [PATCH 348/498] Fixed-error-spell --- plugins/azure/redisCache/redisCacheScheduledUpdates.js | 2 +- plugins/azure/redisCache/redisCacheScheduledUpdates.spec.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/redisCache/redisCacheScheduledUpdates.js b/plugins/azure/redisCache/redisCacheScheduledUpdates.js index a7188d4b8e..2039236a0e 100644 --- a/plugins/azure/redisCache/redisCacheScheduledUpdates.js +++ b/plugins/azure/redisCache/redisCacheScheduledUpdates.js 
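Review bot: Both fixtures share the same `id` and `name` (`test-vm`), and the only negative case is a VM with no `securityProfile` at all, so the shape `securityProfile: { encryptionAtHost: false }` (likely what the API returns when the feature has been explicitly disabled, though I cannot confirm that from here) is never tested. Adding a third fixture with `'securityProfile': { 'encryptionAtHost': false }` and a distinct id, asserted to produce status 2, would cover the plugin's truthiness check directly.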
@@ -44,7 +44,7 @@ module.exports = { helpers.addResult(results, 3, 'Unable to query Redis Cache scheduled updates ' + helpers.addError(patchSchedules), location, redisCache.id); } } else { - helpers.addResult(results, 0, 'Redis Cache has scheduled udpates enabled', location, redisCache.id); + helpers.addResult(results, 0, 'Redis Cache has scheduled updates enabled', location, redisCache.id); } }); diff --git a/plugins/azure/redisCache/redisCacheScheduledUpdates.spec.js b/plugins/azure/redisCache/redisCacheScheduledUpdates.spec.js index 49387e140b..bb76557867 100644 --- a/plugins/azure/redisCache/redisCacheScheduledUpdates.spec.js +++ b/plugins/azure/redisCache/redisCacheScheduledUpdates.spec.js @@ -169,7 +169,7 @@ describe('redisCacheScheduledUpdates', function() { redisCacheScheduledUpdates.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Redis Cache has scheduled udpates enabled'); + expect(results[0].message).to.include('Redis Cache has scheduled updates enabled'); expect(results[0].region).to.equal('eastus'); done(); }); From c7f4302c394325969e03cb99de94ee4720b5ec7c Mon Sep 17 00:00:00 2001 From: fatima99s Date: Tue, 26 Dec 2023 14:04:02 +0500 Subject: [PATCH 349/498] flexibleServerVersion --- exports.js | 1 + .../postgresqlserver/flexibleServerVersion.js | 63 +++++++++++ .../flexibleServerVersion.spec.js | 106 ++++++++++++++++++ 3 files changed, 170 insertions(+) create mode 100644 plugins/azure/postgresqlserver/flexibleServerVersion.js create mode 100644 plugins/azure/postgresqlserver/flexibleServerVersion.spec.js diff --git a/exports.js b/exports.js index fe8c0f16b2..b10cd13c93 100644 --- a/exports.js +++ b/exports.js 
@@ -833,6 +833,7 @@ module.exports = { 'diagnosticLoggingEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/diagnosticLoggingEnabled.js'), 'flexibleServerSCRAMEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/flexibleServerSCRAMEnabled.js'), 'flexibleServerDiagnosticLogs' : require(__dirname + '/plugins/azure/postgresqlserver/flexibleServerDiagnosticLogs.js'), + 'flexibleServerVersion' : require(__dirname + '/plugins/azure/postgresqlserver/flexibleServerVersion.js'), 'openOracleAutoDataWarehouse' : require(__dirname + '/plugins/azure/networksecuritygroups/openOracleAutoDataWarehouse.js'), 'networkWatcherEnabled' : require(__dirname + '/plugins/azure/networksecuritygroups/networkWatcherEnabled.js'), diff --git a/plugins/azure/postgresqlserver/flexibleServerVersion.js b/plugins/azure/postgresqlserver/flexibleServerVersion.js new file mode 100644 index 0000000000..20ac7b9ea3 --- /dev/null +++ b/plugins/azure/postgresqlserver/flexibleServerVersion.js 
@@ -0,0 +1,63 @@ +const async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'PostgreSQL Flexible Server Version', + category: 'PostgreSQL Server', + domain: 'Databases', + description: 'Ensure PostgreSQL flexible servers is using the latest server version.', + more_info: 'The latest version of PostgreSQL for flexible servers will give access to new software features, resolve reported bugs through security patches, and improve compatibility with other applications and services.', + recommended_action: 'Upgrade the version of PostgreSQL flexible server to the latest available version..', + link: 'https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-supported-versions', + apis: ['servers:listPostgresFlexibleServer'], + settings: { + server_desired_version: { + name: 'Postgressql Flexible Server Desired Version', + description: 'Desire Postgressql Flexible Server Version ', + regex: '^[0-9]+$', + default: '11' + } + }, + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + var config = { + server_desired_version: settings.server_desired_version || this.settings.server_desired_version.default + }; + + + async.each(locations.servers, (location, rcb) => { + const servers = helpers.addSource(cache, source, + ['servers', 'listPostgresFlexibleServer', location]); + + if (!servers) return rcb(); + + if (servers.err || !servers.data) { + helpers.addResult(results, 3, + 'Unable to query for PostgreSQL flexible servers: ' + helpers.addError(servers), location); + return rcb(); + } + + if (!servers.data.length) { + helpers.addResult(results, 0, 'No existing PostgreSQL flexible servers found', location); + return rcb(); + } + + for (var flexibleServer of servers.data) { + + if(flexibleServer.version >= config.server_desired_version) { + helpers.addResult(results, 0, + 'Postgresql flexible server has the latest 
server version', location, flexibleServer.id); + } else { + helpers.addResult(results, 2, + 'Postgresql flexible server doesnot the latest server version', location, flexibleServer.id); + } + } + rcb(); + }, function() { + // Global checking goes here + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/postgresqlserver/flexibleServerVersion.spec.js b/plugins/azure/postgresqlserver/flexibleServerVersion.spec.js new file mode 100644 index 0000000000..f3753f7de8 --- /dev/null +++ b/plugins/azure/postgresqlserver/flexibleServerVersion.spec.js 
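Review bot: `if(flexibleServer.version >= config.server_desired_version)` compares two strings lexicographically: the setting is validated by `^[0-9]+$` and defaulted to `'11'`, and the spec fixtures show `version` arriving as a string, so `'9' >= '11'` is `true` and a PostgreSQL 9.x server would PASS while a two-digit actual against a single-digit desired value can invert the other way. Use numeric comparison: `if (parseInt(flexibleServer.version, 10) >= parseInt(config.server_desired_version, 10)) {`. The result messages also claim "latest" while the check is "at least the configured version", and the FAIL string is ungrammatical; `'Postgresql flexible server does not have the desired server version'` (and the matching spec expectation) would be accurate. The setting metadata has typos (`Postgressql`, `Desire`), and since PostgreSQL 11 is past Azure's announced retirement, a higher default is worth considering.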
@@ -0,0 +1,106 @@ +var expect = require('chai').expect; +var flexibleServerVersion = require('./flexibleServerVersion'); + +const listPostgresFlexibleServer = [ + { + "id": "/subscriptions/12345/resourceGroups/Default/providers/Microsoft.DBforPostgreSQL/flexibleServers/test-server", + "type": "Microsoft.DBforPostgreSQL/flexibleServers", + "storageProfile": { + "storageMB": 5120, + "backupRetentionDays": 7, + "geoRedundantBackup": "Disabled", + "storageAutogrow": "Disabled" + }, + "version": '13' + }, + { + "id": "/subscriptions/12345/resourceGroups/Default/providers/Microsoft.DBforPostgreSQL/flexibleServers/test-server1", + "type": "Microsoft.DBforPostgreSQL/flexibleServers", + "storageProfile": { + "storageMB": 5120, + "backupRetentionDays": 7, + "geoRedundantBackup": "Disabled", + "storageAutogrow": "Disabled" + }, + "version": '10' + } +]; + + +const createCache = (list) => { + return { + servers: { + listPostgresFlexibleServer: { + 'eastus': { + data: list + } + } + } + } +}; + +describe('flexibleServerVersion', function() { + describe('run', function() { + it('should give passing result if no servers', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing PostgreSQL flexible servers found'); + expect(results[0].region).to.equal('eastus'); + done() + }; + + const cache = createCache([]); + + flexibleServerVersion.run(cache, {}, callback); + }) + + it('should give failing result if postgresql flexiable server does nothave the latest version', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Postgresql flexible server doesnot the latest server version'); + expect(results[0].region).to.equal('eastus'); + done() + }; + + const cache = createCache( + [listPostgresFlexibleServer[1]] + ); + + 
flexibleServerVersion.run(cache, {}, callback); + }); + + it('should give passing result if postgresql server have the latest version', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Postgresql flexible server has the latest server version'); + expect(results[0].region).to.equal('eastus'); + done() + }; + + const cache = createCache( + [listPostgresFlexibleServer[0]] + ); + + flexibleServerVersion.run(cache, {}, callback); + }); + + it('should give unknown result if unable to query for PostgreSQL Servers', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for PostgreSQL flexible servers'); + expect(results[0].region).to.equal('eastus'); + done() + }; + + const cache = createCache( + null + ); + + flexibleServerVersion.run(cache, {}, callback); + }); + }) +}) \ No newline at end of file From 145739ed109ef471482e5ac69caf0e4eb0576d9c Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Tue, 26 Dec 2023 15:06:39 +0500 Subject: [PATCH 350/498] Azure/ACR-Content-Trust --- exports.js | 1 + .../acrContentTrustEnabled.js | 61 ++++++++++ .../acrContentTrustEnabled.spec.js | 110 ++++++++++++++++++ 3 files changed, 172 insertions(+) create mode 100644 plugins/azure/containerregistry/acrContentTrustEnabled.js create mode 100644 plugins/azure/containerregistry/acrContentTrustEnabled.spec.js diff --git a/exports.js b/exports.js index fe8c0f16b2..631ec39679 100644 --- a/exports.js +++ b/exports.js 
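Review bot: There is no fixture with a single-digit version such as `"version": '9'`, which is exactly the input where the plugin's string `>=` comparison misbehaves; add one expecting status 2 so the comparison bug is pinned by a test. None of the cases pass `server_desired_version` in `settings`, so the configurable threshold is untested as well. Test titles contain `flexiable` and `nothave`, which should read `flexible` and `not have`.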
@@ -938,6 +938,7 @@ module.exports = { 'acrCMKEncryption' : require(__dirname + '/plugins/azure/containerregistry/acrCMKEncryption.js'), 'acrLogAnalyticsEnabled' : require(__dirname + '/plugins/azure/containerregistry/acrLogAnalyticsEnabled.js'), 'acrAnonymousPullAccessEnabled' : require(__dirname + '/plugins/azure/containerregistry/acrAnonymousPullAccessEnabled.js'), + 'acrContentTrustEnabled' : require(__dirname + '/plugins/azure/containerregistry/acrContentTrustEnabled.js'), 'endpointLoggingEnabled' : require(__dirname + '/plugins/azure/cdnprofiles/endpointLoggingEnabled.js'), 'detectInsecureCustomOrigin' : require(__dirname + '/plugins/azure/cdnprofiles/detectInsecureCustomOrigin.js'), diff --git a/plugins/azure/containerregistry/acrContentTrustEnabled.js b/plugins/azure/containerregistry/acrContentTrustEnabled.js new file mode 100644 index 0000000000..ff0e070552 --- /dev/null +++ b/plugins/azure/containerregistry/acrContentTrustEnabled.js 
@@ -0,0 +1,61 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure/'); + +module.exports = { + title: 'ACR Content Trust Enabled', + category: 'Container Registry', + domain: 'Containers', + description: 'Ensure that content trust is enabled for Azure premium container registries.', + more_info: 'Content trust allows you to sign the images you push to your registry. Consumers of your images (people or systems pulling images from your registry) can configure their clients to pull only signed images.', + recommended_action: 'Modify your container registry and enable content trust.', + link: 'https://learn.microsoft.com/en-us/azure/container-registry/container-registry-content-trust#enable-registry-content-trust', + apis: ['registries:list'], + + run: function(cache, settings, callback) { + var results = []; + var source = {}; + var locations = helpers.locations(settings.govcloud); + + async.each(locations.registries, function(location, rcb) { + + var registries = helpers.addSource(cache, source, + ['registries', 'list', location]); + + if (!registries) return rcb(); + + if (registries.err || !registries.data) { + helpers.addResult(results, 3, + 'Unable to query for container registries: ' + helpers.addError(registries), location); + return rcb(); + } + + if (!registries.data.length) { + helpers.addResult(results, 0, 'No existing container registries found', location); + return rcb(); + } + + var found = false; + for (let registry of registries.data) { + if (!registry.id || (registry.sku && registry.sku.tier && registry.sku.tier!= 'Premium')) continue; + + found = true; + var trustPolicy = registry.policies && registry.policies.trustPolicy? 
registry.policies.trustPolicy : null; + + if (trustPolicy && trustPolicy.status && trustPolicy.status.toLowerCase() == 'enabled'){ + helpers.addResult(results, 0, 'Content trsut is enabled for container registry', location, registry.id); + } else { + helpers.addResult(results, 2, 'Content trsut is not enabled for container registry', location, registry.id); + } + } + + if(!found) { + helpers.addResult(results, 2, 'No existing container registries found', location); + } + + rcb(); + }, function() { + // Global checking goes here + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/containerregistry/acrContentTrustEnabled.spec.js b/plugins/azure/containerregistry/acrContentTrustEnabled.spec.js new file mode 100644 index 0000000000..d11f843b0d --- /dev/null +++ b/plugins/azure/containerregistry/acrContentTrustEnabled.spec.js 
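Review bot: The `if(!found)` branch emits `helpers.addResult(results, 2, 'No existing container registries found', location);`, so a subscription whose registries are all Basic or Standard tier (where content trust is not offered) gets a FAIL with a message that is also false, and it contradicts the status 0 given for an empty list a few lines earlier. Suggested: `helpers.addResult(results, 0, 'No existing Premium tier container registries found', location);`. Both runtime messages misspell `trsut`, and the spec in the next file asserts the misspelling, so fix them together: `'Content trust is enabled for container registry'` / `'Content trust is not enabled for container registry'`. Separately, `registry.sku.tier!= 'Premium'` should be `!==`, and note that a registry whose `sku.tier` is absent is not skipped and will be evaluated as if Premium.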
@@ -0,0 +1,110 @@ +var assert = require('assert'); +var expect = require('chai').expect; +var acrContentTrustEnabled = require('./acrContentTrustEnabled'); + +registries = [ + { + "id": "/subscriptions/ade0e01e-f9cd-49d3-bba7-d5a5362a3414/resourceGroups/devresourcegroup/providers/Microsoft.ContainerRegistry/registries/testregistry12543", + "name": "testregistry12543", + "type": "Microsoft.ContainerRegistry/registries", + "location": "eastus", + "tags": {}, + "sku": { + "name": "Premium", + "tier": "Premium" + }, + "policies": { + "quarantinePolicy": { + "status": "disabled" + }, + "trustPolicy": { + "type": "Notary", + "status": "disabled" + }, + } + }, + { + "id": "/subscriptions/ade0e01e-f9cd-49d3-bba7-d5a5362a3414/resourceGroups/devresourcegroup/providers/Microsoft.ContainerRegistry/registries/testregistry12543", + "name": "testregistry12543", + "type": "Microsoft.ContainerRegistry/registries", + "location": "eastus", + "tags": {}, + "sku": { + "name": "Premium", + "tier": "Premium" + }, + "policies": { + "quarantinePolicy": { + "status": "disabled" + }, + "trustPolicy": { + "type": "Notary", + "status": "enabled" + }, + } + } + +]; +const createCache = (err, data) => { + return { + registries: { + list: { + 'eastus': { + err: err, + data: data + } + } + } + } +}; + +describe('acrContentTrustEnabled', function() { + describe('run', function() { + it('should give passing result if no container registries', function(done) { + const cache = createCache(null, []); + acrContentTrustEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing container registries found'); + expect(results[0].region).to.equal('eastus'); + done() + }); + }); + + it('should give failing result if content trsut is not enabled for container registry', function(done) { + const cache = createCache(null,[registries[0]]); + acrContentTrustEnabled.run(cache, {}, (err, results) => { 
+ expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Content trsut is not enabled for container registry'); + expect(results[0].region).to.equal('eastus'); + done() + }); + + }); + + it('should give passing result if content trsut is enabled for container registry', function(done) { + const cache = createCache(null, [registries[1]]); + acrContentTrustEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Content trsut is enabled for container registry'); + expect(results[0].region).to.equal('eastus'); + done() + }); + }); + + it('should give passing result unable to query container registry', function(done) { + const cache = createCache(null, null); + acrContentTrustEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for container registries:'); + expect(results[0].region).to.equal('eastus'); + done() + }); + + }); + + }) +}); \ No newline at end of file From a3f032416ce4952f82c57fe8d0db5ddf1548465a Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Tue, 26 Dec 2023 15:07:14 +0500 Subject: [PATCH 351/498] linting --- plugins/azure/containerregistry/acrContentTrustEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/containerregistry/acrContentTrustEnabled.js b/plugins/azure/containerregistry/acrContentTrustEnabled.js index ff0e070552..4a17a693ee 100644 --- a/plugins/azure/containerregistry/acrContentTrustEnabled.js +++ b/plugins/azure/containerregistry/acrContentTrustEnabled.js @@ -48,7 +48,7 @@ module.exports = { } } - if(!found) { + if (!found) { helpers.addResult(results, 2, 'No existing container registries found', location); } From 3510b9ed2de904d20b044c512090f38c45e9dcaa Mon Sep 17 00:00:00 2001 
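Review bot: `registries = [` at the top of the spec has no `const`/`let`/`var`, so it creates an implicit global that throws under strict mode and leaks the fixture across spec files loaded in the same mocha process; declare it `const registries = [`. The suite also never covers a non-Premium registry, which is the only input that reaches the plugin's `if (!found)` branch, so the status reported there is unasserted — add a fixture with `"sku": { "name": "Basic", "tier": "Basic" }` and assert the resulting status and message. The test titled 'should give passing result unable to query container registry' asserts status 3 (UNKNOWN), so its title is misleading.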
From: fatima99s Date: Tue, 26 Dec 2023 15:10:12 +0500 Subject: [PATCH 352/498] fixed lint --- plugins/azure/postgresqlserver/flexibleServerVersion.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/postgresqlserver/flexibleServerVersion.js b/plugins/azure/postgresqlserver/flexibleServerVersion.js index 20ac7b9ea3..a2a79e62d0 100644 --- a/plugins/azure/postgresqlserver/flexibleServerVersion.js +++ b/plugins/azure/postgresqlserver/flexibleServerVersion.js @@ -12,7 +12,7 @@ module.exports = { apis: ['servers:listPostgresFlexibleServer'], settings: { server_desired_version: { - name: 'Postgressql Flexible Server Desired Version', + name: 'Postgresql Flexible Server Desired Version', description: 'Desire Postgressql Flexible Server Version ', regex: '^[0-9]+$', default: '11' @@ -51,7 +51,7 @@ module.exports = { 'Postgresql flexible server has the latest server version', location, flexibleServer.id); } else { helpers.addResult(results, 2, - 'Postgresql flexible server doesnot the latest server version', location, flexibleServer.id); + 'Postgresql flexible server does not the latest server version', location, flexibleServer.id); } } rcb(); From b724b41e221ef02d3525f0c4abecce0d71b95203 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Tue, 26 Dec 2023 15:12:19 +0500 Subject: [PATCH 353/498] Azure/ACR-Content-Trust --- .../azure/containerregistry/acrContentTrustEnabled.spec.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/plugins/azure/containerregistry/acrContentTrustEnabled.spec.js b/plugins/azure/containerregistry/acrContentTrustEnabled.spec.js index d11f843b0d..46f3c77d32 100644 --- a/plugins/azure/containerregistry/acrContentTrustEnabled.spec.js +++ b/plugins/azure/containerregistry/acrContentTrustEnabled.spec.js @@ -1,5 +1,5 @@ var assert = require('assert'); -var expect = require('chai').expect; + var acrContentTrustEnabled = require('./acrContentTrustEnabled'); registries = [ 
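Review bot: The rewritten failure message in the second hunk, `'Postgresql flexible server does not the latest server version'`, is still missing its verb; it should read `'Postgresql flexible server does not have the latest server version'`, with the matching expectation in flexibleServerVersion.spec.js updated alongside. The comparison that selects this branch sits just above the hunk (visible in a later patch on this page as `flexibleServer.version >= config.server_desired_version`); if `version` arrives as a string, as the setting does given its `^[0-9]+$` regex and `'11'` default, `>=` compares lexicographically and would rank `'9'` above `'11'`, so `Number(flexibleServer.version) >= Number(config.server_desired_version)` is safer. The enclosing loop starts outside the hunk.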
@@ -9,6 +9,7 @@ registries = [ "type": "Microsoft.ContainerRegistry/registries", "location": "eastus", "tags": {}, + "anonymousPullEnabled": true, "sku": { "name": "Premium", "tier": "Premium" @@ -29,6 +30,7 @@ registries = [ "type": "Microsoft.ContainerRegistry/registries", "location": "eastus", "tags": {}, + "anonymousPullEnabled": false, "sku": { "name": "Premium", "tier": "Premium" From d3951200ff8ba63b20759fbf9c5d217d01eca632 Mon Sep 17 00:00:00 2001 From: Fatima <66124862+fatima99s@users.noreply.github.com> Date: Tue, 26 Dec 2023 15:12:41 +0500 Subject: [PATCH 354/498] Update flexibleServerVersion.spec.js --- plugins/azure/postgresqlserver/flexibleServerVersion.spec.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/postgresqlserver/flexibleServerVersion.spec.js b/plugins/azure/postgresqlserver/flexibleServerVersion.spec.js index f3753f7de8..ab0205b57c 100644 --- a/plugins/azure/postgresqlserver/flexibleServerVersion.spec.js +++ b/plugins/azure/postgresqlserver/flexibleServerVersion.spec.js @@ -59,7 +59,7 @@ describe('flexibleServerVersion', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Postgresql flexible server doesnot the latest server version'); + expect(results[0].message).to.include('Postgresql flexible server does not the latest server version'); expect(results[0].region).to.equal('eastus'); done() }; @@ -103,4 +103,4 @@ describe('flexibleServerVersion', function() { flexibleServerVersion.run(cache, {}, callback); }); }) -}) \ No newline at end of file +}) From 26b505582c3d31c297a0de89c69e8d4e957bec1a Mon Sep 17 00:00:00 2001 
From: alphadev4 Date: Tue, 26 Dec 2023 15:45:04 +0500 Subject: [PATCH 355/498] Azure/Aks-Diagnostic-Logs --- exports.js | 1 + helpers/azure/api.js | 5 + .../aksDiagnosticLogsEnabled.js | 64 +++++++++ .../aksDiagnosticLogsEnabled.spec.js | 135 ++++++++++++++++++ 4 files changed, 205 insertions(+) create mode 100644 plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.js create mode 100644 plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.spec.js diff --git a/exports.js b/exports.js index fe8c0f16b2..dd0f79701c 100644 --- a/exports.js +++ b/exports.js @@ -931,6 +931,7 @@ module.exports = { 'aksClusterHasTags' : require(__dirname + '/plugins/azure/kubernetesservice/aksClusterHasTags.js'), 'aksEncryptionAtRestWithCMK' : require(__dirname + '/plugins/azure/kubernetesservice/aksEncryptionAtRestWithCMK'), 'aksPrivateCluster' : require(__dirname + '/plugins/azure/kubernetesservice/aksPrivateCluster.js'), + 'aksDiagnosticLogsEnabled' : require(__dirname + '/plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.js'), 'acrAdminUser' : require(__dirname + '/plugins/azure/containerregistry/acrAdminUser.js'), 'acrHasTags' : require(__dirname + '/plugins/azure/containerregistry/acrHasTags.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index d2a855693d..e06bc913f5 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -1035,6 +1035,11 @@ var tertiarycalls = { properties: ['id'], url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview' }, + listByAksClusters: { + reliesOnPath: 'managedClusters.list', + properties: ['id'], + url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview' + } }, backupShortTermRetentionPolicies: { listByDatabase: { 
diff --git a/plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.js b/plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.js new file mode 100644 index 0000000000..59dc9d0e4e --- /dev/null +++ b/plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.js 
@@ -0,0 +1,64 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'AKS Cluster Diagnostic Logs', + category: 'Kubernetes Service', + domain: 'Containers', + description: 'Ensures that Azure Kubernetes clusters have diagnostic logs enabled.', + more_info: '', + recommended_action: '', + link: 'https://learn.microsoft.com/en-us/azure/aks/use-tags', + apis: ['managedClusters:list','diagnosticSettings:listByAksClusters'], + + run: function(cache, settings, callback) { + var results = []; + var source = {}; + var locations = helpers.locations(settings.govcloud); + + async.each(locations.managedClusters, function(location, rcb) { + var managedClusters = helpers.addSource(cache, source, + ['managedClusters', 'list', location]); + + if (!managedClusters) return rcb(); + + if (managedClusters.err || !managedClusters.data) { + helpers.addResult(results, 3, + 'Unable to query for Kubernetes clusters: ' + helpers.addError(managedClusters), location); + return rcb(); + } + + if (!managedClusters.data.length) { + helpers.addResult(results, 0, 'No existing Kubernetes clusters found', location); + return rcb(); + } + + for (let cluster of managedClusters.data) { + if (!cluster.id) continue; + + var diagnosticSettings = helpers.addSource(cache, source, + ['diagnosticSettings', 'listByAksClusters', location, cluster.id]); + + if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) { + helpers.addResult(results, 3, `Unable to query for Kubernetes cluster diagnostic settings: ${helpers.addError(diagnosticSettings)}`, + location, cluster.id); + continue; + } + + var found = diagnosticSettings.data.find(ds => ds.logs && ds.logs.length); + + if (found) { + helpers.addResult(results, 0, 'AKS cluster has diagnostic logs enabled', location, cluster.id); + } else { + helpers.addResult(results, 2, 'AKS cluster does not have diagnostic logs enabled', location, cluster.id); + } + + } + + rcb(); + }, function() 
{ + // Global checking goes here + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.spec.js b/plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.spec.js new file mode 100644 index 0000000000..200c3197e1 --- /dev/null +++ b/plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.spec.js 
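Review bot: The pass condition `diagnosticSettings.data.find(ds => ds.logs && ds.logs.length)` only checks that a diagnostic setting has log entries, not that any of them is enabled; the payload shape in the spec hunk that follows shows each entry carrying an `enabled: true|false` flag, so a setting whose categories are all switched off would still be reported as 'AKS cluster has diagnostic logs enabled'. Change the predicate to `var found = diagnosticSettings.data.find(ds => ds.logs && ds.logs.some(log => log.enabled));`. The plugin also does not look at the setting's destination (workspace, storage account or event hub), which the fixture leaves null; if that is intentional, say so with `// Only checks that at least one log category is enabled; the destination is not validated`.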
@@ -0,0 +1,135 @@ +var expect = require('chai').expect; +var aksDiagnosticLogsEnabled = require('./aksDiagnosticLogsEnabled'); + +const clusters = [ + { + "id": "/subscriptions/dce7d0ad-ebf6-437f-a3b0-28fc0d22117e/resourcegroups/ABSBAKS2/providers/Microsoft.ContainerService/managedClusters/absbaks2", + }, +]; + + +const diagnosticSettings = [ + { + id: '/subscriptions/234/myrg/providers/Microsoft.ContainerService/managedClusters/absbaks2/providers/microsoft.insights/diagnosticSettings/test-setting', + type: 'Microsoft.Insights/diagnosticSettings', + name: 'server-setting', + location: 'eastus', + kind: null, + tags: null, + eventHubName: null, + metrics: [], + logs: [ + { + "category": null, + "categoryGroup": "allLogs", + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + }, + { + "category": null, + "categoryGroup": "audit", + "enabled": false, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + logAnalyticsDestinationType: null + } +]; + +const createCache = (clusters, ds) => { + const id = clusters && clusters.length ? 
clusters[0].id : null; + return { + managedClusters: { + list: { + 'eastus': { + data: clusters + } + } + }, + diagnosticSettings: { + listByAksClusters: { + 'eastus': { + [id]: { + data: ds + } + } + } + + }, + }; +}; + +const createErrorCache = () => { + return { + managedClusters: { + list: { + 'eastus': {} + } + } + }; +}; + +describe('aksDiagnosticLogsEnabled', function() { + describe('run', function() { + it('should give passing result if no clusters', function(done) { + const cache = createCache([]); + aksDiagnosticLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Kubernetes clusters'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for kubernetes clusters', function(done) { + const cache = createErrorCache(); + aksDiagnosticLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Kubernetes clusters: '); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for diagnostic settings', function(done) { + const cache = createCache([clusters[0]], null); + aksDiagnosticLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Kubernetes cluster diagnostic settings'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if diagnostic logs enabled', function(done) { + const cache = createCache([clusters[0]], [diagnosticSettings[0]]); + aksDiagnosticLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + 
expect(results[0].message).to.include('AKS cluster has diagnostic logs enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if diagnostic logs not enabled', function(done) { + const cache = createCache([clusters[0]], [[]]); + aksDiagnosticLogsEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('AKS cluster does not have diagnostic logs enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); From e12ee0980f86d03c0b6f6ca65c037759a47abe50 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Tue, 26 Dec 2023 15:46:42 +0500 Subject: [PATCH 356/498] fixed-spec --- plugins/azure/containerregistry/acrContentTrustEnabled.spec.js | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/plugins/azure/containerregistry/acrContentTrustEnabled.spec.js b/plugins/azure/containerregistry/acrContentTrustEnabled.spec.js index 46f3c77d32..9f743137df 100644 --- a/plugins/azure/containerregistry/acrContentTrustEnabled.spec.js +++ b/plugins/azure/containerregistry/acrContentTrustEnabled.spec.js @@ -1,5 +1,4 @@ -var assert = require('assert'); - +var expect = require('chai').expect; var acrContentTrustEnabled = require('./acrContentTrustEnabled'); registries = [ From 9fddbbace3cc84e247f34b65c00af60e35358d69 Mon Sep 17 00:00:00 2001 From: Fatima <66124862+fatima99s@users.noreply.github.com> Date: Tue, 26 Dec 2023 15:52:45 +0500 Subject: [PATCH 357/498] Update flexibleServerVersion.js --- plugins/azure/postgresqlserver/flexibleServerVersion.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/postgresqlserver/flexibleServerVersion.js b/plugins/azure/postgresqlserver/flexibleServerVersion.js index a2a79e62d0..081d8749a4 100644 --- a/plugins/azure/postgresqlserver/flexibleServerVersion.js +++ b/plugins/azure/postgresqlserver/flexibleServerVersion.js 
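Review bot: The failing-case fixture `createCache([clusters[0]], [[]])` passes an array containing an empty array rather than a diagnostic-setting object; it only yields status 2 because `[].logs` is undefined, so it does not resemble a real API response and would not catch a plugin that inspects the `enabled` flag. Use realistic fixtures — one setting whose `logs` is `[]`, and one whose entries all have `enabled: false` — and assert that both produce 'AKS cluster does not have diagnostic logs enabled'. The positive fixture already mixes an enabled `allLogs` entry with a disabled `audit` entry, which is fine, but the suite has no case where every category is disabled.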
@@ -13,7 +13,7 @@ module.exports = { settings: { server_desired_version: { name: 'Postgresql Flexible Server Desired Version', - description: 'Desire Postgressql Flexible Server Version ', + description: 'Desire Postgresql Flexible Server Version ', regex: '^[0-9]+$', default: '11' } @@ -60,4 +60,4 @@ module.exports = { callback(null, results, source); }); } -}; \ No newline at end of file +}; From 0b0155f825043a86b7afd0fb0db2cd4b966e789e Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Tue, 26 Dec 2023 15:53:11 +0500 Subject: [PATCH 358/498] Added description --- plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.js b/plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.js index 59dc9d0e4e..12f8947a52 100644 --- a/plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.js +++ b/plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.js @@ -6,9 +6,9 @@ module.exports = { category: 'Kubernetes Service', domain: 'Containers', description: 'Ensures that Azure Kubernetes clusters have diagnostic logs enabled.', - more_info: '', - recommended_action: '', - link: 'https://learn.microsoft.com/en-us/azure/aks/use-tags', + more_info: 'Enabling diagnostic logging for for AKS clusters helps with performance monitoring, troubleshooting, and security optimization.', + recommended_action: 'Enable diagnostic logging for all AKS clusters.', + link: 'https://learn.microsoft.com/en-us/azure/aks/monitor-aks#logs', apis: ['managedClusters:list','diagnosticSettings:listByAksClusters'], run: function(cache, settings, callback) { From 4fe6f75571a7bf1d0f5f376510743127c1694799 Mon Sep 17 00:00:00 2001 
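Review bot: The corrected setting description in the first hunk still reads `'Desire Postgresql Flexible Server Version '` — 'Desire' should be 'Desired', and the trailing space inside the string looks unintended: `description: 'Desired Postgresql Flexible Server Version',`. This text is surfaced to users configuring the plugin, so it is worth fixing in the same pass as the `name` field above it.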
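Review bot: The new `more_info` text contains a doubled word, 'diagnostic logging for for AKS clusters'; it should read `more_info: 'Enabling diagnostic logging for AKS clusters helps with performance monitoring, troubleshooting, and security optimization.',`. Since these metadata strings are rendered in reports, consider also stating what the plugin actually verifies — that a diagnostic setting with log categories exists on the cluster — so the wording matches its logic.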
From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Tue, 26 Dec 2023 16:24:51 +0500 Subject: [PATCH 359/498] Apply suggestions from code review --- plugins/azure/containerregistry/acrContentTrustEnabled.js | 4 ++-- .../azure/containerregistry/acrContentTrustEnabled.spec.js | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/plugins/azure/containerregistry/acrContentTrustEnabled.js b/plugins/azure/containerregistry/acrContentTrustEnabled.js index 4a17a693ee..3d14987b77 100644 --- a/plugins/azure/containerregistry/acrContentTrustEnabled.js +++ b/plugins/azure/containerregistry/acrContentTrustEnabled.js @@ -42,9 +42,9 @@ module.exports = { var trustPolicy = registry.policies && registry.policies.trustPolicy? registry.policies.trustPolicy : null; if (trustPolicy && trustPolicy.status && trustPolicy.status.toLowerCase() == 'enabled'){ - helpers.addResult(results, 0, 'Content trsut is enabled for container registry', location, registry.id); + helpers.addResult(results, 0, 'Content trust is enabled for container registry', location, registry.id); } else { - helpers.addResult(results, 2, 'Content trsut is not enabled for container registry', location, registry.id); + helpers.addResult(results, 2, 'Content trust is not enabled for container registry', location, registry.id); } } diff --git a/plugins/azure/containerregistry/acrContentTrustEnabled.spec.js b/plugins/azure/containerregistry/acrContentTrustEnabled.spec.js index 9f743137df..b22156733c 100644 --- a/plugins/azure/containerregistry/acrContentTrustEnabled.spec.js +++ b/plugins/azure/containerregistry/acrContentTrustEnabled.spec.js 
@@ -77,7 +77,7 @@ describe('acrContentTrustEnabled', function() { acrContentTrustEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Content trsut is not enabled for container registry'); + expect(results[0].message).to.include('Content trust is not enabled for container registry'); expect(results[0].region).to.equal('eastus'); done() }); @@ -89,7 +89,7 @@ describe('acrContentTrustEnabled', function() { acrContentTrustEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Content trsut is enabled for container registry'); + expect(results[0].message).to.include('Content trust is enabled for container registry'); expect(results[0].region).to.equal('eastus'); done() }); From d00fb3e61f2766e7676b8d51a42154ddffe19299 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Tue, 26 Dec 2023 16:28:31 +0500 Subject: [PATCH 360/498] Azure/Acr-Managed-Identity --- exports.js | 1 + .../acrManagedIdentityEnabled.js | 54 ++++++ .../acrManagedIdentityEnabled.spec.js | 155 ++++++++++++++++++ 3 files changed, 210 insertions(+) create mode 100644 plugins/azure/containerregistry/acrManagedIdentityEnabled.js create mode 100644 plugins/azure/containerregistry/acrManagedIdentityEnabled.spec.js diff --git a/exports.js b/exports.js index fe8c0f16b2..00f47bcb4d 100644 --- a/exports.js +++ b/exports.js 
@@ -934,6 +934,7 @@ module.exports = { 'acrAdminUser' : require(__dirname + '/plugins/azure/containerregistry/acrAdminUser.js'), 'acrHasTags' : require(__dirname + '/plugins/azure/containerregistry/acrHasTags.js'), + 'acrManagedIdentityEnabled' : require(__dirname + '/plugins/azure/containerregistry/acrManagedIdentityEnabled.js'), 'acrPublicAccess' : require(__dirname + '/plugins/azure/containerregistry/acrPublicAccess.js'), 'acrCMKEncryption' : require(__dirname + '/plugins/azure/containerregistry/acrCMKEncryption.js'), 'acrLogAnalyticsEnabled' : require(__dirname + '/plugins/azure/containerregistry/acrLogAnalyticsEnabled.js'), diff --git a/plugins/azure/containerregistry/acrManagedIdentityEnabled.js b/plugins/azure/containerregistry/acrManagedIdentityEnabled.js new file mode 100644 index 0000000000..013a2cc1ba --- /dev/null +++ b/plugins/azure/containerregistry/acrManagedIdentityEnabled.js 
@@ -0,0 +1,54 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'ACR Managed Identity Enabled', + category: 'Container Registry', + domain: 'Containers', + description: 'Ensure that Azure container registries have managed identity enabled.', + more_info: 'Enabling managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.', + recommended_action: 'Modify container registry and enabled managed identity.', + link: 'https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication-managed-identity?tabs=azure-cli', + apis: ['registries:list'], + + run: function(cache, settings, callback) { + var results = []; + var source = {}; + var locations = helpers.locations(settings.govcloud); + + async.each(locations.registries, function(location, rcb) { + var registries = helpers.addSource(cache, source, + ['registries', 'list', location]); + + if (!registries) return rcb(); + + if (registries.err || !registries.data) { + helpers.addResult(results, 3, + 'Unable to query for container registries: ' + helpers.addError(registries), location); + return rcb(); + } + + if (!registries.data.length) { + helpers.addResult(results, 0, 'No existing container registries found', location); + return rcb(); + } + + for (let registry of registries.data){ + if (!registry.id) continue; + + var identityType = registry.identity && registry.identity.type? 
registry.identity.type : null; + + if (identityType && (identityType.includes('systemAssigned') || identityType.includes('userAssigned'))) { + helpers.addResult(results, 0, 'Container registry has managed identity enabled', location, registry.id); + } else { + helpers.addResult(results, 2, 'Container registry does not have managed identity enabled', location, registry.id); + } + } + + rcb(); + }, function() { + // Global checking goes here + callback(null, results, source); + }); + } +}; diff --git a/plugins/azure/containerregistry/acrManagedIdentityEnabled.spec.js b/plugins/azure/containerregistry/acrManagedIdentityEnabled.spec.js new file mode 100644 index 0000000000..c3e825e146 --- /dev/null +++ b/plugins/azure/containerregistry/acrManagedIdentityEnabled.spec.js 
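Review bot: The pass check `identityType.includes('systemAssigned') || identityType.includes('userAssigned')` is case-sensitive, and the only evidence for lowercase values is the hand-written fixture in the spec hunk that follows; the ARM `identity.type` values I am aware of for container registries are PascalCase (`SystemAssigned`, `UserAssigned`, `SystemAssigned, UserAssigned`, `None`), which would make every real registry fail this check — worth confirming against a live response. Normalise before comparing: `var identityType = registry.identity && registry.identity.type ? registry.identity.type.toLowerCase() : null;` and test against `'systemassigned'`/`'userassigned'`; that also keeps a `None` type from passing. The `recommended_action` string has a typo, 'enabled managed identity' → 'enable managed identity'.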
@@ -0,0 +1,155 @@ +var expect = require('chai').expect; +var acrManagedIdentityEnabled = require('./acrManagedIdentityEnabled'); + +registries = [ + { + "id": "/subscriptions/ade0e01e-f9cd-49d3-bba7-d5a5362a3414/resourceGroups/devresourcegroup/providers/Microsoft.ContainerRegistry/registries/testregistry12543", + "name": "testregistry12543", + "type": "Microsoft.ContainerRegistry/registries", + "location": "eastus", + "tags": {}, + "anonymousPullEnabled": true, + "sku": { + "name": "Premium", + "tier": "Premium" + }, + "policies": { + "trustPolicy": { + "type": "Notary", + "status": "disabled" + }, + }, + "identity": { + "principalId": "f61fb52b-80c1-4adf-b9c4-0cc80c71d6d7", + "tenantId": "d207c7bd-fcb1-4dd3-855a-cfd2f9b651e8", + "type": "systemAssigned", + "userAssignedIdentities": { + "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testmeerab": { + "principalId": "1d34c2cd-bd53-487d-b3a9-6064465497c9", + "clientId": "2071caa1-3668-4de3-babc-155cfe3e38e5" + } + } + }, + }, + { + "id": "/subscriptions/ade0e01e-f9cd-49d3-bba7-d5a5362a3414/resourceGroups/devresourcegroup/providers/Microsoft.ContainerRegistry/registries/testregistry12543", + "name": "testregistry12543", + "type": "Microsoft.ContainerRegistry/registries", + "location": "eastus", + "tags": {}, + "anonymousPullEnabled": false, + "sku": { + "name": "Premium", + "tier": "Premium" + }, + "policies": { + "trustPolicy": { + "type": "Notary", + "status": "enabled" + }, + }, + }, + { + "id": "/subscriptions/ade0e01e-f9cd-49d3-bba7-d5a5362a3414/resourceGroups/devresourcegroup/providers/Microsoft.ContainerRegistry/registries/testregistry12543", + "name": "testregistry12543", + "type": "Microsoft.ContainerRegistry/registries", + "location": "eastus", + "tags": {}, + "anonymousPullEnabled": true, + "sku": { + "name": "Premium", + "tier": "Premium" + }, + "policies": { + "trustPolicy": { + "type": "Notary", + "status": 
"disabled" + }, + }, + "identity": { + "principalId": "f61fb52b-80c1-4adf-b9c4-0cc80c71d6d7", + "tenantId": "d207c7bd-fcb1-4dd3-855a-cfd2f9b651e8", + "type": "systemAssigned, userAssigned", + "userAssignedIdentities": { + "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testmeerab": { + "principalId": "1d34c2cd-bd53-487d-b3a9-6064465497c9", + "clientId": "2071caa1-3668-4de3-babc-155cfe3e38e5" + } + } + }, + }, + +]; +const createCache = (err, data) => { + return { + registries: { + list: { + 'eastus': { + err: err, + data: data + } + } + } + } +}; + +describe('acrManagedIdentityEnabled', function() { + describe('run', function() { + it('should give passing result if no container registries', function(done) { + const cache = createCache(null, []); + acrManagedIdentityEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing container registries found'); + expect(results[0].region).to.equal('eastus'); + done() + }); + }); + + it('should give failing result if container registry does not have managed identity enabled', function(done) { + const cache = createCache(null,[registries[1]]); + acrManagedIdentityEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Container registry does not have managed identity enabled'); + expect(results[0].region).to.equal('eastus'); + done() + }); + + }); + + it('should give passing result if container registry has managed identity enabled', function(done) { + const cache = createCache(null, [registries[0]]); + acrManagedIdentityEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Container registry has managed identity 
enabled'); + expect(results[0].region).to.equal('eastus'); + done() + }); + }); + + it('should give passing result if container registry has both system and user assigned managed identity enabled', function(done) { + const cache = createCache(null, [registries[2]]); + acrManagedIdentityEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Container registry has managed identity enabled'); + expect(results[0].region).to.equal('eastus'); + done() + }); + }); + + it('should give passing result unable to query container registry', function(done) { + const cache = createCache(null, null); + acrManagedIdentityEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for container registries:'); + expect(results[0].region).to.equal('eastus'); + done() + }); + + }); + }); +}); \ No newline at end of file From 61c57cca6e830dd61053b130ecf6d97f1c0f7b4c Mon Sep 17 00:00:00 2001 From: Fatima <66124862+fatima99s@users.noreply.github.com> Date: Tue, 26 Dec 2023 16:30:25 +0500 Subject: [PATCH 361/498] Update flexibleServerVersion.js --- plugins/azure/postgresqlserver/flexibleServerVersion.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/postgresqlserver/flexibleServerVersion.js b/plugins/azure/postgresqlserver/flexibleServerVersion.js index 081d8749a4..5e892b6bbe 100644 --- a/plugins/azure/postgresqlserver/flexibleServerVersion.js +++ b/plugins/azure/postgresqlserver/flexibleServerVersion.js 
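Review bot: `registries = [` is assigned without `const`/`let`/`var`, creating an implicit global that collides with the identically named, identically declared fixture in acrContentTrustEnabled.spec.js when both specs run in one mocha process; declare it `const registries = [`. The fixtures use lowercase `identity.type` values (`systemAssigned`, `systemAssigned, userAssigned`), which is exactly what the plugin's case-sensitive `includes` matches, so the suite would keep passing even if real responses use PascalCase; a fixture with `"type": "SystemAssigned"` would expose the discrepancy. The test 'should give passing result unable to query container registry' asserts status 3, so its title is misleading.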
@@ -46,7 +46,7 @@ module.exports = { for (var flexibleServer of servers.data) { - if(flexibleServer.version >= config.server_desired_version) { + if (flexibleServer.version >= config.server_desired_version) { helpers.addResult(results, 0, 'Postgresql flexible server has the latest server version', location, flexibleServer.id); } else { From d1d78e24fe96a0a694dedfa0499b2c05288c7c40 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Tue, 26 Dec 2023 17:07:26 +0500 Subject: [PATCH 362/498] vmss managed identity --- exports.js | 4 +- helpers/azure/api.js | 2 +- .../vmssManagedIdentityEnabled.js | 49 +++++++++++ .../vmssManagedIdentityEnabled.spec.js | 82 +++++++++++++++++++ 4 files changed, 135 insertions(+), 2 deletions(-) create mode 100644 plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js create mode 100644 plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.spec.js diff --git a/exports.js b/exports.js index 0fab601115..cd9d1ebdb7 100644 --- a/exports.js +++ b/exports.js @@ -1038,7 +1038,9 @@ module.exports = { 'amsDiagnosticLogsEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js'), 'amsPublicAccessDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsPublicAccessDisabled.js'), 'amsManagedIdentityEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsManagedIdentityEnabled.js'), - 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js') + 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'), + + 'vmssManagedIdentityEnabled' : require(__dirname + '/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js') }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index d2a855693d..2806750d18 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js 
@@ -383,7 +383,7 @@ var calls = {
 },
 virtualMachineScaleSets: {
 listAll: {
- url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compute/virtualMachineScaleSets?api-version=2019-12-01'
+ url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compute/virtualMachineScaleSets?api-version=2023-09-01'
 }
 },
 bastionHosts: {
diff --git a/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js b/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js
new file mode 100644
index 0000000000..87c2ffad6c
--- /dev/null
+++ b/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js
@@ -0,0 +1,49 @@ +var async = require('async'); + +var helpers = require('../../../helpers/azure'); + + +module.exports = { + title: 'VM Scale Set Managed Identity Enabled', + category: 'Virtual Machines', + domain: 'Compute', + description: 'Ensures that Azure Virtual Machine scale sets have managed identity enabled.', + more_info: 'Managed identities for Azure resources provide Azure services with an automatically managed identity in Microsoft Entra ID. You can use this identity to authenticate to any service that supports Microsoft Entra authentication, without having credentials in your code.', + link: 'https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/qs-configure-portal-windows-vmss', + recommended_action: 'Modify VM scale set and enable user or system assigned identities.', + apis: ['virtualMachineScaleSets:listAll'], + + run: function(cache, settings, callback) { + var results = []; + var source = {}; + var locations = helpers.locations(settings.govcloud); + + async.each(locations.vmScaleSet, function(location, rcb) { + + var vmScaleSets = helpers.addSource(cache, source, ['virtualMachineScaleSets', 'listAll', location]); + + if (!vmScaleSets) return rcb(); + + if (vmScaleSets.err || !vmScaleSets.data) { + helpers.addResult(results, 3, 'Unable to query for Virtual Machine Scale Sets: ' + helpers.addError(vmScaleSets), location); + return rcb(); + } + if (!vmScaleSets.data.length) { + helpers.addResult(results, 0, 'No existing Virtual Machine Scale Sets found', location); + return rcb(); + } + for (let scaleSet of vmScaleSets.data) { + if (!scaleSet.id) continue; + + if (scaleSet.identity && scaleSet.identity.type){ + helpers.addResult(results, 0, 'VM scale set has managed identity enabled', location, scaleSet.id); + } else { + helpers.addResult(results, 2, 'VM scale set does not have managed identity enabled', location, scaleSet.id); + } + } + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; \ No 
newline at end of file diff --git a/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.spec.js b/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.spec.js new file mode 100644 index 0000000000..5bfa76ccb3 --- /dev/null +++ b/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.spec.js 
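Review bot: `scaleSet.identity && scaleSet.identity.type` treats any non-empty type string as a managed identity, but the ARM identity block can carry `type: 'None'` on a scale set whose identities were removed, and such a scale set would then pass this check. Compare the value rather than only testing presence, e.g. `if (scaleSet.identity && scaleSet.identity.type && scaleSet.identity.type.toLowerCase() !== 'none') {`. The spec fixtures only cover a present SystemAssigned identity and a missing identity block, so a `None` case is worth adding there as well.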
@@ -0,0 +1,82 @@ +var expect = require('chai').expect; +var vmssManagedIdentityEnabled = require('./vmssManagedIdentityEnabled'); + +const virtualMachineScaleSets = [ + { + 'name': 'test-vmss', + 'id': '/subscriptions/123/resourceGroups/AQUA-RESOURCE-GROUP/providers/Microsoft.Compute/virtualMachineScaleSets/test-vmss', + 'type': 'Microsoft.Compute/virtualMachineScaleSets', + "identity": { + "type": "SystemAssigned", + "principalId": "5db3ed52-909e-4016-a31f-d2fe043952a4", + "tenantId": "d207c7bd-fcb1-4dd3-855a-cfd2f9b651e8" + }, + }, + { + 'name': 'test-vmss', + 'id': '/subscriptions/123/resourceGroups/AQUA-RESOURCE-GROUP/providers/Microsoft.Compute/virtualMachineScaleSets/test-vmss', + 'type': 'Microsoft.Compute/virtualMachineScaleSets', + } +]; + +const createCache = (virtualMachineScaleSets) => { + let machine = {}; + if (virtualMachineScaleSets) { + machine['data'] = virtualMachineScaleSets; + } + return { + virtualMachineScaleSets: { + listAll: { + 'eastus': machine + } + } + }; +}; + +describe('vmssManagedIdentityEnabled', function() { + describe('run', function() { + it('should give passing result if no virtual machine scale sets', function(done) { + const cache = createCache([]); + vmssManagedIdentityEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Virtual Machine Scale Sets found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for virtual machine scale sets', function(done) { + const cache = createCache(); + vmssManagedIdentityEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for Virtual Machine Scale Sets:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if VM scale set 
has managed identity enabled', function(done) { + const cache = createCache([virtualMachineScaleSets[0]]); + vmssManagedIdentityEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('VM scale set has managed identity enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if VM scale set does not have managed identity enabled', function(done) { + const cache = createCache([virtualMachineScaleSets[1]]); + vmssManagedIdentityEnabled.run(cache, { vmss_approved_extensions: 'healthRepairExtension' }, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('VM scale set does not have managed identity enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file From d8ddc155423311f09dd6ecba3ec2bbfb4937edff Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Tue, 26 Dec 2023 22:11:10 +0500 Subject: [PATCH 363/498] Azure/Automation-Accounts --- exports.js | 4 +- helpers/azure/api.js | 11 + helpers/azure/locations.js | 3 +- helpers/azure/resources.js | 3 + .../automationAccountDiagnosticLogs.js | 70 +++++ .../automationAccountDiagnosticLogs.spec.js | 266 ++++++++++++++++++ 6 files changed, 355 insertions(+), 2 deletions(-) create mode 100644 plugins/azure/automationAccounts/automationAccountDiagnosticLogs.js create mode 100644 plugins/azure/automationAccounts/automationAccountDiagnosticLogs.spec.js diff --git a/exports.js b/exports.js index fe8c0f16b2..2b5b1e175e 100644 --- a/exports.js +++ b/exports.js 
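Review bot: The failing-result case passes `{ vmss_approved_extensions: 'healthRepairExtension' }` as settings, but the plugin declares no settings and never reads that key, so this looks like a copy-paste leftover from another spec; pass `{}` like the sibling cases so the test does not suggest a setting that has no effect. Both fixtures also share the same `name` and `id`, which makes the assertions unable to tell which resource produced a result if more than one is ever placed in the cache.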
@@ -1038,7 +1038,9 @@ module.exports = { 'amsDiagnosticLogsEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js'), 'amsPublicAccessDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsPublicAccessDisabled.js'), 'amsManagedIdentityEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsManagedIdentityEnabled.js'), - 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js') + 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'), + + 'automationAccountDiagnosticLogs': require(__dirname + '/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index d2a855693d..000db2ae6d 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -366,6 +366,11 @@ var calls = { graph: true, } }, + automationAccounts: { + list: { + url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Automation/automationAccounts?api-version=2023-11-01' + } + }, registries: { list: { url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.ContainerRegistry/registries?api-version=2023-01-01-preview' @@ -1035,6 +1040,12 @@ var tertiarycalls = { properties: ['id'], url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview' }, + listByAutomationAccounts: { + reliesOnPath: 'automationAccounts.list', + properties: ['id'], + url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview' + + } }, backupShortTermRetentionPolicies: { listByDatabase: { diff --git a/helpers/azure/locations.js b/helpers/azure/locations.js index 226bd2cd8f..1ff4c00285 100644 --- a/helpers/azure/locations.js 
+++ b/helpers/azure/locations.js @@ -122,6 +122,7 @@ module.exports = { mediaServices: locations, serviceBus: locations, classicFrontDoors: ['global'], - afdWafPolicies: ['global'] + afdWafPolicies: ['global'], + automationAccounts: locations }; diff --git a/helpers/azure/resources.js b/helpers/azure/resources.js index a0338bc145..2da1046696 100644 --- a/helpers/azure/resources.js +++ b/helpers/azure/resources.js @@ -256,5 +256,8 @@ module.exports = { }, devOpsAuditingSettings:{ list:'id' + }, + automationAccounts:{ + list: 'id' } }; diff --git a/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.js b/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.js new file mode 100644 index 0000000000..91a7446fbf --- /dev/null +++ b/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.js 
@@ -0,0 +1,70 @@ +const async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Automation Account Diagnostic Logs', + category: 'Automation', + domain: 'Management and Governance', + description: '', + more_info: '', + recommended_action: '', + link: '', + apis: ['automationAccounts:list','diagnosticSettings:listByAutomationAccounts'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.automationAccounts, (location, rcb) => { + + const automationAccounts = helpers.addSource(cache, source, + ['automationAccounts', 'list', location]); + + if (!automationAccounts) return rcb(); + + if (automationAccounts.err || !automationAccounts.data) { + helpers.addResult(results, 3, + 'Unable to query Automation accounts: ' + helpers.addError(automationAccounts), location); + return rcb(); + } + + if (!automationAccounts.data.length) { + helpers.addResult(results, 0, 'No existing Automation accounts found', location); + return rcb(); + } + + for (let account of automationAccounts.data) { + if (!account.id) continue; + + var diagnosticSettings = helpers.addSource(cache, source, + ['diagnosticSettings', 'listByAutomationAccounts', location, account.id]); + + if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) { + helpers.addResult(results, 3, `Unable to query Automation account diagnostic settings: ${helpers.addError(diagnosticSettings)}`, + location, account.id); + continue; + } + + var missingLogs = ['JobLogs', 'JobStreams', 'DscNodeStatus', 'AuditEvent']; + diagnosticSettings.data.forEach(settings => { + const logs = settings.logs; + missingLogs = missingLogs.filter(requiredCategory => + !logs.some(log => (log.category === requiredCategory && log.enabled) || log.categoryGroup === 'allLogs' && log.enabled) + ); + }); + + if (missingLogs.length) { + helpers.addResult(results, 2, 
`Automation account does not have diagnostic logs enabled. Missings logs: ${missingLogs}`, location, account.id); + } else { + helpers.addResult(results, 0, 'Automation account has diagnostic logs enabled', location, account.id); + } + } + + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; + diff --git a/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.spec.js b/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.spec.js new file mode 100644 index 0000000000..474c017cb2 --- /dev/null +++ b/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.spec.js 
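Review bot: `const logs = settings.logs;` followed by `logs.some(...)` throws a TypeError for any diagnostic-setting entry that has no `logs` array, so one partial entry aborts the whole `run` callback instead of yielding a result; the spec even ships an empty-object fixture that would trigger exactly this. The callback parameter is also named `settings`, shadowing the plugin-level `settings` argument of `run`, and the `||`/`&&` mix in the `some` predicate relies on operator precedence rather than parentheses. A rewrite of the category filter loop is below; the rest of the hunk is unchanged.
```javascript
// … unchanged: account list lookup and diagnosticSettings error handling …
var missingLogs = ['JobLogs', 'JobStreams', 'DscNodeStatus', 'AuditEvent'];
diagnosticSettings.data.forEach((setting) => {
    const logs = setting.logs || [];
    missingLogs = missingLogs.filter((requiredCategory) =>
        !logs.some((log) => log.enabled && (log.category === requiredCategory || log.categoryGroup === 'allLogs'))
    );
});
// … unchanged: missingLogs result reporting …
```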
@@ -0,0 +1,266 @@ +var expect = require('chai').expect; +var automationAccountDiagnosticLogs = require('./automationAccountDiagnosticLogs.js'); + +const automationAccounts = [ + { + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/DefaultResourceGroup-EUS/providers/Microsoft.Automation/automationAccounts/Automate-26a1a07e-06dd-4892-92c9-e4996b0fc546-EUS2", + "location": "EastUS2", + "name": "Automate-26a1a07e-06dd-4892-92c9-e4996b0fc546-EUS2", + "type": "Microsoft.Automation/AutomationAccounts", + "tags": {}, + "properties": { + "creationTime": "2023-10-27T07:27:02.76+00:00", + "lastModifiedTime": "2023-10-27T07:27:02.76+00:00" + } + }, + { + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/DefaultResourceGroup-CUS/providers/Microsoft.Automation/automationAccounts/Automate-26a1a07e-06dd-4892-92c9-e4996b0fc546-CUS", + "location": "centralus", + "name": "Automate-26a1a07e-06dd-4892-92c9-e4996b0fc546-CUS", + "type": "Microsoft.Automation/AutomationAccounts", + "tags": {}, + "properties": { + "creationTime": "2023-07-17T13:09:21.4866667+00:00", + "lastModifiedTime": "2023-07-17T13:09:21.4866667+00:00" + } + } +]; + +const diagnosticSettings = [ + { + id: '/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/cloudsploit-dev/providers/microsoft.cdn/automationAccounts/omer-cdn-profile-test/providers/microsoft.insights/diagnosticSettings/testaccesslogs', + type: 'Microsoft.Insights/diagnosticSettings', + name: 'testaccesslogs', + location: 'global', + logs: [ + { + "category": "JobLogs", + "categoryGroup": null, + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + }, + ], + "logAnalyticsDestinationType": null + }, + { + id: '/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/cloudsploit-dev/providers/microsoft.cdn/automationAccounts/omer-cdn-profile-test/providers/microsoft.insights/diagnosticSettings/testaccesslogs', + type: 'Microsoft.Insights/diagnosticSettings', + 
name: 'testwaflogs', + location: 'global', + logs: [ + { + "category": "JobLogs", + "categoryGroup": null, + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + }, + { + "category": "JobStreams", + "categoryGroup": null, + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + }, + { + "category": "DscNodeStatus", + "categoryGroup": null, + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + }, + { + "category": "AuditEvent", + "categoryGroup": null, + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + }, + + ], + "logAnalyticsDestinationType": null + }, + {}, + { + id: '/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/cloudsploit-dev/providers/microsoft.cdn/automationAccounts/omer-cdn-profile-test/providers/microsoft.insights/diagnosticSettings/testaccesslogs', + type: 'Microsoft.Insights/diagnosticSettings', + name: 'testwaflogs', + location: 'global', + logs: [ + { + "category": "", + "categoryGroup": "allLogs", + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logAnalyticsDestinationType": null + }, +] + +const createCache = (automationAccounts, diagnostics) => { + let diagnostic = {}; + if (automationAccounts.length) { + diagnostic[automationAccounts[0].id] = { + data: diagnostics + }; + } + + + return { + automationAccounts: { + list: { + 'eastus': { + data: automationAccounts + } + } + }, + diagnosticSettings: { + listByAutomationAccounts: { + 'eastus': diagnostic + } + } + }; +}; + +const createErrorCache = (key) => { + if (key == 'unknownaccount') { + return { + automationAccounts: { + list: { + 'eastus': {} + } + } + }; + } else if (key === 'noaccounts'){ + return { + automationAccounts: { + list: { + 'eastus': { + data:{} + } + } + } + }; + }else if (key === 'diagnostic') { + return { + automationAccounts: { + list: { + 'global': { + data: [automationAccounts[0]] + } + } + }, + diagnosticSettings: 
{ + listByAutomationAccounts: { + 'global': {} + } + } + }; + } else { + const accountId = (automationAccounts && automationAccounts.length) ? automationAccounts[0].id : null; + const diagnosticSetting = (diagnosticSettings && diagnosticSettings.length) ? diagnosticSettings[0].id : null; + return { + automationAccounts: { + list: { + 'eastus': { + data: [automationAccounts[0]] + } + } + }, + diagnosticSettings: { + listByAutomationAccounts: { + 'eastus': { + data: {} + } + } + } + }; + } +}; + +describe('automationAccountDiagnosticLogs', function () { + describe('run', function () { + + it('should give pass result if No existing automation accounts found', function (done) { + const cache = createErrorCache('noaccounts'); + automationAccountDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Automation accounts found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if Unable to query automation accounts:', function (done) { + const cache = createErrorCache('unknownaccount'); + automationAccountDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Automation accounts:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if Unable to query diagnostics settings', function (done) { + const cache = createErrorCache('policy'); + automationAccountDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Automation account diagnostic settings'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if automation account has 
diagnostic logging enabled', function (done) { + const cache = createCache([automationAccounts[0]], [diagnosticSettings[1]]); + automationAccountDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Automation account has diagnostic logs enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if automation account does not have diagnostic logging enabled', function (done) { + const cache = createCache([automationAccounts[1]], [diagnosticSettings[0]]); + automationAccountDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Automation account does not have diagnostic logs enabled. Missings'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + + it('should give pass result if automation account have allLogs Enabled', function(done) { + const cache = createCache([automationAccounts[1]], [diagnosticSettings[3]]); + automationAccountDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Automation account has diagnostic logs enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file From 8b4852e90b287ea92266742576a83816680a9a5c Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Tue, 26 Dec 2023 22:33:39 +0500 Subject: [PATCH 364/498] Added description --- .../automationAccounts/automationAccountDiagnosticLogs.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.js b/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.js index 91a7446fbf..c3fd585e13 100644 
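Review bot: The fallback branch of `createErrorCache` computes `accountId` and `diagnosticSetting` and never uses them, and the `'policy'` key the diagnostics test passes reaches that branch only because it matches nothing; name the branch after the case it serves or drop the dead locals. The `{}` entry in the `diagnosticSettings` fixture is not referenced by any test, and the `'diagnostic'` branch builds its cache under `'global'` while every assertion checks `'eastus'`. `key == 'unknownaccount'` also uses loose equality where the sibling comparisons use `===`.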
--- a/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.js +++ b/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.js @@ -5,10 +5,10 @@ module.exports = { title: 'Automation Account Diagnostic Logs', category: 'Automation', domain: 'Management and Governance', - description: '', - more_info: '', - recommended_action: '', - link: '', + description: 'Ensures that diagnostic logging is enabled for Azure Automation account.', + more_info: 'Azure Automation can send runbook job status and job streams to get insights, alert emails and correlate jobs accross automation accounts. It also allows you to get the audit logs related to Automation accounts, runbooks, and other asset create, modify and delete operations.', + recommended_action: 'Enable diagnostic logging for all Automation accounts.', + link: 'https://learn.microsoft.com/en-us/azure/automation/automation-manage-send-joblogs-log-analytics#azure-automation-diagnostic-settings', apis: ['automationAccounts:list','diagnosticSettings:listByAutomationAccounts'], run: function(cache, settings, callback) { From 22cc3585fec435e7261eb01cc0431179bce7878d Mon Sep 17 00:00:00 2001 From: fatima99s Date: Tue, 26 Dec 2023 22:35:34 +0500 Subject: [PATCH 365/498] enableDefenderForPostgresql --- exports.js | 2 + .../defender/enableDefenderForPostgresql.js | 53 +++++++++++ .../enableDefenderForPostgresql.spec.js | 87 +++++++++++++++++++ 3 files changed, 142 insertions(+) create mode 100644 plugins/azure/defender/enableDefenderForPostgresql.js create mode 100644 plugins/azure/defender/enableDefenderForPostgresql.spec.js diff --git a/exports.js b/exports.js index fe8c0f16b2..b69e8c7e3f 100644 --- a/exports.js +++ b/exports.js 
@@ -995,9 +995,11 @@ module.exports = { 'enableDefenderForStorage' : require(__dirname + '/plugins/azure/defender/enableDefenderForStorage.js'), 'enableDefenderForContainers' : require(__dirname + '/plugins/azure/defender/enableDefenderForContainers.js'), 'enableDefenderForSqlServers' : require(__dirname + '/plugins/azure/defender/enableDefenderForSqlServers.js'), + 'enableDefenderForPostgresql' : require(__dirname + '/plugins/azure/defender/enableDefenderForPostgresql.js'), 'enableEndpointIntegration' : require(__dirname + '/plugins/azure/defender/enableEndpointIntegration.js'), 'enableDefenderForDNS' : require(__dirname + '/plugins/azure/defender/enableDefenderForDNS.js'), 'enableDefenderForKeyVaults' : require(__dirname + '/plugins/azure/defender/enableDefenderForKeyVaults.js'), + 'agWafEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agWafEnabled'), 'agSecurityLoggingEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js'), diff --git a/plugins/azure/defender/enableDefenderForPostgresql.js b/plugins/azure/defender/enableDefenderForPostgresql.js new file mode 100644 index 0000000000..db3a05ff53 --- /dev/null +++ b/plugins/azure/defender/enableDefenderForPostgresql.js 
@@ -0,0 +1,53 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Enable Defender For PostgreSQL Flexible Servers', + category: 'Defender', + domain: 'Management and Governance', + description: 'Ensures that Microsoft Defender is enabled for Azure PostgreSQL Flexible Servers.', + more_info: 'Enabling Defender for Cloud on PostgreSQL Flexible Servers allows detection of unusual database access, query patterns, and suspicious activities, enhancing overall security.', + recommended_action: 'Enable Microsoft Defender for PostgreSQL Flexible Servers in Defender plans for the subscription.', + link: 'https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-security#microsoft-defender-for-cloud-support', + apis: ['pricings:list'], + + run: function(cache, settings, callback) { + var results = []; + var source = {}; + var locations = helpers.locations(settings.govcloud); + + async.each(locations.pricings, function(location, rcb) { + var pricings = helpers.addSource(cache, source, + ['pricings', 'list', location]); + + if (!pricings) return rcb(); + + if (pricings.err || !pricings.data) { + helpers.addResult(results, 3, + 'Unable to query for Pricing: ' + helpers.addError(pricings), location); + return rcb(); + } + + if (!pricings.data.length) { + helpers.addResult(results, 0, 'No Pricing information found', location); + return rcb(); + } + + let postgresqlServersPricing = pricings.data.find((pricing) => pricing.name && pricing.name.toLowerCase() === 'opensourcerelationaldatabases'); + + if (postgresqlServersPricing) { + if (postgresqlServersPricing.pricingTier.toLowerCase() === 'standard') { + helpers.addResult(results, 0, 'Azure Defender is enabled for PostgreSQL Flexible Servers', location, postgresqlServersPricing.id); + } else { + helpers.addResult(results, 2, 'Azure Defender is not enabled for PostgreSQL Flexible Servers', location, postgresqlServersPricing.id); + } + } else { + 
helpers.addResult(results, 2, 'Azure Defender is not enabled for PostgreSQL Flexible Servers', location); + } + + rcb(); + }, function(){ + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/defender/enableDefenderForPostgresql.spec.js b/plugins/azure/defender/enableDefenderForPostgresql.spec.js new file mode 100644 index 0000000000..7ac6e14319 --- /dev/null +++ b/plugins/azure/defender/enableDefenderForPostgresql.spec.js 
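Review bot: `postgresqlServersPricing.pricingTier.toLowerCase()` is called without the null guard that `pricing.name` gets two lines earlier, so a pricing entry returned without `pricingTier` throws inside the `async.each` callback instead of producing a result; `if (postgresqlServersPricing.pricingTier && postgresqlServersPricing.pricingTier.toLowerCase() === 'standard') {` closes that gap. The same unguarded access is carried into `checkMicrosoftDefender` in `helpers/azure/functions.js` in the follow-up commit. The plan matched here, `opensourcerelationaldatabases`, is the Defender plan for the open-source relational database services as a group rather than PostgreSQL alone, so the title and `description` read narrower than what the check actually measures; a sentence in `more_info` naming the plan would make that explicit.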
@@ -0,0 +1,87 @@ +var assert = require('assert'); +var expect = require('chai').expect; +var auth = require('./enableDefenderForPostgresql'); + +const createCache = (err, data) => { + return { + pricings: { + list: { + 'global': { + err: err, + data: data + } + } + } + } +}; + +describe('enableDefenderForPostgresql', function() { + describe('run', function() { + it('should give passing result if no pricings found', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No Pricing information found'); + expect(results[0].region).to.equal('global'); + done() + }; + + const cache = createCache( + null, + [] + ); + + auth.run(cache, {}, callback); + }); + + it('should give failing result if Azure Defender for PostgreSQL Flexible Servers is not enabled', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Azure Defender is not enabled for PostgreSQL Flexible Servers'); + expect(results[0].region).to.equal('global'); + done() + }; + + const cache = createCache( + null, + [ + { + "id": "/subscriptions/e79d9a03-3ab3-4481-bdcd-c5db1d55420a/providers/Microsoft.Security/pricings/default", + "name": "openSourceRelationalDatabases", + "type": "Microsoft.Security/pricings", + "pricingTier": "free", + "location": "global" + } + ] + ); + + auth.run(cache, {}, callback); + }); + + it('should give passing result if Azure Defender for PostgreSQL Flexible Servers is enabled', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Azure Defender is enabled for PostgreSQL Flexible Servers'); + expect(results[0].region).to.equal('global'); + done() + }; + + const cache = createCache( + null, + [ + { + "id": 
"/subscriptions/e79d9a03-3ab3-4481-bdcd-c5db1d55420a/providers/Microsoft.Security/pricings/default", + "name": "openSourceRelationalDatabases", + "type": "Microsoft.Security/pricings", + "pricingTier": "Standard", + "location": "global" + } + ] + ); + + auth.run(cache, {}, callback); + }) + }) +}); \ No newline at end of file From c4475d468d8ecba3b6cf3bcadd72840b94bf80df Mon Sep 17 00:00:00 2001 From: fatima99s Date: Tue, 26 Dec 2023 22:40:11 +0500 Subject: [PATCH 366/498] enableDefenderForPostgresql --- exports.js | 1 - helpers/azure/functions.js | 17 ++++++++++++++++- .../defender/enableDefenderForPostgresql.js | 12 +----------- 3 files changed, 17 insertions(+), 13 deletions(-) diff --git a/exports.js b/exports.js index b69e8c7e3f..0a0f719be9 100644 --- a/exports.js +++ b/exports.js @@ -1000,7 +1000,6 @@ module.exports = { 'enableDefenderForDNS' : require(__dirname + '/plugins/azure/defender/enableDefenderForDNS.js'), 'enableDefenderForKeyVaults' : require(__dirname + '/plugins/azure/defender/enableDefenderForKeyVaults.js'), - 'agWafEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agWafEnabled'), 'agSecurityLoggingEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js'), 'agSslPolicy' : require(__dirname + '/plugins/azure/applicationGateway/agSslPolicy'), diff --git a/helpers/azure/functions.js b/helpers/azure/functions.js index 0a40c0a0e1..2b0dea6fbd 100644 --- a/helpers/azure/functions.js +++ b/helpers/azure/functions.js 
@@ -356,6 +356,20 @@ function checkServerConfigs(servers, cache, source, location, results, serverTyp
 });
 }
 
+function checkMicrosoftDefender(pricings, serviceName, serviceDisplayName, results, location ) {
+
+ let pricingData = pricings.data.find((pricing) => pricing.name.toLowerCase() === serviceName);
+ if (pricingData) {
+ if (pricingData.pricingTier.toLowerCase() === 'standard') {
+ addResult(results, 0, `Azure Defender is enabled for ${serviceDisplayName}`, location, pricingData.id);
+ } else {
+ addResult(results, 2, `Azure Defender is not enabled for ${serviceDisplayName}`, location, pricingData.id);
+ }
+ } else {
+ addResult(results, 2, `Azure Defender is not enabled for ${serviceDisplayName}`, location);
+ }
+}
+
 function processCall(config, method, body, baseUrl, resource, callback) {
 var fullUrl = baseUrl.replace('{resource}', resource);
 
@@ -702,5 +716,6 @@ module.exports = {
 remediatePlugin: remediatePlugin,
 processCall: processCall,
 remediateOpenPorts: remediateOpenPorts,
- remediateOpenPortsHelper: remediateOpenPortsHelper
+ remediateOpenPortsHelper: remediateOpenPortsHelper,
+ checkMicrosoftDefender: checkMicrosoftDefender
 };
diff --git a/plugins/azure/defender/enableDefenderForPostgresql.js b/plugins/azure/defender/enableDefenderForPostgresql.js
index db3a05ff53..a0da3e640b 100644
--- a/plugins/azure/defender/enableDefenderForPostgresql.js
+++ b/plugins/azure/defender/enableDefenderForPostgresql.js
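Review bot: `checkMicrosoftDefender` drops the `pricing.name &&` guard that the inline version in the plugin had, so a pricing entry with no `name` now throws inside `find` for every caller of the shared helper; `let pricingData = pricings.data.find((pricing) => pricing.name && pricing.name.toLowerCase() === serviceName);` restores it. The comparison lowercases only the API value, so callers must pass `serviceName` already lowercased — either normalize both sides or state it in a JSDoc block above the function that documents `pricings` as the `pricings:list` source object, `serviceName` as the lowercase Defender plan name, `serviceDisplayName` as the label used in result messages, and that results are appended through `addResult`. The stray space in `location )` in the signature is worth removing before this becomes an exported helper.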
@@ -33,17 +33,7 @@ module.exports = { return rcb(); } - let postgresqlServersPricing = pricings.data.find((pricing) => pricing.name && pricing.name.toLowerCase() === 'opensourcerelationaldatabases'); - - if (postgresqlServersPricing) { - if (postgresqlServersPricing.pricingTier.toLowerCase() === 'standard') { - helpers.addResult(results, 0, 'Azure Defender is enabled for PostgreSQL Flexible Servers', location, postgresqlServersPricing.id); - } else { - helpers.addResult(results, 2, 'Azure Defender is not enabled for PostgreSQL Flexible Servers', location, postgresqlServersPricing.id); - } - } else { - helpers.addResult(results, 2, 'Azure Defender is not enabled for PostgreSQL Flexible Servers', location); - } + helpers.checkMicrosoftDefender(pricings, 'opensourcerelationaldatabases', 'PostgreSQL Flexible Servers', results, location); rcb(); }, function(){ From b6610968f90bfcc22678bbe5dd2667f964b39d6f Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Tue, 26 Dec 2023 22:50:52 +0500 Subject: [PATCH 367/498] Azure/Automation-Accounts --- .../automationAccounts/automationAccountDiagnosticLogs.js | 4 ++-- .../automationAccountDiagnosticLogs.spec.js | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.js b/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.js index c3fd585e13..fff1996af9 100644 --- a/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.js +++ b/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.js 
@@ -6,7 +6,7 @@ module.exports = { category: 'Automation', domain: 'Management and Governance', description: 'Ensures that diagnostic logging is enabled for Azure Automation account.', - more_info: 'Azure Automation can send runbook job status and job streams to get insights, alert emails and correlate jobs accross automation accounts. It also allows you to get the audit logs related to Automation accounts, runbooks, and other asset create, modify and delete operations.', + more_info: 'Azure Automation can send runbook job status and job streams to get insights, alert emails and correlate jobs across automation accounts. It also allows you to get the audit logs related to Automation accounts, runbooks, and other asset create, modify and delete operations.', recommended_action: 'Enable diagnostic logging for all Automation accounts.', link: 'https://learn.microsoft.com/en-us/azure/automation/automation-manage-send-joblogs-log-analytics#azure-automation-diagnostic-settings', apis: ['automationAccounts:list','diagnosticSettings:listByAutomationAccounts'], @@ -55,7 +55,7 @@ module.exports = { }); if (missingLogs.length) { - helpers.addResult(results, 2, `Automation account does not have diagnostic logs enabled. Missings logs: ${missingLogs}`, location, account.id); + helpers.addResult(results, 2, `Automation account does not have diagnostic logs enabled. Missing logs: ${missingLogs}`, location, account.id); } else { helpers.addResult(results, 0, 'Automation account has diagnostic logs enabled', location, account.id); } diff --git a/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.spec.js b/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.spec.js index 474c017cb2..f395d07d34 100644 --- a/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.spec.js +++ b/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.spec.js 
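Review bot: The corrected failure message in the second hunk still interpolates the `missingLogs` array directly, so the emitted text reads `Missing logs: a,b` with no separator space; since the line is being edited anyway, `Missing logs: ${missingLogs.join(', ')}` gives a readable list. The spec only asserts the message prefix, so it stays valid either way. The run function enclosing this hunk starts and ends outside the hunk.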
@@ -245,7 +245,7 @@ describe('automationAccountDiagnosticLogs', function () { automationAccountDiagnosticLogs.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Automation account does not have diagnostic logs enabled. Missings'); + expect(results[0].message).to.include('Automation account does not have diagnostic logs enabled. Missing'); expect(results[0].region).to.equal('eastus'); done(); }); From 04d7f35aa880a2625ab9e363d4a3b33ee5db7c5d Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Wed, 27 Dec 2023 00:27:11 +0500 Subject: [PATCH 368/498] Azure/Automation-Account-Managed-identity --- exports.js | 1 + .../automationAccountManagedIdentity.js | 53 ++++++++++ .../automationAccountManagedIdentity.spec.js | 100 ++++++++++++++++++ 3 files changed, 154 insertions(+) create mode 100644 plugins/azure/automationAccounts/automationAccountManagedIdentity.js create mode 100644 plugins/azure/automationAccounts/automationAccountManagedIdentity.spec.js diff --git a/exports.js b/exports.js index 2b5b1e175e..6e7d662519 100644 --- a/exports.js +++ b/exports.js @@ -1041,6 +1041,7 @@ module.exports = { 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'), 'automationAccountDiagnosticLogs': require(__dirname + '/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.js'), + 'automationAccountManagedIdentity': require(__dirname + '/plugins/azure/automationAccounts/automationAccountManagedIdentity.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/plugins/azure/automationAccounts/automationAccountManagedIdentity.js b/plugins/azure/automationAccounts/automationAccountManagedIdentity.js new file mode 100644 index 0000000000..7df58dc2bb --- /dev/null +++ b/plugins/azure/automationAccounts/automationAccountManagedIdentity.js 
@@ -0,0 +1,53 @@ +const async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Automation Account Diagnostic Logs', + category: 'Automation', + domain: 'Management and Governance', + description: 'Ensures that diagnostic logging is enabled for Azure Automation account.', + more_info: 'Azure Automation can send runbook job status and job streams to get insights, alert emails and correlate jobs across automation accounts. It also allows you to get the audit logs related to Automation accounts, runbooks, and other asset create, modify and delete operations.', + recommended_action: 'Enable diagnostic logging for all Automation accounts.', + link: 'https://learn.microsoft.com/en-us/azure/automation/automation-manage-send-joblogs-log-analytics#azure-automation-diagnostic-settings', + apis: ['automationAccounts:list','getAutomationAccount:listByAccounts'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.automationAccounts, (location, rcb) => { + const automationAccounts = helpers.addSource(cache, source, + ['automationAccounts', 'list', location]); + + if (!automationAccounts) return rcb(); + + if (automationAccounts.err || !automationAccounts.data) { + helpers.addResult(results, 3, + 'Unable to query Automation accounts: ' + helpers.addError(automationAccounts), location); + return rcb(); + } + + if (!automationAccounts.data.length) { + helpers.addResult(results, 0, 'No existing Automation accounts found', location); + return rcb(); + } + + for (var account of automationAccounts.data) { + if (!account.id) continue; + var identityType = account.identity && account.identity.type? 
account.identity.type : null; + + if (identityType && (identityType.includes('systemassigned') || identityType.includes('userassigned'))) { + helpers.addResult(results, 0, 'Automation account has managed identity enabled', location, account.id); + } else { + helpers.addResult(results, 2, 'Automation account does not have managed identity enabled', location, account.id); + } + } + + rcb(); + }, function() { + callback(null, results, source); + }); + } +}; + diff --git a/plugins/azure/automationAccounts/automationAccountManagedIdentity.spec.js b/plugins/azure/automationAccounts/automationAccountManagedIdentity.spec.js new file mode 100644 index 0000000000..82f76af6c9 --- /dev/null +++ b/plugins/azure/automationAccounts/automationAccountManagedIdentity.spec.js 
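Review bot: The managed-identity check inside the `for` loop compares `account.identity.type` against the lowercase strings `'systemassigned'` and `'userassigned'` without normalizing case, so an identity reported as `SystemAssigned` would be flagged as having no managed identity; the spec fixture is all-lowercase, but I cannot confirm from here that live ARM responses use that casing, so the check should not depend on it. Lowercase the value once where it is read: `var identityType = account.identity && account.identity.type ? account.identity.type.toLowerCase() : null;`. That keeps the `includes` substring checks below unchanged.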
@@ -0,0 +1,100 @@ +var expect = require('chai').expect; +var automationAccountManagedIdentity = require('./automationAccountManagedIdentity.js'); + +const automationAccounts = [ + { + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/DefaultResourceGroup-EUS/providers/Microsoft.Automation/automationAccounts/Automate-26a1a07e-06dd-4892-92c9-e4996b0fc546-EUS2", + "location": "EastUS2", + "name": "Automate-26a1a07e-06dd-4892-92c9-e4996b0fc546-EUS2", + "type": "Microsoft.Automation/AutomationAccounts", + "tags": {}, + "properties": { + "creationTime": "2023-10-27T07:27:02.76+00:00", + "lastModifiedTime": "2023-10-27T07:27:02.76+00:00" + }, + "identity": { + "type": "systemassigned,userassigned", + "principalId": "dc03d47d-e6df-491f-aebe-50a93412a890", + "tenantId": "d207c7bd-fcb1-4dd3-855a-cfd2f9b651e8", + "userAssignedIdentities": { + "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testmeerab": { + "PrincipalId": "1d34c2cd-bd53-487d-b3a9-6064465497c9", + "ClientId": "2071caa1-3668-4de3-babc-155cfe3e38e5" + } + } + } + }, + { + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/DefaultResourceGroup-CUS/providers/Microsoft.Automation/automationAccounts/Automate-26a1a07e-06dd-4892-92c9-e4996b0fc546-CUS", + "location": "centralus", + "name": "Automate-26a1a07e-06dd-4892-92c9-e4996b0fc546-CUS", + "type": "Microsoft.Automation/AutomationAccounts", + "tags": {}, + "properties": { + "creationTime": "2023-07-17T13:09:21.4866667+00:00", + "lastModifiedTime": "2023-07-17T13:09:21.4866667+00:00" + } + } +]; + +const createCache = (automationAccounts,err) => { + return { + automationAccounts: { + list: { + 'eastus': { + data: automationAccounts, + err: err + } + } + } + } +}; + +describe('automationAccountManagedIdentity', function () { + describe('run', function () { + + it('should give pass result if No existing automation accounts found', 
function (done) { + const cache = createCache([]); + automationAccountManagedIdentity.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Automation accounts found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if Unable to query automation accounts:', function (done) { + const cache = createCache(null, 'Error'); + automationAccountManagedIdentity.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Automation accounts:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if automation account has managed identity enabled', function (done) { + const cache = createCache([automationAccounts[0]]); + automationAccountManagedIdentity.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Automation account has managed identity enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if automation account does not have managed identity enabled', function (done) { + const cache = createCache([automationAccounts[1]]); + automationAccountManagedIdentity.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Automation account does not have managed identity enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file From 712e15eff1839f5394a89676df569478eddc8b49 Mon Sep 17 00:00:00 2001 
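Review bot: The passing-case fixture only exercises the all-lowercase identity type `"systemassigned,userassigned"`, so these tests cannot catch a case-sensitivity problem in the plugin's `includes('systemassigned')` comparison if the service returns `SystemAssigned`; add a fixture with `"identity": { "type": "SystemAssigned" }` and a test asserting status 0 so the expected casing is pinned. Separately, `createCache` keys every fixture under `'eastus'` while the fixtures themselves say `EastUS2` and `centralus`, so `expect(results[0].region).to.equal('eastus')` is asserting the cache key rather than anything about the resource; harmless, but worth aligning the fixture locations with the key.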
From: alphadev4 Date: Wed, 27 Dec 2023 00:32:29 +0500 Subject: [PATCH 369/498] updated description --- .../automationAccountManagedIdentity.js | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/plugins/azure/automationAccounts/automationAccountManagedIdentity.js b/plugins/azure/automationAccounts/automationAccountManagedIdentity.js index 7df58dc2bb..72b450b3f1 100644 --- a/plugins/azure/automationAccounts/automationAccountManagedIdentity.js +++ b/plugins/azure/automationAccounts/automationAccountManagedIdentity.js 
@@ -2,14 +2,14 @@ const async = require('async'); const helpers = require('../../../helpers/azure'); module.exports = { - title: 'Automation Account Diagnostic Logs', + title: 'Automation Account Managed Identity', category: 'Automation', domain: 'Management and Governance', - description: 'Ensures that diagnostic logging is enabled for Azure Automation account.', - more_info: 'Azure Automation can send runbook job status and job streams to get insights, alert emails and correlate jobs across automation accounts. It also allows you to get the audit logs related to Automation accounts, runbooks, and other asset create, modify and delete operations.', - recommended_action: 'Enable diagnostic logging for all Automation accounts.', - link: 'https://learn.microsoft.com/en-us/azure/automation/automation-manage-send-joblogs-log-analytics#azure-automation-diagnostic-settings', - apis: ['automationAccounts:list','getAutomationAccount:listByAccounts'], + description: 'Ensure that Azure Automation accounts have managed identity enabled.', + more_info: 'Enabling managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.', + recommended_action: 'Modify automation account and enabled managed identity.', + link: 'https://learn.microsoft.com/en-us/azure/automation/quickstarts/enable-managed-identity', + apis: ['automationAccounts:list'], run: function(cache, settings, callback) { const results = []; From 96cb120369d9131694acbb4feab4d9ca7934a228 Mon Sep 17 00:00:00 2001 From: Fatima <66124862+fatima99s@users.noreply.github.com> Date: Wed, 27 Dec 2023 12:38:08 +0500 Subject: [PATCH 370/498] Update plugins/aws/ec2/defaultSecurityGroupInUse.js Co-authored-by: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> --- plugins/aws/ec2/defaultSecurityGroupInUse.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
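Review bot: The new `recommended_action` string has a verb-form error (`and enabled managed identity`) and `more_info` has a subject–verb mismatch (`Enabling managed identities eliminate`); these are user-facing strings in the plugin metadata. Suggested lines: `recommended_action: 'Modify automation account and enable managed identity.'` and `more_info: 'Enabling managed identities eliminates the need for developers to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.'`. Dropping the unused `getAutomationAccount:listByAccounts` entry from `apis` looks right, since the run body only reads `automationAccounts:list`.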
diff --git a/plugins/aws/ec2/defaultSecurityGroupInUse.js b/plugins/aws/ec2/defaultSecurityGroupInUse.js index f984506ab7..bf30dd5c93 100644 --- a/plugins/aws/ec2/defaultSecurityGroupInUse.js +++ b/plugins/aws/ec2/defaultSecurityGroupInUse.js @@ -10,7 +10,7 @@ module.exports = { link: 'http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#default-security-group', recommended_action: 'Modify EC2 instances and change security group.', apis: ['EC2:describeInstances'], - realtime_triggers: ['ec2:RunInstances', 'ec2:ModifyInstanceAttribute', 'ec2:TerminateInnstances'], + realtime_triggers: ['ec2:RunInstances', 'ec2:ModifyInstanceAttribute', 'ec2:TerminateInstances'], run: function(cache, settings, callback) { var results = []; From 58e3c34266086dadbd19092c1087e32a67b4f2b0 Mon Sep 17 00:00:00 2001 From: Fatima <66124862+fatima99s@users.noreply.github.com> Date: Wed, 27 Dec 2023 12:38:19 +0500 Subject: [PATCH 371/498] Update plugins/aws/ec2/defaultVpcInUse.js Co-authored-by: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> --- plugins/aws/ec2/defaultVpcInUse.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/aws/ec2/defaultVpcInUse.js b/plugins/aws/ec2/defaultVpcInUse.js index d9d0516264..f4e5cb7498 100644 --- a/plugins/aws/ec2/defaultVpcInUse.js +++ b/plugins/aws/ec2/defaultVpcInUse.js 
@@ -10,7 +10,7 @@ module.exports = { link: 'http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/default-vpc.html', recommended_action: 'Move resources from the default VPC to a new VPC created for that application or resource group.', apis: ['EC2:describeVpcs', 'EC2:describeInstances', 'ELB:describeLoadBalancers', 'Lambda:listFunctions', 'RDS:describeDBInstances', 'Redshift:describeClusters'], - realtime_triggers: ['ec2:CreateVpc', 'ec2:DeleteVpc', 'ec2:ModifyVpcAttribute', 'ec2:RunInstances', 'TerminateInstances','elb:CreateLoadBalancer','elb:ModifyLoadBalancerAttributes','elb:DeleteLoadBalancer', 'lambda:CreateFunction','lambda:UpdateFunctionConfiguration', 'lamda:DeleteFunction','rds:CreateDBInstance','rds:ModifyDBInstance','rds:DeleteDBInstance','redshift:CreateCluster','redshift:ModifyCluster', 'redshift:DeleteCluster'], + realtime_triggers: ['ec2:CreateVpc', 'ec2:DeleteVpc', 'ec2:ModifyVpcAttribute', 'ec2:RunInstances', 'ec2:TerminateInstances','elb:CreateLoadBalancer','elb:ModifyLoadBalancerAttributes','elb:DeleteLoadBalancer', 'lambda:CreateFunction','lambda:UpdateFunctionConfiguration', 'lamda:DeleteFunction','rds:CreateDBInstance','rds:ModifyDBInstance','rds:DeleteDBInstance','redshift:CreateCluster','redshift:ModifyCluster', 'redshift:DeleteCluster'], run: function(cache, settings, callback) { var results = []; From 7c94a88c285bea5317845f31564ad6cff7d23b6d Mon Sep 17 00:00:00 2001 From: Fatima <66124862+fatima99s@users.noreply.github.com> Date: Wed, 27 Dec 2023 12:38:27 +0500 Subject: [PATCH 372/498] Update plugins/aws/elbv2/elbv2WafEnabled.js Co-authored-by: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> --- plugins/aws/elbv2/elbv2WafEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/aws/elbv2/elbv2WafEnabled.js b/plugins/aws/elbv2/elbv2WafEnabled.js index d2614e700b..19993a5944 100644 --- a/plugins/aws/elbv2/elbv2WafEnabled.js +++ b/plugins/aws/elbv2/elbv2WafEnabled.js 
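Review bot: The corrected trigger line still carries `'lamda:DeleteFunction'` (missing `b`), so the Lambda deletion trigger remains misspelled while the neighbouring entries on the same line use `lambda:`; fix it in the same pass: `'lambda:DeleteFunction'`. The `ec2:TerminateInstances` correction itself is fine and matches the prefix used by the other EC2 entries.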
@@ -10,7 +10,7 @@ module.exports = { link: 'https://aws.amazon.com/blogs/aws/aws-web-application-firewall-waf-for-application-load-balancers/', recommended_action: '1. Enter the WAF service. 2. Enter Web ACLs and filter by the region the Application Load Balancer is in. 3. If no Web ACL is found, Create a new Web ACL in the region the ALB resides and in Resource type to associate with web ACL, select the Load Balancer. ', apis: ['ELBv2:describeLoadBalancers', 'WAFV2:listWebACLs', 'WAFRegional:listWebACLs', 'WAFV2:listResourcesForWebACL', 'WAFRegional:listResourcesForWebACL'], - realtime_triggers: ['elbv2:CreateLoadBalancer', 'wafv2:CreateWebAcl', 'wafv2:UpdateWebAacl', 'wafregional:CreateWebAcl', 'wafregional:UpdateWebAcl', 'wafv2:DeleteWebAcl', 'wafregional:DeleteWebAcl'], + realtime_triggers: ['elbv2:CreateLoadBalancer', 'wafv2:CreateWebAcl', 'wafv2:UpdateWebAcl', 'wafregional:CreateWebAcl', 'wafregional:UpdateWebAcl', 'wafv2:DeleteWebAcl', 'wafregional:DeleteWebAcl'], run: function(cache, settings, callback) { var results = []; From 8d4f276813605f224f01290f551dfddf9a51f482 Mon Sep 17 00:00:00 2001 From: Fatima <66124862+fatima99s@users.noreply.github.com> Date: Wed, 27 Dec 2023 12:38:39 +0500 Subject: [PATCH 373/498] Update plugins/aws/eventbridge/eventsInUse.js Co-authored-by: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> --- plugins/aws/eventbridge/eventsInUse.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/aws/eventbridge/eventsInUse.js b/plugins/aws/eventbridge/eventsInUse.js index 2ee7c5ae15..a30b48d90f 100644 --- a/plugins/aws/eventbridge/eventsInUse.js +++ b/plugins/aws/eventbridge/eventsInUse.js 
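Review bot: The WAF trigger names use mixed-case `WebAcl`, but the WAFv2 and WAF Regional API operations — and the CloudTrail `eventName` values they produce — are `CreateWebACL`, `UpdateWebACL` and `DeleteWebACL`; if these triggers are matched case-sensitively against event names (the matcher is not visible from here), none of the six WAF entries will fire, and the typo fix only corrects one of them. Suggested entries: `'wafv2:CreateWebACL', 'wafv2:UpdateWebACL', 'wafregional:CreateWebACL', 'wafregional:UpdateWebACL', 'wafv2:DeleteWebACL', 'wafregional:DeleteWebACL'`. Worth checking how the matcher compares before relying on the current spelling.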
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rules.html', recommended_action: 'Create EventBridge event rules to meet regulatory and compliance requirement within your organization.', apis: ['EventBridge:listRules'], - realtime_triggers: ['eventbridge:PutRules', 'eventbridge:EnableRule', 'eventbridge:DeleteRule'], + realtime_triggers: ['eventbridge:PutRule', 'eventbridge:EnableRule', 'eventbridge:DeleteRule'], run: function(cache, settings, callback) { var results = []; From 5304c7f00a2e6898caff3a0d085851ebfad8ad5a Mon Sep 17 00:00:00 2001 From: Fatima <66124862+fatima99s@users.noreply.github.com> Date: Wed, 27 Dec 2023 12:38:47 +0500 Subject: [PATCH 374/498] Update plugins/aws/ec2/ebsBackupEnabled.js Co-authored-by: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> --- plugins/aws/ec2/ebsBackupEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/aws/ec2/ebsBackupEnabled.js b/plugins/aws/ec2/ebsBackupEnabled.js index d14288e5e7..79a64c2729 100644 --- a/plugins/aws/ec2/ebsBackupEnabled.js +++ b/plugins/aws/ec2/ebsBackupEnabled.js @@ -18,7 +18,7 @@ module.exports = { default: 'true' } }, - realtime_triggers: ['ec2:CreateSnapshot', 'ec2:CreateVloume', 'ec2: DeleteVolume', 'ec2:DeleteSnapshot'], + realtime_triggers: ['ec2:CreateSnapshot', 'ec2:CreateVolume', 'ec2: DeleteVolume', 'ec2:DeleteSnapshot'], run: function(cache, settings, callback) { let results = []; From 2c30aaddb46b5ff2f5d9c445732292a5f8f14ce3 Mon Sep 17 00:00:00 2001 
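Review bot: The eventsInUse triggers use an `eventbridge:` prefix, but the IAM action namespace and CloudTrail event source for these operations are `events` (`events:PutRule`, `events:EnableRule`, `events:DeleteRule`, source `events.amazonaws.com`); the later commit in this series rewrites the ELB prefixes to their IAM service names for the same reason, so this list presumably wants `'events:PutRule', 'events:EnableRule', 'events:DeleteRule'`. I cannot see the trigger matcher from here, so confirm which form it expects before changing the prefix.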
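Review bot: The corrected ebsBackupEnabled trigger line still contains `'ec2: DeleteVolume'` with a stray space after the colon, so that trigger will not match the `ec2:DeleteVolume` form used by its siblings; fix it alongside the `CreateVolume` typo: `realtime_triggers: ['ec2:CreateSnapshot', 'ec2:CreateVolume', 'ec2:DeleteVolume', 'ec2:DeleteSnapshot'],`. A one-off lint that rejects whitespace inside trigger strings would have caught both typos in this commit.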
From: fatima99s Date: Wed, 27 Dec 2023 12:49:45 +0500 Subject: [PATCH 375/498] updated elb triggers --- plugins/aws/elb/appTierElbSecurity.js | 2 +- plugins/aws/elb/classicELBInUse.js | 2 +- plugins/aws/elb/connectionDrainingEnabled.js | 2 +- plugins/aws/elb/crosszoneLoadBalancing.js | 2 +- plugins/aws/elb/elbHasTags.js | 2 +- plugins/aws/elb/elbHttpsOnly.js | 2 +- plugins/aws/elb/elbLoggingEnabled.js | 2 +- plugins/aws/elb/elbNoInstances.js | 2 +- plugins/aws/elb/elbUnhealthyInstances.js | 2 +- plugins/aws/elb/insecureCiphers.js | 2 +- plugins/aws/elbv2/elbv2DeletionProtection.js | 2 +- plugins/aws/elbv2/elbv2DeprecatedSslPolicies.js | 2 +- plugins/aws/elbv2/elbv2DeregistrationDelay.js | 2 +- plugins/aws/elbv2/elbv2HasTags.js | 2 +- plugins/aws/elbv2/elbv2HttpsOnly.js | 2 +- plugins/aws/elbv2/elbv2InsecureCiphers.js | 2 +- plugins/aws/elbv2/elbv2LoggingEnabled.js | 2 +- plugins/aws/elbv2/elbv2MinimumTargetInstances.js | 2 +- plugins/aws/elbv2/elbv2NlbListenerSecurity.js | 2 +- plugins/aws/elbv2/elbv2NoInstances.js | 2 +- plugins/aws/elbv2/elbv2SslTermination.js | 2 +- plugins/aws/elbv2/elbv2TLSVersionCipherEnabled.js | 2 +- plugins/aws/elbv2/elbv2UnhealthyInstance.js | 2 +- plugins/aws/elbv2/elbv2WafEnabled.js | 2 +- plugins/aws/elbv2/elbv2crosszoneLoadBalancing.js | 2 +- 25 files changed, 25 insertions(+), 25 deletions(-) diff --git a/plugins/aws/elb/appTierElbSecurity.js b/plugins/aws/elb/appTierElbSecurity.js index 9e68b028bb..40255b9c5f 100644 --- a/plugins/aws/elb/appTierElbSecurity.js +++ b/plugins/aws/elb/appTierElbSecurity.js 
@@ -24,7 +24,7 @@ module.exports = { default: 'ELBSecurityPolicy-2016-08,ELBSecurityPolicy-TLS-1-2-2017-01,ELBSecurityPolicy-TLS-1-1-2017-01' } }, - realtime_triggers: ['elb:CreateLoadBalancerListeners','elb:CreateLoadBalancer', 'elb:DeleteLoadBalancer', 'elb:DeleteLoadBalancerListeners'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancerListeners','elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:DeleteLoadBalancer', 'elasticloadbalancing:DeleteLoadBalancerListeners'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elb/classicELBInUse.js b/plugins/aws/elb/classicELBInUse.js index ae2157c464..b986e5a240 100644 --- a/plugins/aws/elb/classicELBInUse.js +++ b/plugins/aws/elb/classicELBInUse.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://aws.amazon.com/elasticloadbalancing/features/', recommended_action: 'Detach Classic Load balancer from HTTP/HTTPS applications and attach Application Load Balancer to those applications', apis: ['ELB:describeLoadBalancers', 'STS:getCallerIdentity'], - realtime_triggers: ['elb:CreateLoadBalancer', 'elb:DeleteLoadBalancer'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elb/connectionDrainingEnabled.js b/plugins/aws/elb/connectionDrainingEnabled.js index 7abd3ba7bb..58b51efe20 100644 --- a/plugins/aws/elb/connectionDrainingEnabled.js +++ b/plugins/aws/elb/connectionDrainingEnabled.js 
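Review bot: The appTierElbSecurity trigger list only covers listener and load-balancer create/delete, yet the settings block just above it (`ELBSecurityPolicy-…` defaults) indicates the check is about which security policy a listener uses, and that can change via `CreateLoadBalancerPolicy` or `SetLoadBalancerPoliciesOfListener` without any listener being recreated; the sibling insecureCiphers plugin later in this patch does include `CreateLoadBalancerPolicy`. Consider `realtime_triggers: ['elasticloadbalancing:CreateLoadBalancerListeners', 'elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:DeleteLoadBalancer', 'elasticloadbalancing:DeleteLoadBalancerListeners', 'elasticloadbalancing:CreateLoadBalancerPolicy', 'elasticloadbalancing:SetLoadBalancerPoliciesOfListener'],`. The run body is outside the hunk, so I am inferring the check's scope from the settings and title alone.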
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-conn-drain.html', recommended_action: 'Update ELBs to enable connection draining', apis: ['ELB:describeLoadBalancers', 'ELB:describeLoadBalancerAttributes', 'STS:getCallerIdentity'], - realtime_triggers: ['elb:CreateLoadBalancer', 'elb:ModifyLoadBalancerAttributes', 'elb:DeleteLoadBalancer'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:ModifyLoadBalancerAttributes', 'elasticloadbalancing:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elb/crosszoneLoadBalancing.js b/plugins/aws/elb/crosszoneLoadBalancing.js index 14f702899c..73fd645bef 100644 --- a/plugins/aws/elb/crosszoneLoadBalancing.js +++ b/plugins/aws/elb/crosszoneLoadBalancing.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html', recommended_action: 'Update AWS ELB to enable cross zone load balancing', apis: ['ELB:describeLoadBalancers', 'ELB:describeLoadBalancerAttributes', 'STS:getCallerIdentity'], - realtime_triggers: ['elb:CreateLoadBalancer', 'elb:ModifyLoadBalancerAttributes', 'elb:AttachLoadBalancerToSubnets', 'elb:DeleteLoadBalancer'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:ModifyLoadBalancerAttributes', 'elasticloadbalancing:AttachLoadBalancerToSubnets', 'elasticloadbalancing:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elb/elbHasTags.js b/plugins/aws/elb/elbHasTags.js index 552ea9e9bb..4330786602 100644 --- a/plugins/aws/elb/elbHasTags.js +++ b/plugins/aws/elb/elbHasTags.js 
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_AddTags.html', recommended_action: 'Modify ELB and add tags.', apis: ['ELB:describeLoadBalancers', 'ResourceGroupsTaggingAPI:getResources', 'STS:getCallerIdentity'], - realtime_triggers: ['elb:CreateLoadBalancer', 'elb:AddTags', 'elb:RemoveTags', 'elb:DeleteLoadBalancer'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:AddTags', 'elasticloadbalancing:RemoveTags', 'elasticloadbalancing:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elb/elbHttpsOnly.js b/plugins/aws/elb/elbHttpsOnly.js index 4a5634ebd3..651912140e 100644 --- a/plugins/aws/elb/elbHttpsOnly.js +++ b/plugins/aws/elb/elbHttpsOnly.js @@ -20,7 +20,7 @@ module.exports = { apis_remediate: ['ELB:describeLoadBalancers'], actions: {remediate: ['ELB:deleteLoadBalancerListeners'], rollback: ['ELB:createLoadBalancerListeners']}, permissions: {remediate: ['elasticloadbalancing:DeleteLoadBalancerListeners'], rollback: ['elasticloadbalancing:CreateLoadBalancerListeners']}, - realtime_triggers: ['elb:CreateLoadBalancerListeners','elb:CreateLoadBalancer', 'elb:DeleteLoadBalancer', 'elb:DeleteLoadBalancerListeners'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancerListeners','elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:DeleteLoadBalancer', 'elasticloadbalancing:DeleteLoadBalancerListeners'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elb/elbLoggingEnabled.js b/plugins/aws/elb/elbLoggingEnabled.js index 6c7d6cdbbd..bf6c547bef 100644 --- a/plugins/aws/elb/elbLoggingEnabled.js +++ b/plugins/aws/elb/elbLoggingEnabled.js 
@@ -22,7 +22,7 @@ module.exports = { pci: 'PCI requires logging of all network access to environments containing ' + 'cardholder data. Enable ELB logs to log these network requests.' }, - realtime_triggers: ['elb:CreateLoadBalancer', 'elb:ModifyLoadBalancerAttributes', 'elb:DeleteLoadBalancer'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:ModifyLoadBalancerAttributes', 'elasticloadbalancing:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elb/elbNoInstances.js b/plugins/aws/elb/elbNoInstances.js index 2ac07c8147..6fc3420f80 100644 --- a/plugins/aws/elb/elbNoInstances.js +++ b/plugins/aws/elb/elbNoInstances.js @@ -24,7 +24,7 @@ module.exports = { remediate: ['elasticloadbalancing:DeleteLoadBalancer'], rollback: ['elasticloadbalancing:CreateLoadBalancer'] }, - realtime_triggers: ['elb:CreateLoadBalancer', 'elb:DeleteLoadBalancer'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elb/elbUnhealthyInstances.js b/plugins/aws/elb/elbUnhealthyInstances.js index c4e1e5aa5f..8989ccb135 100644 --- a/plugins/aws/elb/elbUnhealthyInstances.js +++ b/plugins/aws/elb/elbUnhealthyInstances.js 
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-healthchecks.html#check-instance-health', recommended_action: 'Investigate and resolve the health issues of the instances attached to the ELB.', apis: ['ELB:describeLoadBalancers', 'ELB:describeInstanceHealth', 'STS:getCallerIdentity'], - realtime_triggers: ['elb:CreateLoadBalancer', 'elb:RegisterInstancesWithLoadBalancer', 'elb:DeregisterInstancesWithLoadBalancer', 'elb:DeleteLoadBalancer'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:RegisterInstancesWithLoadBalancer', 'elasticloadbalancing:DeregisterInstancesWithLoadBalancer', 'elasticloadbalancing:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elb/insecureCiphers.js b/plugins/aws/elb/insecureCiphers.js index ad1601330a..3fadd2ee14 100644 --- a/plugins/aws/elb/insecureCiphers.js +++ b/plugins/aws/elb/insecureCiphers.js @@ -92,7 +92,7 @@ module.exports = { pci: 'PCI requires secure transfer of cardholder data. It does not permit SSL or TLS ' + 'version 1.0. ELB listeners should be configured for TLS v1.2.' }, - realtime_triggers: ['elb:CreateLoadBalancer','elb:CreateLoadBalancerPolicy', 'elb:DeleteLoadBalancerPolicy', 'elb:DeleteLoadBalancer'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer','elasticloadbalancing:CreateLoadBalancerPolicy', 'elasticloadbalancing:DeleteLoadBalancerPolicy', 'elasticloadbalancing:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2DeletionProtection.js b/plugins/aws/elbv2/elbv2DeletionProtection.js index 323c77cf7d..164f678136 100644 --- a/plugins/aws/elbv2/elbv2DeletionProtection.js +++ b/plugins/aws/elbv2/elbv2DeletionProtection.js 
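Review bot: `'elasticloadbalancing:DeregisterInstancesWithLoadBalancer'` in the elbUnhealthyInstances list is not a Classic ELB operation — the deregistration call is `DeregisterInstancesFromLoadBalancer` (only the register side uses `With`) — so the prefix fix preserves a trigger that can never match. Change it to `'elasticloadbalancing:DeregisterInstancesFromLoadBalancer'`. The insecureCiphers hunk on the same line could additionally list `elasticloadbalancing:SetLoadBalancerPoliciesOfListener`, since attaching an existing policy to a listener changes the cipher set without emitting a CreateLoadBalancerPolicy event.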
@@ -11,7 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#deletion-protection', recommended_action: 'Update ELBv2 load balancers to use deletion protection to prevent accidental deletion', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeLoadBalancerAttributes'], - realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:ModifyLoadBalancerAttributes', 'elbv2:DeleteLoadBalancer'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:ModifyLoadBalancerAttributes', 'elasticloadbalancing:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2DeprecatedSslPolicies.js b/plugins/aws/elbv2/elbv2DeprecatedSslPolicies.js index 5cda45035f..8350e5045f 100644 --- a/plugins/aws/elbv2/elbv2DeprecatedSslPolicies.js +++ b/plugins/aws/elbv2/elbv2DeprecatedSslPolicies.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html', recommended_action: 'Modify ELBv2 listeners with the latest predefined AWS security policies.', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeListeners'], - realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:CreateListener', 'elbv2:ModifyListener', 'elbv2:DeleteLoadBalancer', 'elbv2:DeleteListener'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:CreateListener', 'elasticloadbalancing:ModifyListener', 'elasticloadbalancing:DeleteLoadBalancer', 'elasticloadbalancing:DeleteListener'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2DeregistrationDelay.js b/plugins/aws/elbv2/elbv2DeregistrationDelay.js index d078502050..48171de67f 100644 --- a/plugins/aws/elbv2/elbv2DeregistrationDelay.js +++ b/plugins/aws/elbv2/elbv2DeregistrationDelay.js 
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#deregistration-delay', recommended_action: 'Update ELBv2 target group attributes and set the deregistration delay value', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeTargetGroups', 'ELBv2:describeTargetGroupAttributes'], - realtime_triggers: ['elbv2:CreateTargetGroup', 'elbv2:ModifyTargetGroupAttributes', 'elbv2:DeleteTargetGroup'], + realtime_triggers: ['elasticloadbalancing:CreateTargetGroup', 'elasticloadbalancing:ModifyTargetGroupAttributes', 'elasticloadbalancing:DeleteTargetGroup'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2HasTags.js b/plugins/aws/elbv2/elbv2HasTags.js index 440dab1c44..f96fde8a83 100644 --- a/plugins/aws/elbv2/elbv2HasTags.js +++ b/plugins/aws/elbv2/elbv2HasTags.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_AddTags.html', recommended_action: 'Modify ELBv2 and add tags.', apis: ['ELBv2:describeLoadBalancers', 'ResourceGroupsTaggingAPI:getResources'], - realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:AddTags', 'elbv2:RemoveTags', 'elbv2:DeleteLoadBalancer'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:AddTags', 'elasticloadbalancing:RemoveTags', 'elasticloadbalancing:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2HttpsOnly.js b/plugins/aws/elbv2/elbv2HttpsOnly.js index 0436d1c785..f8f1f481c5 100644 --- a/plugins/aws/elbv2/elbv2HttpsOnly.js +++ b/plugins/aws/elbv2/elbv2HttpsOnly.js 
@@ -20,7 +20,7 @@ module.exports = { apis_remediate: ['ELBv2:describeLoadBalancers','ELBv2:describeListeners'], actions: {remediate: ['ELBv2:deleteListener'], rollback: ['ELBv2:createListener']}, permissions: {remediate: ['elasticloadbalancing:DeleteListener'], rollback: ['elasticloadbalancing:CreateListener']}, - realtime_triggers: ['elbv2:CreateListener','elbv2:CreateLoadBalancer', 'elbv2:DeleteLoadBalancer', 'elbv2:DeleteListener'], + realtime_triggers: ['elasticloadbalancing:CreateListener','elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:DeleteLoadBalancer', 'elasticloadbalancing:DeleteListener'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2InsecureCiphers.js b/plugins/aws/elbv2/elbv2InsecureCiphers.js index 4d450073b0..1968a88815 100644 --- a/plugins/aws/elbv2/elbv2InsecureCiphers.js +++ b/plugins/aws/elbv2/elbv2InsecureCiphers.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.htmll', recommended_action: 'Modify ELBv2 listeners with the predefined AWS security policies containing secure ciphers.', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeListeners'], - realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:CreateListener', 'elbv2:ModifyListener', 'elbv2:DeleteLoadBalancer', 'elbv2:DeleteListener'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:CreateListener', 'elasticloadbalancing:ModifyListener', 'elasticloadbalancing:DeleteLoadBalancer', 'elasticloadbalancing:DeleteListener'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2LoggingEnabled.js b/plugins/aws/elbv2/elbv2LoggingEnabled.js index cbceee5bdf..4b85542963 100644 --- a/plugins/aws/elbv2/elbv2LoggingEnabled.js +++ b/plugins/aws/elbv2/elbv2LoggingEnabled.js 
@@ -22,7 +22,7 @@ module.exports = { pci: 'PCI requires logging of all network access to environments containing ' + 'cardholder data. Enable ELB logs to log these network requests.' }, - realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:ModifyLoadBalancerAttributes', 'elbv2:DeleteLoadBalancer'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:ModifyLoadBalancerAttributes', 'elasticloadbalancing:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2MinimumTargetInstances.js b/plugins/aws/elbv2/elbv2MinimumTargetInstances.js index dd2f498a75..1ff2828674 100644 --- a/plugins/aws/elbv2/elbv2MinimumTargetInstances.js +++ b/plugins/aws/elbv2/elbv2MinimumTargetInstances.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html', recommended_action: 'Associate at least two healthy target instances to AWS ELBv2 load balancer', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeTargetGroups', 'ELBv2:describeTargetHealth'], - realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:ModifyTargetGroup','elbv2:RegisterTarget', 'elbv2:DeregisterTargets', 'elbv2:DeleteLoadBalancer'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:ModifyTargetGroup','elasticloadbalancing:RegisterTarget', 'elasticloadbalancing:DeregisterTargets', 'elasticloadbalancing:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2NlbListenerSecurity.js b/plugins/aws/elbv2/elbv2NlbListenerSecurity.js index afda4af422..d752b3e453 100644 --- a/plugins/aws/elbv2/elbv2NlbListenerSecurity.js +++ b/plugins/aws/elbv2/elbv2NlbListenerSecurity.js 
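Review bot: The renamed trigger `'elasticloadbalancing:RegisterTarget'` in the elbv2MinimumTargetInstances hunk carries over a misspelled action name from the old list: the ELBv2 API action is `RegisterTargets` (plural, as `DeregisterTargets` on the same line already is), so if these lists are matched literally against event names this entry can never fire and the plugin's realtime path silently depends on the remaining triggers. The same carry-overs survive in elbv2SslTermination (`'elasticloadbalancing:CreateListeners'` should be `CreateListener`) and elbv2UnhealthyInstance (`'elasticloadbalancing:ModifyTargetGroups'` should be `ModifyTargetGroup`, plus `RegisterTarget` again). Since the commit only swaps the service prefix, fixing the action names in the same pass would keep these lists consistent with the `permissions` entries such as `elasticloadbalancing:DeleteListener` that already use the correct names.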
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.amazonaws.cn/en_us/elasticloadbalancing/latest/network/create-tls-listener.html', recommended_action: 'Attach TLS listener to AWS Network Load Balancer', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeListeners'], - realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:CreateListener', 'elbv2:ModifyListener','elbv2:DeleteListener', 'elbv2:DeleteLoadBalancer'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:CreateListener', 'elasticloadbalancing:ModifyListener','elasticloadbalancing:DeleteListener', 'elasticloadbalancing:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2NoInstances.js b/plugins/aws/elbv2/elbv2NoInstances.js index 3d6ddc97cd..3140b64692 100644 --- a/plugins/aws/elbv2/elbv2NoInstances.js +++ b/plugins/aws/elbv2/elbv2NoInstances.js @@ -24,7 +24,7 @@ module.exports = { remediate: ['elasticloadbalancing:DeleteLoadBalancer'], rollback: ['elasticloadbalancing:CreateLoadBalancer'] }, - realtime_triggers: ['elbv2:CreateLoadBalancer','elbv2:DeleteLoadBalancer'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer','elasticloadbalancing:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2SslTermination.js b/plugins/aws/elbv2/elbv2SslTermination.js index 5c92a98064..dacc00d35c 100644 --- a/plugins/aws/elbv2/elbv2SslTermination.js +++ b/plugins/aws/elbv2/elbv2SslTermination.js 
@@ -10,7 +10,7 @@ module.exports = { link: 'https://aws.amazon.com/blogs/aws/elastic-load-balancer-support-for-ssl-termination/', recommended_action: 'Attach SSL certificate with the listener to AWS Elastic Load Balancer', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeListeners'], - realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:CreateListeners','elbv2:ModifyListener', 'elbv2:DeleteLoadBalancer', 'elbv2:DeleteListener'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:CreateListeners','elasticloadbalancing:ModifyListener', 'elasticloadbalancing:DeleteLoadBalancer', 'elasticloadbalancing:DeleteListener'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2TLSVersionCipherEnabled.js b/plugins/aws/elbv2/elbv2TLSVersionCipherEnabled.js index 1f4662e39c..9a8b56c6af 100644 --- a/plugins/aws/elbv2/elbv2TLSVersionCipherEnabled.js +++ b/plugins/aws/elbv2/elbv2TLSVersionCipherEnabled.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html', recommended_action: 'Update ELBv2 load balancer traffic configuration to enable TLS version and cipher headers', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeLoadBalancerAttributes'], - realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:ModifyLoadBalancerAttributes', 'elbv2:DeleteLoadBalancer'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:ModifyLoadBalancerAttributes', 'elasticloadbalancing:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2UnhealthyInstance.js b/plugins/aws/elbv2/elbv2UnhealthyInstance.js index 5723ea1ffc..dcacd62986 100644 --- a/plugins/aws/elbv2/elbv2UnhealthyInstance.js +++ b/plugins/aws/elbv2/elbv2UnhealthyInstance.js 
@@ -11,7 +11,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/application/target-group-health-checks.html', recommended_action: 'Investigate and resolve the health issues with the instances attached to the ELB.', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeTargetGroups', 'ELBv2:describeTargetHealth'], - realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:ModifyTargetGroups', 'elbv2:RegisterTarget', 'elbv2:DeregisterTargets', 'elbv2:DeleteLoadBalancer', 'elbv2:DeleteTargetGroup'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:ModifyTargetGroups', 'elasticloadbalancing:RegisterTarget', 'elasticloadbalancing:DeregisterTargets', 'elasticloadbalancing:DeleteLoadBalancer', 'elasticloadbalancing:DeleteTargetGroup'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2WafEnabled.js b/plugins/aws/elbv2/elbv2WafEnabled.js index 19993a5944..393a1f269c 100644 --- a/plugins/aws/elbv2/elbv2WafEnabled.js +++ b/plugins/aws/elbv2/elbv2WafEnabled.js 
@@ -10,7 +10,7 @@ module.exports = { link: 'https://aws.amazon.com/blogs/aws/aws-web-application-firewall-waf-for-application-load-balancers/', recommended_action: '1. Enter the WAF service. 2. Enter Web ACLs and filter by the region the Application Load Balancer is in. 3. If no Web ACL is found, Create a new Web ACL in the region the ALB resides and in Resource type to associate with web ACL, select the Load Balancer. ', apis: ['ELBv2:describeLoadBalancers', 'WAFV2:listWebACLs', 'WAFRegional:listWebACLs', 'WAFV2:listResourcesForWebACL', 'WAFRegional:listResourcesForWebACL'], - realtime_triggers: ['elbv2:CreateLoadBalancer', 'wafv2:CreateWebAcl', 'wafv2:UpdateWebAcl', 'wafregional:CreateWebAcl', 'wafregional:UpdateWebAcl', 'wafv2:DeleteWebAcl', 'wafregional:DeleteWebAcl'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'wafv2:CreateWebAcl', 'wafv2:UpdateWebAcl', 'wafregional:CreateWebAcl', 'wafregional:UpdateWebAcl', 'wafv2:DeleteWebAcl', 'wafregional:DeleteWebAcl'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/elbv2/elbv2crosszoneLoadBalancing.js b/plugins/aws/elbv2/elbv2crosszoneLoadBalancing.js index e37fb85189..638c5f2a67 100644 --- a/plugins/aws/elbv2/elbv2crosszoneLoadBalancing.js +++ b/plugins/aws/elbv2/elbv2crosszoneLoadBalancing.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html', recommended_action: 'Update AWS ELBv2 load balancers to enable cross zone load balancing.', apis: ['ELBv2:describeLoadBalancers', 'ELBv2:describeLoadBalancerAttributes'], - realtime_triggers: ['elbv2:CreateLoadBalancer', 'elbv2:ModifyLoadBalancerAttributes', 'elbv2:DeleteLoadBalancer'], + realtime_triggers: ['elasticloadbalancing:CreateLoadBalancer', 'elasticloadbalancing:ModifyLoadBalancerAttributes', 'elasticloadbalancing:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; 
From 9e4d1861ae444d29013b70d4ae00e86614c2ea10 Mon Sep 17 00:00:00 2001 From: fatima99s Date: Wed, 27 Dec 2023 14:47:04 +0500 Subject: [PATCH 376/498] flexibleServerVNetIntegrated --- exports.js | 1 + .../flexibleServerVNetIntegrated.js | 50 ++++++++++ .../flexibleServerVNetIntegrated.spec.js | 96 +++++++++++++++++++ 3 files changed, 147 insertions(+) create mode 100644 plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.js create mode 100644 plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.spec.js diff --git a/exports.js b/exports.js index fe8c0f16b2..455b045be3 100644 --- a/exports.js +++ b/exports.js @@ -832,6 +832,7 @@ module.exports = { 'flexibleServerPrivateAccess' : require(__dirname + '/plugins/azure/postgresqlserver/flexibleServerPrivateAccess'), 'diagnosticLoggingEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/diagnosticLoggingEnabled.js'), 'flexibleServerSCRAMEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/flexibleServerSCRAMEnabled.js'), + 'flexibleServerVNetIntegrated' : require(__dirname + '/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.js'), 'flexibleServerDiagnosticLogs' : require(__dirname + '/plugins/azure/postgresqlserver/flexibleServerDiagnosticLogs.js'), 'openOracleAutoDataWarehouse' : require(__dirname + '/plugins/azure/networksecuritygroups/openOracleAutoDataWarehouse.js'), diff --git a/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.js b/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.js new file mode 100644 index 0000000000..786b728744 --- /dev/null +++ b/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.js 
@@ -0,0 +1,50 @@ +const async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'PostgreSQL Flexible Server VNet integrated', + category: 'PostgreSQL Server', + domain: 'Databases', + description: 'Ensure that PostgreSQL flexible servers has VNet integrated.', + more_info: 'Configuring PostgreSQL flexible server to operate within a Virtual Network (VNet) offers a myriad of benefits for enhanced security and operational control. By integrating with a VNet, you are proactively safeguarding your server against potential security threats and unauthorized access.', + recommended_action: 'Ensures Vnet (private access) is integrated for PostgreSQL flexible server.', + link: 'https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking-private', + apis: ['servers:listPostgresFlexibleServer'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.servers, (location, rcb) => { + const servers = helpers.addSource(cache, source, + ['servers', 'listPostgresFlexibleServer', location]); + + if (!servers) return rcb(); + + if (servers.err || !servers.data) { + helpers.addResult(results, 3, + 'Unable to query for PostgreSQL flexible servers: ' + helpers.addError(servers), location); + return rcb(); + } + + if (!servers.data.length) { + helpers.addResult(results, 0, 'No existing PostgreSQL flexible servers found', location); + return rcb(); + } + + for (let flexibleServer of servers.data) { + if (flexibleServer.network && flexibleServer.network.delegatedSubnetResourceId) { + helpers.addResult(results, 0, 'PostgreSQL flexible server has VNet integrated', location, flexibleServer.id); + } else { + helpers.addResult(results, 2, 'PostgreSQL flexible server does not have VNet integrated', location, flexibleServer.id); + } + } + + rcb(); + }, function() { + // Global checking goes here + 
callback(null, results, source); + }); + } +}; diff --git a/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.spec.js b/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.spec.js new file mode 100644 index 0000000000..d10171db8d --- /dev/null +++ b/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.spec.js 
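Review bot: `recommended_action` in the new plugin, `'Ensures Vnet (private access) is integrated for PostgreSQL flexible server.'`, restates what the check does instead of telling the operator what to change; the field is surfaced as remediation guidance, so an imperative such as `recommended_action: 'Deploy PostgreSQL flexible servers with private access (VNet integration) through a delegated subnet.'` matches the convention of the other plugins in this series. The `description` also has a number-agreement slip (`servers has` should be `servers have`), and the `// Global checking goes here` placeholder before `callback(null, results, source)` conveys nothing and should be dropped. flexibleServerPrivateDns.js in PATCH 378 has the same three issues.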
@@ -0,0 +1,96 @@ +var expect = require('chai').expect; +var flexibleServerVNetIntegrated = require('./flexibleServerVNetIntegrated'); + +const listPostgresFlexibleServer = [ +{ + "id": "/subscriptions/12345/resourceGroups/Default/providers/Microsoft.DBforPostgreSQL/flexibleServers/test-server", + "type": "Microsoft.DBforPostgreSQL/flexibleServers", + "storageProfile": { + "storageMB": 5120, + "backupRetentionDays": 7, + "geoRedundantBackup": "Disabled", + "storageAutogrow": "Disabled" + }, + "network":{ + "publicNetworkAccess": "Enabled" + } +}, +{ + "id": "/subscriptions/12345/resourceGroups/Default/providers/Microsoft.DBforPostgreSQL/flexibleServers/test-server2", + "type": "Microsoft.DBforPostgreSQL/flexibleServers", + "storageProfile": { + "storageMB": 5120, + "backupRetentionDays": 7, + "geoRedundantBackup": "Disabled", + "storageAutogrow": "Disabled" + }, + "network":{ + "delegatedSubnetResourceId" : "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/cloudsploit-dev/providers/Microsoft.Network/virtualNetworks/omer-virtual-network-test/subnets/default", + "privateDnsZoneArmResourceId" : "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/cloudsploit-dev/providers/Microsoft.Network/privateDnsZones/testflexibleserver11.private.postgres.database.azure.com", + "publicNetworkAccess": "Disabled" + } + +} + +]; + +const createCache = (listPostgres) => { + return { + servers: { + listPostgresFlexibleServer: { + 'eastus': { + data: listPostgres + } + } + } + }; +}; + +describe('flexibleServerVNetIntegrated', function() { + describe('run', function() { + it('should give passing result if no servers', function(done) { + const cache = createCache({}); + flexibleServerVNetIntegrated.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing PostgreSQL flexible servers found'); + expect(results[0].region).to.equal('eastus'); + done(); 
+ }); + }); + + it('should give failing result if Vnet is not configured', function(done) { + const cache = createCache([listPostgresFlexibleServer[0]]); + flexibleServerVNetIntegrated.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('PostgreSQL flexible server does not have VNet integrated'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give should give passing result if private endpoints are configured', function(done) { + const cache = createCache([listPostgresFlexibleServer[1]]); + flexibleServerVNetIntegrated.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('PostgreSQL flexible server has VNet integrated'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give UnKnown result if unable to query postgreSQL Server', function(done) { + const cache = createCache(null); + flexibleServerVNetIntegrated.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for PostgreSQL flexible servers: '); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + }) +}) \ No newline at end of file From 03d1349a085588cd5285c9a2eba1ecdb1c5f75d5 Mon Sep 17 00:00:00 2001 
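Review bot: The first test builds the cache with `createCache({})`, so `servers.data` is a plain object rather than the array the plugin iterates over; `!servers.data.length` only passes because `{}.length` is `undefined`, which means the "no servers" branch is exercised with a shape the API never returns. Use `const cache = createCache([]);` so the fixture matches a real empty response (the fourth test's `createCache(null)` is fine since it is meant to reach the error branch). The third test title, `'should give should give passing result if private endpoints are configured'`, repeats itself and talks about private endpoints although the assertion is about VNet integration. The spec for flexibleServerPrivateDns in PATCH 378 starts with the same `createCache({})` pattern.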
From: alphadev4 Date: Wed, 27 Dec 2023 14:53:05 +0500 Subject: [PATCH 377/498] Azure/App-Configuration-Managed-identity --- exports.js | 4 +- helpers/azure/api.js | 5 + helpers/azure/locations.js | 3 +- helpers/azure/resources.js | 5 +- .../appConfigurationManagedIdentity.js | 51 ++++++++ .../appConfigurationManagedIdentity.spec.js | 118 ++++++++++++++++++ 6 files changed, 183 insertions(+), 3 deletions(-) create mode 100644 plugins/azure/appConfigurations/appConfigurationManagedIdentity.js create mode 100644 plugins/azure/appConfigurations/appConfigurationManagedIdentity.spec.js diff --git a/exports.js b/exports.js index fe8c0f16b2..e8555a1911 100644 --- a/exports.js +++ b/exports.js @@ -1038,7 +1038,9 @@ module.exports = { 'amsDiagnosticLogsEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js'), 'amsPublicAccessDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsPublicAccessDisabled.js'), 'amsManagedIdentityEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsManagedIdentityEnabled.js'), - 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js') + 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'), + + 'appConfigurationManagedIdentity': require(__dirname + '/plugins/azure/appConfigurations/appConfigurationManagedIdentity.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/helpers/azure/api.js b/helpers/azure/api.js index d2a855693d..5cf0368d4b 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js 
@@ -187,6 +187,11 @@ var calls = { rateLimit: 3000 } }, + appConfigurations: { + list: { + url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.AppConfiguration/configurationStores?api-version=2023-03-01' + } + }, virtualNetworks: { listAll: { url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Network/virtualNetworks?api-version=2020-03-01' diff --git a/helpers/azure/locations.js b/helpers/azure/locations.js index 226bd2cd8f..e3bde0c48f 100644 --- a/helpers/azure/locations.js +++ b/helpers/azure/locations.js @@ -122,6 +122,7 @@ module.exports = { mediaServices: locations, serviceBus: locations, classicFrontDoors: ['global'], - afdWafPolicies: ['global'] + afdWafPolicies: ['global'], + appConfigurations: locations }; diff --git a/helpers/azure/resources.js b/helpers/azure/resources.js index a0338bc145..50fc64c9e7 100644 --- a/helpers/azure/resources.js +++ b/helpers/azure/resources.js @@ -255,6 +255,9 @@ module.exports = { list: 'id' }, devOpsAuditingSettings:{ - list:'id' + list: 'id' + }, + appConfigurations: { + list: 'id' } }; diff --git a/plugins/azure/appConfigurations/appConfigurationManagedIdentity.js b/plugins/azure/appConfigurations/appConfigurationManagedIdentity.js new file mode 100644 index 0000000000..e3e717a14b --- /dev/null +++ b/plugins/azure/appConfigurations/appConfigurationManagedIdentity.js 
@@ -0,0 +1,51 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'App Configurations Managed Identity', + category: 'App Configuration', + domain: 'Content Delivery', + description: 'Ensures that Azure App Configurations have managed identity enabled.', + more_info: 'Enabling managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.', + link: 'https://learn.microsoft.com/en-us/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity?tabs=core6x&pivots=framework-dotnet', + recommended_action: 'Modify App Configuration store and add managed identity.', + apis: ['appConfigurations:list'], + + run: function(cache, settings, callback) { + var results = []; + var source = {}; + var locations = helpers.locations(settings.govcloud); + + async.each(locations.appConfigurations, function(location, rcb){ + var appConfigurations = helpers.addSource(cache, source, + ['appConfigurations', 'list', location]); + + if (!appConfigurations) return rcb(); + + if (appConfigurations.err || !appConfigurations.data) { + helpers.addResult(results, 3, 'Unable to query App Configuration: ' + helpers.addError(appConfigurations), location); + return rcb(); + } + + if (!appConfigurations.data.length) { + helpers.addResult(results, 0, 'No existing App Configurations found', location); + return rcb(); + } + + for (let appConfiguration of appConfigurations.data) { + if (!appConfiguration.id) continue; + var identityType = appConfiguration.identity && appConfiguration.identity.type? 
appConfiguration.identity.type : null; + + if (identityType && (identityType.includes('systemassigned') || identityType.includes('userassigned'))) { + helpers.addResult(results, 0, 'App Configuration has managed identity enabled', location, appConfiguration.id); + } else { + helpers.addResult(results, 2, 'App Configuration does not have managed identity enabled', location, appConfiguration.id); + } + } + + rcb(); + }, function(){ + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/appConfigurations/appConfigurationManagedIdentity.spec.js b/plugins/azure/appConfigurations/appConfigurationManagedIdentity.spec.js new file mode 100644 index 0000000000..c3ab1d0c76 --- /dev/null +++ b/plugins/azure/appConfigurations/appConfigurationManagedIdentity.spec.js 
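Review bot: The managed-identity check `identityType.includes('systemassigned') || identityType.includes('userassigned')` compares case-sensitively, but the ARM `identity.type` enum is documented in PascalCase (`SystemAssigned`, `UserAssigned`, `SystemAssigned, UserAssigned`), so a store that does have an identity would be reported as status 2 unless the API happens to return lowercase. Normalising once is enough: `var identityType = appConfiguration.identity && appConfiguration.identity.type ? appConfiguration.identity.type.toLowerCase() : null;`. The accompanying spec fixture uses `"type": "systemassigned,userassigned"`, which is why the test passes as written; a fixture with the documented casing would have caught this.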
@@ -0,0 +1,118 @@ +var expect = require('chai').expect; +var appConfigurationManagedIdentity = require('./appConfigurationManagedIdentity.js'); + +const appConfigurations = [ + { + "type": "Microsoft.AppConfiguration/configurationStores", + "location": "eastus", + "properties": { + "provisioningState": "Succeeded", + "creationDate": "2023-12-27T09:26:54+00:00", + "endpoint": "https://meerab-test-rg.azconfig.io", + "encryption": { + "keyVaultProperties": null + }, + "privateEndpointConnections": null, + "publicNetworkAccess": "Disabled", + "disableLocalAuth": false, + "softDeleteRetentionInDays": 0, + "enablePurgeProtection": false + }, + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/meerab-rg/providers/Microsoft.AppConfiguration/configurationStores/meerab-test-rg", + "name": "meerab-test-rg", + "tags": {} + }, + { + "type": "Microsoft.AppConfiguration/configurationStores", + "location": "eastus", + "properties": { + "provisioningState": "Succeeded", + "creationDate": "2023-12-27T09:26:54+00:00", + "endpoint": "https://meerab-test-rg.azconfig.io", + "encryption": { + "keyVaultProperties": null + }, + "privateEndpointConnections": null, + "publicNetworkAccess": "Disabled", + "disableLocalAuth": false, + "softDeleteRetentionInDays": 0, + "enablePurgeProtection": false + }, + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/meerab-rg/providers/Microsoft.AppConfiguration/configurationStores/meerab-test-rg", + "name": "meerab-test-rg", + "tags": {}, + "identity": { + "type": "systemassigned,userassigned", + "principalId": "dc03d47d-e6df-491f-aebe-50a93412a890", + "tenantId": "d207c7bd-fcb1-4dd3-855a-cfd2f9b651e8", + "userAssignedIdentities": { + "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testmeerab": { + "PrincipalId": "1d34c2cd-bd53-487d-b3a9-6064465497c9", + "ClientId": "2071caa1-3668-4de3-babc-155cfe3e38e5" + } + } + } + } 
+]; + +const createCache = (appConfigurations,err) => { + return { + appConfigurations: { + list: { + 'eastus': { + data: appConfigurations, + err: err + } + } + } + } +}; + +describe('appConfigurationManagedIdentity', function () { + describe('run', function () { + + it('should give pass result if No existing app configurations found', function (done) { + const cache = createCache([]); + appConfigurationManagedIdentity.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing App Configurations found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if Unable to query app configurations:', function (done) { + const cache = createCache(null, 'Error'); + appConfigurationManagedIdentity.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query App Configuration:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if App Configuration has managed identity enabled', function (done) { + const cache = createCache([appConfigurations[1]]); + appConfigurationManagedIdentity.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('App Configuration has managed identity enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if App Configuration does not have managed identity enabled', function (done) { + const cache = createCache([appConfigurations[0]]); + appConfigurationManagedIdentity.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('App Configuration does not have managed identity 
enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file From 7efeee709663464db94751abab02f16a1dbf510a Mon Sep 17 00:00:00 2001 From: fatima99s Date: Wed, 27 Dec 2023 15:09:11 +0500 Subject: [PATCH 378/498] flexibleServerPrivateDnsZone --- exports.js | 1 + .../flexibleServerPrivateDns.js | 50 ++++++++++ .../flexibleServerPrivateDns.spec.js | 96 +++++++++++++++++++ 3 files changed, 147 insertions(+) create mode 100644 plugins/azure/postgresqlserver/flexibleServerPrivateDns.js create mode 100644 plugins/azure/postgresqlserver/flexibleServerPrivateDns.spec.js diff --git a/exports.js b/exports.js index fe8c0f16b2..41354d3ad3 100644 --- a/exports.js +++ b/exports.js @@ -833,6 +833,7 @@ module.exports = { 'diagnosticLoggingEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/diagnosticLoggingEnabled.js'), 'flexibleServerSCRAMEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/flexibleServerSCRAMEnabled.js'), 'flexibleServerDiagnosticLogs' : require(__dirname + '/plugins/azure/postgresqlserver/flexibleServerDiagnosticLogs.js'), + 'flexibleServerPrivateDns' : require(__dirname + '/plugins/azure/postgresqlserver/flexibleServerPrivateDns.js'), 'openOracleAutoDataWarehouse' : require(__dirname + '/plugins/azure/networksecuritygroups/openOracleAutoDataWarehouse.js'), 'networkWatcherEnabled' : require(__dirname + '/plugins/azure/networksecuritygroups/networkWatcherEnabled.js'), diff --git a/plugins/azure/postgresqlserver/flexibleServerPrivateDns.js b/plugins/azure/postgresqlserver/flexibleServerPrivateDns.js new file mode 100644 index 0000000000..805b30caba --- /dev/null +++ b/plugins/azure/postgresqlserver/flexibleServerPrivateDns.js 
@@ -0,0 +1,50 @@ +const async = require('async'); +const helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'PostgreSQL Flexible Server Private DNS Integrated', + category: 'PostgreSQL Server', + domain: 'Databases', + description: 'Ensure that PostgreSQL flexible servers has Private DNS Zone integrated.', + more_info: 'Integrate Private DNS Zones with PostgreSQL flexible servers to enhance DNS service reliability and security within your Azure virtual network, ensuring seamless DNS resolution and streamlined domain management.', + recommended_action: 'Ensures Vnet and Private DNS Zone (private access) is integrated for PostgreSQL flexible server.', + link: 'https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking-private', + apis: ['servers:listPostgresFlexibleServer'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.servers, (location, rcb) => { + const servers = helpers.addSource(cache, source, + ['servers', 'listPostgresFlexibleServer', location]); + + if (!servers) return rcb(); + + if (servers.err || !servers.data) { + helpers.addResult(results, 3, + 'Unable to query for PostgreSQL flexible servers: ' + helpers.addError(servers), location); + return rcb(); + } + + if (!servers.data.length) { + helpers.addResult(results, 0, 'No existing PostgreSQL flexible servers found', location); + return rcb(); + } + + for (let flexibleServer of servers.data) { + if (flexibleServer.network && flexibleServer.network.privateDnsZoneArmResourceId) { + helpers.addResult(results, 0, 'PostgreSQL flexible server has Private DNS Zone integrated', location, flexibleServer.id); + } else { + helpers.addResult(results, 2, 'PostgreSQL flexible server does not have Private DNS Zone integrated', location, flexibleServer.id); + } + } + + rcb(); + }, function() { + // Global checking goes here + callback(null, 
results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/postgresqlserver/flexibleServerPrivateDns.spec.js b/plugins/azure/postgresqlserver/flexibleServerPrivateDns.spec.js new file mode 100644 index 0000000000..49cd2d8222 --- /dev/null +++ b/plugins/azure/postgresqlserver/flexibleServerPrivateDns.spec.js 
@@ -0,0 +1,96 @@ +var expect = require('chai').expect; +var flexibleServerPrivateDns = require('./flexibleServerPrivateDns'); + +const listPostgresFlexibleServer = [ +{ + "id": "/subscriptions/12345/resourceGroups/Default/providers/Microsoft.DBforPostgreSQL/flexibleServers/test-server", + "type": "Microsoft.DBforPostgreSQL/flexibleServers", + "storageProfile": { + "storageMB": 5120, + "backupRetentionDays": 7, + "geoRedundantBackup": "Disabled", + "storageAutogrow": "Disabled" + }, + "network":{ + "publicNetworkAccess": "Enabled" + } +}, +{ + "id": "/subscriptions/12345/resourceGroups/Default/providers/Microsoft.DBforPostgreSQL/flexibleServers/test-server2", + "type": "Microsoft.DBforPostgreSQL/flexibleServers", + "storageProfile": { + "storageMB": 5120, + "backupRetentionDays": 7, + "geoRedundantBackup": "Disabled", + "storageAutogrow": "Disabled" + }, + "network":{ + "delegatedSubnetResourceId" : "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/cloudsploit-dev/providers/Microsoft.Network/virtualNetworks/omer-virtual-network-test/subnets/default", + "privateDnsZoneArmResourceId" : "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/cloudsploit-dev/providers/Microsoft.Network/privateDnsZones/testflexibleserver11.private.postgres.database.azure.com", + "publicNetworkAccess": "Disabled" + } + +} + +]; + +const createCache = (listPostgres) => { + return { + servers: { + listPostgresFlexibleServer: { + 'eastus': { + data: listPostgres + } + } + } + }; +}; + +describe('flexibleServerPrivateDns', function() { + describe('run', function() { + it('should give passing result if no servers', function(done) { + const cache = createCache({}); + flexibleServerPrivateDns.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing PostgreSQL flexible servers found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + 
it('should give failing result if Vnet is not configured', function(done) { + const cache = createCache([listPostgresFlexibleServer[0]]); + flexibleServerPrivateDns.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('PostgreSQL flexible server does not have Private DNS Zone integrated'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give should give passing result if private endpoints are configured', function(done) { + const cache = createCache([listPostgresFlexibleServer[1]]); + flexibleServerPrivateDns.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('PostgreSQL flexible server has Private DNS Zone integrated'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give UnKnown result if unable to query postgreSQL Server', function(done) { + const cache = createCache(null); + flexibleServerPrivateDns.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for PostgreSQL flexible servers: '); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + }) +}) \ No newline at end of file From 6eefebcf4c46e6699fd8f5b0cb5bf6218a3235dc Mon Sep 17 00:00:00 2001 From: Fatima <66124862+fatima99s@users.noreply.github.com> Date: Wed, 27 Dec 2023 15:10:46 +0500 Subject: [PATCH 379/498] Update flexibleServerPrivateDns.js --- plugins/azure/postgresqlserver/flexibleServerPrivateDns.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/postgresqlserver/flexibleServerPrivateDns.js b/plugins/azure/postgresqlserver/flexibleServerPrivateDns.js index 805b30caba..0da26c35d9 100644 --- a/plugins/azure/postgresqlserver/flexibleServerPrivateDns.js 
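Review bot: The "no servers" case builds the cache with `createCache({})`, so the plugin's empty-list branch is reached only because `{}.length` is `undefined`; the API helper hands the plugin an array, and `createCache([])` is the input that branch is actually written for. The passing-case title also repeats "should give should give", and the retitling commits later on this page leave that duplication in place.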
+++ b/plugins/azure/postgresqlserver/flexibleServerPrivateDns.js @@ -2,7 +2,7 @@ const async = require('async'); const helpers = require('../../../helpers/azure'); module.exports = { - title: 'PostgreSQL Flexible Server Private DNS Integrated', + title: 'Private DNS Integrated', category: 'PostgreSQL Server', domain: 'Databases', description: 'Ensure that PostgreSQL flexible servers has Private DNS Zone integrated.', @@ -47,4 +47,4 @@ module.exports = { callback(null, results, source); }); } -}; \ No newline at end of file +}; From 2241c2037461c8a81a2dc390ed27b8737a51fc43 Mon Sep 17 00:00:00 2001 From: Fatima <66124862+fatima99s@users.noreply.github.com> Date: Wed, 27 Dec 2023 15:12:01 +0500 Subject: [PATCH 380/498] Update flexibleServerPrivateDns.js --- plugins/azure/postgresqlserver/flexibleServerPrivateDns.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/postgresqlserver/flexibleServerPrivateDns.js b/plugins/azure/postgresqlserver/flexibleServerPrivateDns.js index 0da26c35d9..70df724071 100644 --- a/plugins/azure/postgresqlserver/flexibleServerPrivateDns.js +++ b/plugins/azure/postgresqlserver/flexibleServerPrivateDns.js @@ -2,7 +2,7 @@ const async = require('async'); const helpers = require('../../../helpers/azure'); module.exports = { - title: 'Private DNS Integrated', + title: 'Private DNS Zone Integrated', category: 'PostgreSQL Server', domain: 'Databases', description: 'Ensure that PostgreSQL flexible servers has Private DNS Zone integrated.', From 443fcf27df7332d4c49ba96241fc12437faf3674 Mon Sep 17 00:00:00 2001 From: Fatima <66124862+fatima99s@users.noreply.github.com> Date: Wed, 27 Dec 2023 15:25:37 +0500 Subject: [PATCH 381/498] Update flexibleServerPrivateDns.js --- plugins/azure/postgresqlserver/flexibleServerPrivateDns.js | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/plugins/azure/postgresqlserver/flexibleServerPrivateDns.js b/plugins/azure/postgresqlserver/flexibleServerPrivateDns.js index 70df724071..9d8a4b194f 100644 --- a/plugins/azure/postgresqlserver/flexibleServerPrivateDns.js +++ b/plugins/azure/postgresqlserver/flexibleServerPrivateDns.js @@ -34,6 +34,8 @@ module.exports = { } for (let flexibleServer of servers.data) { + if (!postgresServer.id) continue; + if (flexibleServer.network && flexibleServer.network.privateDnsZoneArmResourceId) { helpers.addResult(results, 0, 'PostgreSQL flexible server has Private DNS Zone integrated', location, flexibleServer.id); } else { From d0be862043691c26a5809154a61e47862d66ba9e Mon Sep 17 00:00:00 2001 From: Fatima <66124862+fatima99s@users.noreply.github.com> Date: Wed, 27 Dec 2023 15:26:13 +0500 Subject: [PATCH 382/498] Update flexibleServerPrivateDns.js --- plugins/azure/postgresqlserver/flexibleServerPrivateDns.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/postgresqlserver/flexibleServerPrivateDns.js b/plugins/azure/postgresqlserver/flexibleServerPrivateDns.js index 9d8a4b194f..1ba2a26f98 100644 --- a/plugins/azure/postgresqlserver/flexibleServerPrivateDns.js +++ b/plugins/azure/postgresqlserver/flexibleServerPrivateDns.js @@ -34,7 +34,7 @@ module.exports = { } for (let flexibleServer of servers.data) { - if (!postgresServer.id) continue; + if (!flexibleServer.id) continue; if (flexibleServer.network && flexibleServer.network.privateDnsZoneArmResourceId) { helpers.addResult(results, 0, 'PostgreSQL flexible server has Private DNS Zone integrated', location, flexibleServer.id); From faf3c7b292503eaf96de07ff7e7a650c4ff32881 Mon Sep 17 00:00:00 2001 From: Fatima <66124862+fatima99s@users.noreply.github.com> Date: Wed, 27 Dec 2023 15:27:27 +0500 Subject: [PATCH 383/498] Update flexibleServerVNetIntegrated.js --- plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.js | 1 + 1 file changed, 1 insertion(+) 
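Review bot: The corrected guard `if (!flexibleServer.id) continue;` silently drops any server record without an `id`, and no spec hunk on this page adds a case for that branch (the later flexibleServerPrivateDns.spec.js hunks only retitle tests); the `postgresServer` ReferenceError in the preceding commit would have surfaced immediately had the existing passing/failing cases been run, so a spec entry is worth adding now. A minimal case is `createCache([{ network: {} }])` asserting `results.length` equals 0. The same applies to the matching guard added to flexibleServerVNetIntegrated.js in the following hunk. The loop sits inside run(), which begins and ends outside the hunk.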
diff --git a/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.js b/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.js index 786b728744..ea08a634b4 100644 --- a/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.js +++ b/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.js @@ -34,6 +34,7 @@ module.exports = { } for (let flexibleServer of servers.data) { + if (!flexibleServer.id) continue; if (flexibleServer.network && flexibleServer.network.delegatedSubnetResourceId) { helpers.addResult(results, 0, 'PostgreSQL flexible server has VNet integrated', location, flexibleServer.id); } else { From e46fea1d71ddb96c2c52ead3ea30e8eecbd6408c Mon Sep 17 00:00:00 2001 From: Fatima <66124862+fatima99s@users.noreply.github.com> Date: Wed, 27 Dec 2023 15:31:00 +0500 Subject: [PATCH 384/498] Update flexibleServerPrivateDns.spec.js --- .../azure/postgresqlserver/flexibleServerPrivateDns.spec.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/postgresqlserver/flexibleServerPrivateDns.spec.js b/plugins/azure/postgresqlserver/flexibleServerPrivateDns.spec.js index 49cd2d8222..cbf8e8466c 100644 --- a/plugins/azure/postgresqlserver/flexibleServerPrivateDns.spec.js +++ b/plugins/azure/postgresqlserver/flexibleServerPrivateDns.spec.js @@ -70,7 +70,7 @@ describe('flexibleServerPrivateDns', function() { }); }); - it('should give should give passing result if private endpoints are configured', function(done) { + it('should give should give passing result if Vnet is configured', function(done) { const cache = createCache([listPostgresFlexibleServer[1]]); flexibleServerPrivateDns.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); @@ -93,4 +93,4 @@ describe('flexibleServerPrivateDns', function() { }); }) -}) \ No newline at end of file +}) From 31af4a975bd7d80947e73ca5d3772f7abdea368a Mon Sep 17 00:00:00 2001 
From: Fatima <66124862+fatima99s@users.noreply.github.com> Date: Wed, 27 Dec 2023 15:31:40 +0500 Subject: [PATCH 385/498] Update flexibleServerVNetIntegrated.spec.js --- .../postgresqlserver/flexibleServerVNetIntegrated.spec.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.spec.js b/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.spec.js index d10171db8d..ae58356393 100644 --- a/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.spec.js +++ b/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.spec.js @@ -70,7 +70,7 @@ describe('flexibleServerVNetIntegrated', function() { }); }); - it('should give should give passing result if private endpoints are configured', function(done) { + it('should give should give passing result if Vnet is configured', function(done) { const cache = createCache([listPostgresFlexibleServer[1]]); flexibleServerVNetIntegrated.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); @@ -93,4 +93,4 @@ describe('flexibleServerVNetIntegrated', function() { }); }) -}) \ No newline at end of file +}) From 4c1156a11bc4e78a54a49bb85ace8afd45a667cd Mon Sep 17 00:00:00 2001 From: Fatima <66124862+fatima99s@users.noreply.github.com> Date: Wed, 27 Dec 2023 15:32:47 +0500 Subject: [PATCH 386/498] Update flexibleServerPrivateDns.spec.js --- .../azure/postgresqlserver/flexibleServerPrivateDns.spec.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/postgresqlserver/flexibleServerPrivateDns.spec.js b/plugins/azure/postgresqlserver/flexibleServerPrivateDns.spec.js index cbf8e8466c..d9939a12cc 100644 --- a/plugins/azure/postgresqlserver/flexibleServerPrivateDns.spec.js +++ b/plugins/azure/postgresqlserver/flexibleServerPrivateDns.spec.js 
@@ -59,7 +59,7 @@ describe('flexibleServerPrivateDns', function() { }); }); - it('should give failing result if Vnet is not configured', function(done) { + it('should give failing result if Private Dns Zone is not integrated', function(done) { const cache = createCache([listPostgresFlexibleServer[0]]); flexibleServerPrivateDns.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); @@ -70,7 +70,7 @@ describe('flexibleServerPrivateDns', function() { }); }); - it('should give should give passing result if Vnet is configured', function(done) { + it('should give should give passing result if Private Dns Zone is integrated', function(done) { const cache = createCache([listPostgresFlexibleServer[1]]); flexibleServerPrivateDns.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); From 5506c8dea4d039d4587fba1b43c5cc0b92b8bfe8 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Wed, 27 Dec 2023 15:52:56 +0500 Subject: [PATCH 387/498] Azure/App-Configuration-Diagnostic-Logs --- exports.js | 2 + helpers/azure/api.js | 5 + .../appConfigurationDiagnosticLogs.js | 63 ++++++++ .../appConfigurationDiagnosticLogs.spec.js | 135 ++++++++++++++++++ 4 files changed, 205 insertions(+) create mode 100644 plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.js create mode 100644 plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.spec.js diff --git a/exports.js b/exports.js index e8555a1911..73c88ae4b0 100644 --- a/exports.js +++ b/exports.js @@ -1041,6 +1041,8 @@ module.exports = { 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'), 'appConfigurationManagedIdentity': require(__dirname + '/plugins/azure/appConfigurations/appConfigurationManagedIdentity.js'), + 'appConfigurationDiagnosticLogs': require(__dirname + '/plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.js'), + }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), 
diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 5cf0368d4b..68a4db145c 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -1040,6 +1040,11 @@ var tertiarycalls = { properties: ['id'], url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview' }, + listByAppConfigurations: { + reliesOnPath: 'appConfigurations.list', + properties: ['id'], + url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview' + } }, backupShortTermRetentionPolicies: { listByDatabase: { diff --git a/plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.js b/plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.js new file mode 100644 index 0000000000..3be62e56c8 --- /dev/null +++ b/plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.js 
@@ -0,0 +1,63 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'App Configuration Diagnostic Logs', + category: 'App Configuration', + domain: 'Developer Tools', + description: 'Ensures that Azure App Configuration have diagnostic logs enabled.', + more_info: 'Enabling diagnostic logging for for App Configuration helps with performance monitoring, troubleshooting, and security optimization.', + recommended_action: 'Enable diagnostic logging for all App Configuration.', + link: 'https://learn.microsoft.com/en-us/azure/azure-app-configuration/monitor-app-configuration?tabs=portal#monitoringdata', + apis: ['appConfigurations:list','diagnosticSettings:listByAppConfigurations'], + + run: function(cache, settings, callback) { + var results = []; + var source = {}; + var locations = helpers.locations(settings.govcloud); + + async.each(locations.appConfigurations, function(location, rcb) { + var appConfigurations = helpers.addSource(cache, source, + ['appConfigurations', 'list', location]); + + if (!appConfigurations) return rcb(); + + if (appConfigurations.err || !appConfigurations.data) { + helpers.addResult(results, 3, 'Unable to query App Configuration: ' + helpers.addError(appConfigurations), location); + return rcb(); + } + + if (!appConfigurations.data.length) { + helpers.addResult(results, 0, 'No existing App Configurations found', location); + return rcb(); + } + + for (let appConfiguration of appConfigurations.data) { + if (!appConfiguration.id) continue; + + var diagnosticSettings = helpers.addSource(cache, source, + ['diagnosticSettings', 'listByAppConfigurations', location, appConfiguration.id]); + + if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) { + helpers.addResult(results, 3, `Unable to query for App Configuration diagnostic settings: ${helpers.addError(diagnosticSettings)}`, + location, appConfiguration.id); + continue; + } + + var found = 
diagnosticSettings.data.find(ds => ds.logs && ds.logs.length); + + if (found) { + helpers.addResult(results, 0, 'App Configuration has diagnostic logs enabled', location, appConfiguration.id); + } else { + helpers.addResult(results, 2, 'App Configuration does not have diagnostic logs enabled', location, appConfiguration.id); + } + + } + + rcb(); + }, function() { + // Global checking goes here + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.spec.js b/plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.spec.js new file mode 100644 index 0000000000..06e453b606 --- /dev/null +++ b/plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.spec.js 
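Review bot: `find(ds => ds.logs && ds.logs.length)` reports a store as passing as soon as any diagnostic setting carries a non-empty `logs` array, without looking at the per-category `enabled` flag; the spec's own fixture shows entries with `"enabled": false`, so a setting whose categories are all disabled still yields "App Configuration has diagnostic logs enabled". Change the line to `var found = diagnosticSettings.data.find(ds => ds.logs && ds.logs.some(log => log.enabled));`. `more_info` also contains a doubled "for for".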
@@ -0,0 +1,135 @@ +var expect = require('chai').expect; +var appConfigurationDiagnosticLogs = require('./appConfigurationDiagnosticLogs'); + +const appConfigurations = [ + { + "id": "/subscriptions/dce7d0ad-ebf6-437f-a3b0-28fc0d22117e/resourcegroups/ABSBAKS2/providers/Microsoft.ContainerService/managedappConfigurations/absbaks2", + }, +]; + + +const diagnosticSettings = [ + { + id: '/subscriptions/234/myrg/providers/Microsoft.ContainerService/appConfigurations/absbaks2/providers/microsoft.insights/diagnosticSettings/test-setting', + type: 'Microsoft.Insights/diagnosticSettings', + name: 'server-setting', + location: 'eastus', + kind: null, + tags: null, + eventHubName: null, + metrics: [], + logs: [ + { + "category": null, + "categoryGroup": "allLogs", + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + }, + { + "category": null, + "categoryGroup": "audit", + "enabled": false, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + logAnalyticsDestinationType: null + } +]; + +const createCache = (appConfigurations, ds) => { + const id = appConfigurations && appConfigurations.length ? 
appConfigurations[0].id : null; + return { + appConfigurations: { + list: { + 'eastus': { + data: appConfigurations + } + } + }, + diagnosticSettings: { + listByAppConfigurations: { + 'eastus': { + [id]: { + data: ds + } + } + } + + }, + }; +}; + +const createErrorCache = () => { + return { + appConfigurations: { + list: { + 'eastus': {} + } + } + }; +}; + +describe('appConfigurationDiagnosticLogs', function() { + describe('run', function() { + it('should give pass result if No existing app configurations found', function (done) { + const cache = createCache([]); + appConfigurationDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing App Configurations found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if Unable to query app configurations:', function (done) { + const cache = createCache(null, 'Error'); + appConfigurationDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query App Configuration:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for diagnostic settings', function(done) { + const cache = createCache([appConfigurations[0]], null); + appConfigurationDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query for App Configuration diagnostic settings:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if diagnostic logs enabled', function(done) { + const cache = createCache([appConfigurations[0]], [diagnosticSettings[0]]); + appConfigurationDiagnosticLogs.run(cache, {}, (err, results) 
=> { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('App Configuration has diagnostic logs enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if diagnostic logs not enabled', function(done) { + const cache = createCache([appConfigurations[0]], [[]]); + appConfigurationDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('App Configuration does not have diagnostic logs enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file From 43202808bf783ebaaa691b1d18890993e80c69d9 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Wed, 27 Dec 2023 15:55:26 +0500 Subject: [PATCH 388/498] updated domain --- .../azure/appConfigurations/appConfigurationManagedIdentity.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/appConfigurations/appConfigurationManagedIdentity.js b/plugins/azure/appConfigurations/appConfigurationManagedIdentity.js index e3e717a14b..9e2b91298b 100644 --- a/plugins/azure/appConfigurations/appConfigurationManagedIdentity.js +++ b/plugins/azure/appConfigurations/appConfigurationManagedIdentity.js 
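Review bot: The failing case `createCache([appConfigurations[0]], [[]])` passes an array containing an empty array as the diagnostic-settings list, which the plugin only rejects because `[].logs` is `undefined`; a realistic negative fixture is a setting object with `logs: []`, or entries whose `enabled` is `false`, which would also show whether the plugin inspects the enabled flag at all. The fixture id under `Microsoft.ContainerService/managedappConfigurations` looks copied from an AKS spec; App Configuration stores live under `Microsoft.AppConfiguration/configurationStores`, as the ids in appConfigurationPublicAccess.spec.js on this page show. `createErrorCache` is defined but never used, and the "unable to query" case passes `'Error'` into the `ds` parameter rather than into an `err` field, so it exercises the null-data path rather than the error path.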
@@ -4,7 +4,7 @@ var helpers = require('../../../helpers/azure'); module.exports = { title: 'App Configurations Managed Identity', category: 'App Configuration', - domain: 'Content Delivery', + domain: 'Developer Tools', description: 'Ensures that Azure App Configurations have managed identity enabled.', more_info: 'Enabling managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.', link: 'https://learn.microsoft.com/en-us/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity?tabs=core6x&pivots=framework-dotnet', From f7a61399b6e2b56dacdb8b87f720a0d70dec4875 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Wed, 27 Dec 2023 16:13:05 +0500 Subject: [PATCH 389/498] Azure/App-Configuration-Public-Access --- exports.js | 2 + .../appConfigurationPublicAccess.js | 50 ++++++++ .../appConfigurationPublicAccess.spec.js | 114 ++++++++++++++++++ 3 files changed, 166 insertions(+) create mode 100644 plugins/azure/appConfigurations/appConfigurationPublicAccess.js create mode 100644 plugins/azure/appConfigurations/appConfigurationPublicAccess.spec.js diff --git a/exports.js b/exports.js index e8555a1911..fdaee7f7d5 100644 --- a/exports.js +++ b/exports.js @@ -1041,6 +1041,8 @@ module.exports = { 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'), 'appConfigurationManagedIdentity': require(__dirname + '/plugins/azure/appConfigurations/appConfigurationManagedIdentity.js'), + 'appConfigurationPublicAccess' : require(__dirname + '/plugins/azure/appConfigurations/appConfigurationPublicAccess.js'), + }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), 
diff --git a/plugins/azure/appConfigurations/appConfigurationPublicAccess.js b/plugins/azure/appConfigurations/appConfigurationPublicAccess.js new file mode 100644 index 0000000000..ad995e2961 --- /dev/null +++ b/plugins/azure/appConfigurations/appConfigurationPublicAccess.js 
@@ -0,0 +1,50 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'App Configurations Public Access', + category: 'App Configuration', + domain: 'Developer Tools', + description: 'Ensures that Azure App Configurations have public access disabled.', + more_info: '', + link: '', + recommended_action: 'Modify App Configuration and disable public access.', + apis: ['appConfigurations:list'], + + run: function(cache, settings, callback) { + var results = []; + var source = {}; + var locations = helpers.locations(settings.govcloud); + + async.each(locations.appConfigurations, function(location, rcb){ + var appConfigurations = helpers.addSource(cache, source, + ['appConfigurations', 'list', location]); + + if (!appConfigurations) return rcb(); + + if (appConfigurations.err || !appConfigurations.data) { + helpers.addResult(results, 3, 'Unable to query App Configuration: ' + helpers.addError(appConfigurations), location); + return rcb(); + } + + if (!appConfigurations.data.length) { + helpers.addResult(results, 0, 'No existing App Configurations found', location); + return rcb(); + } + + for (let appConfiguration of appConfigurations.data) { + if (!appConfiguration.id) continue; + + if (appConfiguration.publicNetworkAccess && appConfiguration.publicNetworkAccess.toLowerCase() === 'disabled') { + helpers.addResult(results, 0, 'App Configuration has public network access disabled', location, appConfiguration.id); + } else { + helpers.addResult(results, 2, 'App Configuration does not have public network access disabled', location, appConfiguration.id); + } + } + + rcb(); + }, function(){ + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/appConfigurations/appConfigurationPublicAccess.spec.js b/plugins/azure/appConfigurations/appConfigurationPublicAccess.spec.js new file mode 100644 index 0000000000..f22f176462 --- /dev/null 
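Review bot: The condition treats a store whose `publicNetworkAccess` is absent or null exactly like one set to "Enabled", with the same failing message. That is the conservative reading (an unset value is not an explicit disable), but it is not obvious from the code, and the spec only covers the two explicit strings; a comment such as `// absent/null publicNetworkAccess is not an explicit 'Disabled', so it is reported as failing` above the `if` would record the intent for the next maintainer.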
+++ b/plugins/azure/appConfigurations/appConfigurationPublicAccess.spec.js 
@@ -0,0 +1,114 @@ +var expect = require('chai').expect; +var appConfigurationPublicAccess = require('./appConfigurationPublicAccess.js'); + +const appConfigurations = [ + { + "type": "Microsoft.AppConfiguration/configurationStores", + "location": "eastus", + "provisioningState": "Succeeded", + "creationDate": "2023-12-27T09:26:54+00:00", + "endpoint": "https://meerab-test-rg.azconfig.io", + "encryption": { + "keyVaultProperties": null + }, + "privateEndpointConnections": null, + "publicNetworkAccess": "Enabled", + "disableLocalAuth": false, + "softDeleteRetentionInDays": 0, + "enablePurgeProtection": false, + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/meerab-rg/providers/Microsoft.AppConfiguration/configurationStores/meerab-test-rg", + "name": "meerab-test-rg", + "tags": {} + }, + { + "type": "Microsoft.AppConfiguration/configurationStores", + "location": "eastus", + "provisioningState": "Succeeded", + "creationDate": "2023-12-27T09:26:54+00:00", + "endpoint": "https://meerab-test-rg.azconfig.io", + "encryption": { + "keyVaultProperties": null + }, + "privateEndpointConnections": null, + "publicNetworkAccess": "Disabled", + "disableLocalAuth": false, + "softDeleteRetentionInDays": 0, + "enablePurgeProtection": false, + "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/meerab-rg/providers/Microsoft.AppConfiguration/configurationStores/meerab-test-rg", + "name": "meerab-test-rg", + "tags": {}, + "identity": { + "type": "systemassigned,userassigned", + "principalId": "dc03d47d-e6df-491f-aebe-50a93412a890", + "tenantId": "d207c7bd-fcb1-4dd3-855a-cfd2f9b651e8", + "userAssignedIdentities": { + "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testmeerab": { + "PrincipalId": "1d34c2cd-bd53-487d-b3a9-6064465497c9", + "ClientId": "2071caa1-3668-4de3-babc-155cfe3e38e5" + } + } + } + } +]; + +const createCache = (appConfigurations,err) 
=> { + return { + appConfigurations: { + list: { + 'eastus': { + data: appConfigurations, + err: err + } + } + } + } +}; + +describe('appConfigurationPublicAccess', function () { + describe('run', function () { + + it('should give pass result if No existing app configurations found', function (done) { + const cache = createCache([]); + appConfigurationPublicAccess.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing App Configurations found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if Unable to query app configurations:', function (done) { + const cache = createCache(null, 'Error'); + appConfigurationPublicAccess.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query App Configuration:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if App Configuration has public network access disabled', function (done) { + const cache = createCache([appConfigurations[1]]); + appConfigurationPublicAccess.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('App Configuration has public network access disabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if App Configuration does not have public network access disabled', function (done) { + const cache = createCache([appConfigurations[0]]); + appConfigurationPublicAccess.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('App Configuration does not have public network access disabled'); + 
expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file From 87913c371377d28fbbb944a3f8f24a5d4ae48cb4 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Wed, 27 Dec 2023 16:16:34 +0500 Subject: [PATCH 390/498] Azure/App-Configuration-Public-Access --- .../azure/appConfigurations/appConfigurationPublicAccess.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/appConfigurations/appConfigurationPublicAccess.js b/plugins/azure/appConfigurations/appConfigurationPublicAccess.js index ad995e2961..d1114ed117 100644 --- a/plugins/azure/appConfigurations/appConfigurationPublicAccess.js +++ b/plugins/azure/appConfigurations/appConfigurationPublicAccess.js @@ -6,8 +6,8 @@ module.exports = { category: 'App Configuration', domain: 'Developer Tools', description: 'Ensures that Azure App Configurations have public access disabled.', - more_info: '', - link: '', + more_info: 'Disabling public network access improves security by ensuring that the app configuration isn\'t exposed on the public internet. Limit exposure of your resources by creating private endpoints instead.', + link: 'https://learn.microsoft.com/en-us/azure/azure-app-configuration/howto-disable-public-access?tabs=azure-portal', recommended_action: 'Modify App Configuration and disable public access.', apis: ['appConfigurations:list'], From 9f718b339aedaa4a542b1973aef664dc44869f72 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Wed, 27 Dec 2023 20:41:37 +0500 Subject: [PATCH 391/498] Azure/Redis-cache-managed-identity --- exports.js | 1 + .../redisCache/redisCacheManagedIdentity.js | 51 +++++++++++ .../redisCacheManagedIdentity.spec.js | 87 +++++++++++++++++++ 3 files changed, 139 insertions(+) create mode 100644 plugins/azure/redisCache/redisCacheManagedIdentity.js create mode 100644 plugins/azure/redisCache/redisCacheManagedIdentity.spec.js diff --git a/exports.js b/exports.js index fe8c0f16b2..88c3ca2a88 100644 --- a/exports.js 
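Review bot: No case covers a store where `publicNetworkAccess` is absent, which is the input most likely to behave differently from an explicit "Enabled"; add a third fixture built from `appConfigurations[0]` with that property removed (a constructed entry) and assert status 2. The two existing fixture entries also share the same `id` and `name`, which makes failures harder to attribute, and `createCache` is the only top-level declaration in the file without a terminating semicolon.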
+++ b/exports.js @@ -698,6 +698,7 @@ module.exports = { 'sslAccessOnlyEnabled' : require(__dirname + '/plugins/azure/redisCache/sslAccessOnlyEnabled.js'), 'redisCacheHasTags' : require(__dirname + '/plugins/azure/redisCache/redisCacheHasTags.js'), 'redisCachePrivateEndpoint' : require(__dirname + '/plugins/azure/redisCache/redisCachePrivateEndpoint.js'), + 'redisCacheManagedIdentity' : require(__dirname + '/plugins/azure/redisCache/redisCacheManagedIdentity.js'), 'multipleSubnets' : require(__dirname + '/plugins/azure/virtualnetworks/multipleSubnets.js'), 'ddosStandardProtectionEnabled' : require(__dirname + '/plugins/azure/virtualnetworks/ddosStandardProtectionEnabled.js'), diff --git a/plugins/azure/redisCache/redisCacheManagedIdentity.js b/plugins/azure/redisCache/redisCacheManagedIdentity.js new file mode 100644 index 0000000000..2b0b95c1b4 --- /dev/null +++ b/plugins/azure/redisCache/redisCacheManagedIdentity.js 
@@ -0,0 +1,51 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Redis Cache Managed Identity Enabled', + category: 'Redis Cache', + domain: 'Databases', + description: 'Ensures that Azure Cache for Redis have managed identity enabled.', + more_info: 'Enabling managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.', + recommended_action: 'Modify Azure Cache for Redis and add managed identity.', + link: 'https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-managed-identity#enable-managed-identity', + apis: ['redisCaches:listBySubscription'], + + run: function(cache, settings, callback) { + const results = []; + const source = {}; + const locations = helpers.locations(settings.govcloud); + + async.each(locations.redisCaches, function(location, rcb) { + const caches = helpers.addSource(cache, source, + ['redisCaches', 'listBySubscription', location]); + + if (!caches) return rcb(); + + if (caches.err || !caches.data) { + helpers.addResult(results, 3, 'Unable to query Redis Caches: ' + helpers.addError(caches), location); + return rcb(); + } + + if (!caches.data.length) { + helpers.addResult(results, 0, 'No Redis Caches found', location); + return rcb(); + } + + for (let cache of caches.data) { + if (!cache.id) continue; + + if (cache.identity){ + helpers.addResult(results, 0, 'Redis Cache has managed identity enabled', location, cache.id); + } else { + helpers.addResult(results, 2, 'Redis Cache does not have managed identity enabled', location, cache.id); + } + } + + rcb(); + }, function() { + // Global checking goes here + callback(null, results, source); + }); + } +}; \ No newline at end of file 
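Review bot: The loop variable in `for (let cache of caches.data)` shadows the `cache` parameter of `run`, so inside the loop the plugin's collector cache is unreachable and a reader has to work out which `cache` each line means; rename it, e.g. `for (let redisCache of caches.data) {` with the two `addResult` calls reading `redisCache.id`. Separately, `if (cache.identity)` treats any identity object as "enabled"; if the ARM response can carry an identity object whose `type` is `None` after an identity has been removed (not verifiable from this hunk), that resource would pass, so a type-aware check such as `const identityType = redisCache.identity && redisCache.identity.type ? redisCache.identity.type.toLowerCase() : 'none';` followed by `if (identityType !== 'none') {` is safer. The spec fixture for the passing case uses `type: 'SystemAssigned'`, so the comparison must be case-insensitive if that route is taken.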
diff --git a/plugins/azure/redisCache/redisCacheManagedIdentity.spec.js b/plugins/azure/redisCache/redisCacheManagedIdentity.spec.js new file mode 100644 index 0000000000..dff6e643b3 --- /dev/null +++ b/plugins/azure/redisCache/redisCacheManagedIdentity.spec.js 
@@ -0,0 +1,87 @@ +var expect = require('chai').expect; +var redisCacheManagedIdentity = require('./redisCacheManagedIdentity'); + +const redisCaches = [ + { + 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Cache/Redis/test-cache', + 'location': 'East US', + 'name': 'test-cache', + 'type': 'Microsoft.Cache/Redis', + 'tags': { "key": "value" }, + "identity": { + "type": "SystemAssigned", + "principalId": "1ca87ddb-6850-430d-9800-08be5b6b33bf", + "tenantId": "d207c7bd-fcb1-4dd3-855a-cfd2f9b651e8" + } + }, + { + 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Cache/Redis/test-cache', + 'location': 'East US', + 'name': 'test-cache', + 'type': 'Microsoft.Cache/Redis', + 'tags': {}, + }, + +]; + +const createCache = (redisCaches) => { + let caches = {}; + if (redisCaches) { + caches['data'] = redisCaches; + } + return { + redisCaches: { + listBySubscription: { + 'eastus': caches + } + }, + }; +}; + +describe('redisCacheManagedIdentity', function() { + describe('run', function() { + it('should give passing result if no redis caches', function(done) { + const cache = createCache([]); + redisCacheManagedIdentity.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No Redis Caches found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give unknown result if unable to query for redis caches', function(done) { + const cache = createCache(null); + redisCacheManagedIdentity.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Redis Caches'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if redis cache has managed identity enabled associated', function(done) { + const cache = 
createCache([redisCaches[0]]); + redisCacheManagedIdentity.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Redis Cache has managed identity enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if redis cache does not have managed identity enabled', function(done) { + const cache = createCache([redisCaches[1]]); + redisCacheManagedIdentity.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Redis Cache does not have managed identity enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + }); +}); \ No newline at end of file From fb2b5e44f1920b9381546dbf34a7e8e89f8a8bf6 Mon Sep 17 00:00:00 2001 From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> Date: Thu, 28 Dec 2023 09:46:37 +0500 Subject: [PATCH 392/498] Apply suggestions from code review --- plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.js | 2 +- .../azure/kubernetesservice/aksDiagnosticLogsEnabled.spec.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.js b/plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.js index 12f8947a52..b1b465eb33 100644 --- a/plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.js +++ b/plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.js 
@@ -6,7 +6,7 @@ module.exports = { category: 'Kubernetes Service', domain: 'Containers', description: 'Ensures that Azure Kubernetes clusters have diagnostic logs enabled.', - more_info: 'Enabling diagnostic logging for for AKS clusters helps with performance monitoring, troubleshooting, and security optimization.', + more_info: 'Enabling diagnostic logging for AKS clusters helps with performance monitoring, troubleshooting, and security optimization.', recommended_action: 'Enable diagnostic logging for all AKS clusters.', link: 'https://learn.microsoft.com/en-us/azure/aks/monitor-aks#logs', apis: ['managedClusters:list','diagnosticSettings:listByAksClusters'], diff --git a/plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.spec.js b/plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.spec.js index 200c3197e1..938638a580 100644 --- a/plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.spec.js +++ b/plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.spec.js @@ -3,7 +3,7 @@ var aksDiagnosticLogsEnabled = require('./aksDiagnosticLogsEnabled'); const clusters = [ { - "id": "/subscriptions/dce7d0ad-ebf6-437f-a3b0-28fc0d22117e/resourcegroups/ABSBAKS2/providers/Microsoft.ContainerService/managedClusters/absbaks2", + "id": "/subscriptions/123-test/resourcegroups/ABSBAKS2/providers/Microsoft.ContainerService/managedClusters/absbaks2", }, ]; From ec66af9773e64fffbb46cceaf0f4bac4b72d10cc Mon Sep 17 00:00:00 2001 From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> Date: Thu, 28 Dec 2023 10:15:34 +0500 Subject: [PATCH 393/498] Update plugins/azure/redisCache/redisVersion.js --- plugins/azure/redisCache/redisVersion.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/redisCache/redisVersion.js b/plugins/azure/redisCache/redisVersion.js index ab45755f27..5a0ec6ea60 100644 --- a/plugins/azure/redisCache/redisVersion.js +++ b/plugins/azure/redisCache/redisVersion.js 
@@ -6,7 +6,7 @@ module.exports = { category: 'Redis Cache', domain: 'Databases', description: 'Ensures that Azure Cache for Redis is using the latest redis version.', - more_info: 'Using the latest Redis Version will add new security features and ensures better performance.', + more_info: 'Using the latest Redis Version ensures access to the latest features, improvements, and security patches, enhancing performance and reducing vulnerabilities.', recommended_action: 'Ensure that Azure cache for Redis is using the latest version', link: 'https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-overview#redis-versions', apis: ['redisCaches:listBySubscription'], From 78717b77fecb3ee4c0bfa599d17df0b5c77ce672 Mon Sep 17 00:00:00 2001 From: fatima99s Date: Thu, 28 Dec 2023 12:09:52 +0500 Subject: [PATCH 394/498] resolve issues --- .../postgresqlserver/flexibleServerVersion.js | 23 +++++-------------- 1 file changed, 6 insertions(+), 17 deletions(-) diff --git a/plugins/azure/postgresqlserver/flexibleServerVersion.js b/plugins/azure/postgresqlserver/flexibleServerVersion.js index 5e892b6bbe..aa7dd46d48 100644 --- a/plugins/azure/postgresqlserver/flexibleServerVersion.js +++ b/plugins/azure/postgresqlserver/flexibleServerVersion.js 
@@ -6,27 +6,16 @@ module.exports = { category: 'PostgreSQL Server', domain: 'Databases', description: 'Ensure PostgreSQL flexible servers is using the latest server version.', - more_info: 'The latest version of PostgreSQL for flexible servers will give access to new software features, resolve reported bugs through security patches, and improve compatibility with other applications and services.', - recommended_action: 'Upgrade the version of PostgreSQL flexible server to the latest available version..', + more_info: 'Using the latest version of PostgreSQL for flexible servers will give access to new software features, resolve reported bugs through security patches, and improve compatibility with other applications and services.', + recommended_action: 'Upgrade the version of PostgreSQL flexible server to the latest available version.', link: 'https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-supported-versions', - apis: ['servers:listPostgresFlexibleServer'], - settings: { - server_desired_version: { - name: 'Postgresql Flexible Server Desired Version', - description: 'Desire Postgresql Flexible Server Version ', - regex: '^[0-9]+$', - default: '11' - } - }, + apis: ['servers:listPostgresFlexibleServer'], + run: function(cache, settings, callback) { const results = []; const source = {}; const locations = helpers.locations(settings.govcloud); - var config = { - server_desired_version: settings.server_desired_version || this.settings.server_desired_version.default - }; - - + async.each(locations.servers, (location, rcb) => { const servers = helpers.addSource(cache, source, ['servers', 'listPostgresFlexibleServer', location]); @@ -46,7 +35,7 @@ module.exports = { for (var flexibleServer of servers.data) { - if (flexibleServer.version >= config.server_desired_version) { + if (flexibleServer.version >= 13) { helpers.addResult(results, 0, 'Postgresql flexible server has the latest server version', location, flexibleServer.id); } else { 
From feebc9baffe3a6d68b957c9cc08082aa939f6a33 Mon Sep 17 00:00:00 2001 From: fatima99s Date: Thu, 28 Dec 2023 12:12:16 +0500 Subject: [PATCH 395/498] resolve issues --- plugins/azure/postgresqlserver/flexibleServerVersion.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/plugins/azure/postgresqlserver/flexibleServerVersion.js b/plugins/azure/postgresqlserver/flexibleServerVersion.js index aa7dd46d48..f760e2b1f9 100644 --- a/plugins/azure/postgresqlserver/flexibleServerVersion.js +++ b/plugins/azure/postgresqlserver/flexibleServerVersion.js @@ -34,8 +34,9 @@ module.exports = { } for (var flexibleServer of servers.data) { + let version = parseFloat(flexibleServer.version); - if (flexibleServer.version >= 13) { + if (version && version >= 13) { helpers.addResult(results, 0, 'Postgresql flexible server has the latest server version', location, flexibleServer.id); } else { From 5f3181aa6b5c3c89cc525fb5723858fb1744160d Mon Sep 17 00:00:00 2001 From: fatima99s Date: Thu, 28 Dec 2023 12:23:22 +0500 Subject: [PATCH 396/498] resolve issues --- exports.js | 2 +- .../azure/defender/enableDefenderForOSRD.js | 43 +++++++++ .../defender/enableDefenderForOSRD.spec.js | 87 +++++++++++++++++++ 3 files changed, 131 insertions(+), 1 deletion(-) create mode 100644 plugins/azure/defender/enableDefenderForOSRD.js create mode 100644 plugins/azure/defender/enableDefenderForOSRD.spec.js diff --git a/exports.js b/exports.js index 0a0f719be9..f3d99398e2 100644 --- a/exports.js +++ b/exports.js 
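Review bot: With `if (version && version >= 13)`, a server whose `version` is missing or non-numeric (`parseFloat` yields `NaN`) drops into the else branch and is reported as not running the latest version, when the plugin in fact could not determine the version at all; an UNKNOWN result is the honest outcome there. Guard before the comparison with `if (!flexibleServer.version || Number.isNaN(version)) { helpers.addResult(results, 3, 'Unable to determine PostgreSQL flexible server version', location, flexibleServer.id); continue; }`. The literal `13` also replaces the configurable `server_desired_version` setting removed in the previous patch while the pass message still says "latest server version", so a named constant with a comment such as `// Minimum major version treated as current; raise when Azure retires older releases` would record the intent. The else branch and the remainder of the loop are outside this hunk.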
@@ -995,7 +995,7 @@ module.exports = { 'enableDefenderForStorage' : require(__dirname + '/plugins/azure/defender/enableDefenderForStorage.js'), 'enableDefenderForContainers' : require(__dirname + '/plugins/azure/defender/enableDefenderForContainers.js'), 'enableDefenderForSqlServers' : require(__dirname + '/plugins/azure/defender/enableDefenderForSqlServers.js'), - 'enableDefenderForPostgresql' : require(__dirname + '/plugins/azure/defender/enableDefenderForPostgresql.js'), + 'enableDefenderForOSRD' : require(__dirname + '/plugins/azure/defender/enableDefenderForOSRD.js'), 'enableEndpointIntegration' : require(__dirname + '/plugins/azure/defender/enableEndpointIntegration.js'), 'enableDefenderForDNS' : require(__dirname + '/plugins/azure/defender/enableDefenderForDNS.js'), 'enableDefenderForKeyVaults' : require(__dirname + '/plugins/azure/defender/enableDefenderForKeyVaults.js'), diff --git a/plugins/azure/defender/enableDefenderForOSRD.js b/plugins/azure/defender/enableDefenderForOSRD.js new file mode 100644 index 0000000000..f066b783b0 --- /dev/null +++ b/plugins/azure/defender/enableDefenderForOSRD.js 
@@ -0,0 +1,43 @@ +var async = require('async'); +var helpers = require('../../../helpers/azure'); + +module.exports = { + title: 'Enable Defender For Open Source Relational Databases', + category: 'Defender', + domain: 'Management and Governance', + description: 'Ensures that Microsoft Defender is enabled for Open Source Relational Databases.', + more_info: 'Enabling Defender for Cloud on Open Source Relational Databases allows detection of unusual database access, query patterns, and suspicious activities, enhancing overall security.', + recommended_action: 'Enable Microsoft Defender for Open Source Relational Databases in Defender plans for the subscription.', + link: 'https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-security#microsoft-defender-for-cloud-support', + apis: ['pricings:list'], + + run: function(cache, settings, callback) { + var results = []; + var source = {}; + var locations = helpers.locations(settings.govcloud); + + async.each(locations.pricings, function(location, rcb) { + var pricings = helpers.addSource(cache, source, + ['pricings', 'list', location]); + + if (!pricings) return rcb(); + + if (pricings.err || !pricings.data) { + helpers.addResult(results, 3, + 'Unable to query for Pricing: ' + helpers.addError(pricings), location); + return rcb(); + } + + if (!pricings.data.length) { + helpers.addResult(results, 0, 'No Pricing information found', location); + return rcb(); + } + + helpers.checkMicrosoftDefender(pricings, 'opensourcerelationaldatabases', 'Open Source Relational Databases', results, location); + + rcb(); + }, function(){ + callback(null, results, source); + }); + } +}; \ No newline at end of file diff --git a/plugins/azure/defender/enableDefenderForOSRD.spec.js b/plugins/azure/defender/enableDefenderForOSRD.spec.js new file mode 100644 index 0000000000..935c733407 --- /dev/null +++ b/plugins/azure/defender/enableDefenderForOSRD.spec.js 
@@ -0,0 +1,87 @@ +var assert = require('assert'); +var expect = require('chai').expect; +var auth = require('./enableDefenderForOSRD'); + +const createCache = (err, data) => { + return { + pricings: { + list: { + 'global': { + err: err, + data: data + } + } + } + } +}; + +describe('enableDefenderForPostgresql', function() { + describe('run', function() { + it('should give passing result if no pricings found', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No Pricing information found'); + expect(results[0].region).to.equal('global'); + done() + }; + + const cache = createCache( + null, + [] + ); + + auth.run(cache, {}, callback); + }); + + it('should give failing result if Azure Defender for Open Source Relational Databases is not enabled', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Azure Defender is not enabled for Open Source Relational Databases'); + expect(results[0].region).to.equal('global'); + done() + }; + + const cache = createCache( + null, + [ + { + "id": "/subscriptions/12340a/providers/Microsoft.Security/pricings/default", + "name": "openSourceRelationalDatabases", + "type": "Microsoft.Security/pricings", + "pricingTier": "free", + "location": "global" + } + ] + ); + + auth.run(cache, {}, callback); + }); + + it('should give passing result if Azure Defender for Open Source Relational Databases is enabled', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Azure Defender is enabled for Open Source Relational Databases'); + expect(results[0].region).to.equal('global'); + done() + }; + + const cache = createCache( + null, + [ + { + "id": 
"/subscriptions/12345/providers/Microsoft.Security/pricings/default", + "name": "openSourceRelationalDatabases", + "type": "Microsoft.Security/pricings", + "pricingTier": "Standard", + "location": "global" + } + ] + ); + + auth.run(cache, {}, callback); + }) + }) +}); \ No newline at end of file From ea060fc6c93bd94f1bf59d3612f834fd1a7e8a97 Mon Sep 17 00:00:00 2001 From: fatima99s Date: Thu, 28 Dec 2023 12:28:02 +0500 Subject: [PATCH 397/498] resolve issues --- .../defender/enableDefenderForOSRD.spec.js | 4 +- .../defender/enableDefenderForPostgresql.js | 43 --------- .../enableDefenderForPostgresql.spec.js | 87 ------------------- 3 files changed, 2 insertions(+), 132 deletions(-) delete mode 100644 plugins/azure/defender/enableDefenderForPostgresql.js delete mode 100644 plugins/azure/defender/enableDefenderForPostgresql.spec.js diff --git a/plugins/azure/defender/enableDefenderForOSRD.spec.js b/plugins/azure/defender/enableDefenderForOSRD.spec.js index 935c733407..5208d1bdbb 100644 --- a/plugins/azure/defender/enableDefenderForOSRD.spec.js +++ b/plugins/azure/defender/enableDefenderForOSRD.spec.js @@ -47,7 +47,7 @@ describe('enableDefenderForPostgresql', function() { null, [ { - "id": "/subscriptions/12340a/providers/Microsoft.Security/pricings/default", + "id": "/subscriptions/12340/providers/Microsoft.Security/pricings/default", "name": "openSourceRelationalDatabases", "type": "Microsoft.Security/pricings", "pricingTier": "free", @@ -72,7 +72,7 @@ describe('enableDefenderForPostgresql', function() { null, [ { - "id": "/subscriptions/12345/providers/Microsoft.Security/pricings/default", + "id": "/subscriptions/12340/providers/Microsoft.Security/pricings/default", "name": "openSourceRelationalDatabases", "type": "Microsoft.Security/pricings", "pricingTier": "Standard", diff --git a/plugins/azure/defender/enableDefenderForPostgresql.js b/plugins/azure/defender/enableDefenderForPostgresql.js deleted file mode 100644 index a0da3e640b..0000000000 
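Review bot: The suite is still labelled `describe('enableDefenderForPostgresql', function() {` although it exercises `enableDefenderForOSRD`, so a failure in test output will point at a plugin this series goes on to delete; rename it to `describe('enableDefenderForOSRD', function() {`. `var assert = require('assert')` is unused next to chai's `expect` and can be dropped. There is also no case for the error path (`createCache('error', null)`) that the plugin maps to status 3 with 'Unable to query for Pricing', so the UNKNOWN branch is untested.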
--- a/plugins/azure/defender/enableDefenderForPostgresql.js +++ /dev/null @@ -1,43 +0,0 @@ -var async = require('async'); -var helpers = require('../../../helpers/azure'); - -module.exports = { - title: 'Enable Defender For PostgreSQL Flexible Servers', - category: 'Defender', - domain: 'Management and Governance', - description: 'Ensures that Microsoft Defender is enabled for Azure PostgreSQL Flexible Servers.', - more_info: 'Enabling Defender for Cloud on PostgreSQL Flexible Servers allows detection of unusual database access, query patterns, and suspicious activities, enhancing overall security.', - recommended_action: 'Enable Microsoft Defender for PostgreSQL Flexible Servers in Defender plans for the subscription.', - link: 'https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-security#microsoft-defender-for-cloud-support', - apis: ['pricings:list'], - - run: function(cache, settings, callback) { - var results = []; - var source = {}; - var locations = helpers.locations(settings.govcloud); - - async.each(locations.pricings, function(location, rcb) { - var pricings = helpers.addSource(cache, source, - ['pricings', 'list', location]); - - if (!pricings) return rcb(); - - if (pricings.err || !pricings.data) { - helpers.addResult(results, 3, - 'Unable to query for Pricing: ' + helpers.addError(pricings), location); - return rcb(); - } - - if (!pricings.data.length) { - helpers.addResult(results, 0, 'No Pricing information found', location); - return rcb(); - } - - helpers.checkMicrosoftDefender(pricings, 'opensourcerelationaldatabases', 'PostgreSQL Flexible Servers', results, location); - - rcb(); - }, function(){ - callback(null, results, source); - }); - } -}; \ No newline at end of file diff --git a/plugins/azure/defender/enableDefenderForPostgresql.spec.js b/plugins/azure/defender/enableDefenderForPostgresql.spec.js deleted file mode 100644 index 7ac6e14319..0000000000 
--- a/plugins/azure/defender/enableDefenderForPostgresql.spec.js +++ /dev/null 
@@ -1,87 +0,0 @@ -var assert = require('assert'); -var expect = require('chai').expect; -var auth = require('./enableDefenderForPostgresql'); - -const createCache = (err, data) => { - return { - pricings: { - list: { - 'global': { - err: err, - data: data - } - } - } - } -}; - -describe('enableDefenderForPostgresql', function() { - describe('run', function() { - it('should give passing result if no pricings found', function(done) { - const callback = (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('No Pricing information found'); - expect(results[0].region).to.equal('global'); - done() - }; - - const cache = createCache( - null, - [] - ); - - auth.run(cache, {}, callback); - }); - - it('should give failing result if Azure Defender for PostgreSQL Flexible Servers is not enabled', function(done) { - const callback = (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Azure Defender is not enabled for PostgreSQL Flexible Servers'); - expect(results[0].region).to.equal('global'); - done() - }; - - const cache = createCache( - null, - [ - { - "id": "/subscriptions/e79d9a03-3ab3-4481-bdcd-c5db1d55420a/providers/Microsoft.Security/pricings/default", - "name": "openSourceRelationalDatabases", - "type": "Microsoft.Security/pricings", - "pricingTier": "free", - "location": "global" - } - ] - ); - - auth.run(cache, {}, callback); - }); - - it('should give passing result if Azure Defender for PostgreSQL Flexible Servers is enabled', function(done) { - const callback = (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Azure Defender is enabled for PostgreSQL Flexible Servers'); - expect(results[0].region).to.equal('global'); - done() - }; - - const cache = createCache( - null, - [ - { - "id": 
"/subscriptions/e79d9a03-3ab3-4481-bdcd-c5db1d55420a/providers/Microsoft.Security/pricings/default", - "name": "openSourceRelationalDatabases", - "type": "Microsoft.Security/pricings", - "pricingTier": "Standard", - "location": "global" - } - ] - ); - - auth.run(cache, {}, callback); - }) - }) -}); \ No newline at end of file From 3c45393fa7a10a63f67aecdf588eebca2ec0adc4 Mon Sep 17 00:00:00 2001 From: Fatima <66124862+fatima99s@users.noreply.github.com> Date: Thu, 28 Dec 2023 12:30:16 +0500 Subject: [PATCH 398/498] Update enableDefenderForOSRD.js --- plugins/azure/defender/enableDefenderForOSRD.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/defender/enableDefenderForOSRD.js b/plugins/azure/defender/enableDefenderForOSRD.js index f066b783b0..1e0e05cdce 100644 --- a/plugins/azure/defender/enableDefenderForOSRD.js +++ b/plugins/azure/defender/enableDefenderForOSRD.js @@ -8,7 +8,7 @@ module.exports = { description: 'Ensures that Microsoft Defender is enabled for Open Source Relational Databases.', more_info: 'Enabling Defender for Cloud on Open Source Relational Databases allows detection of unusual database access, query patterns, and suspicious activities, enhancing overall security.', recommended_action: 'Enable Microsoft Defender for Open Source Relational Databases in Defender plans for the subscription.', - link: 'https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-security#microsoft-defender-for-cloud-support', + link: 'https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-databases-introduction#what-are-the-benefits-of-microsoft-defender-for-open-source-relational-databases', apis: ['pricings:list'], run: function(cache, settings, callback) { @@ -40,4 +40,4 @@ module.exports = { callback(null, results, source); }); } -}; \ No newline at end of file +}; From 80efe713d39fc7da1f52039e598066b339e2d304 Mon Sep 17 00:00:00 2001 
From: fatima99s Date: Thu, 28 Dec 2023 12:32:40 +0500 Subject: [PATCH 399/498] resolve issues --- .../azure/postgresqlserver/flexibleServerVNetIntegrated.js | 4 ++-- .../postgresqlserver/flexibleServerVNetIntegrated.spec.js | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.js b/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.js index ea08a634b4..bd29a6d340 100644 --- a/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.js +++ b/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.js @@ -2,10 +2,10 @@ const async = require('async'); const helpers = require('../../../helpers/azure'); module.exports = { - title: 'PostgreSQL Flexible Server VNet integrated', + title: 'PostgreSQL Flexible Server VNet Integrated', category: 'PostgreSQL Server', domain: 'Databases', - description: 'Ensure that PostgreSQL flexible servers has VNet integrated.', + description: 'Ensures that PostgreSQL flexible servers have VNet integrated.', more_info: 'Configuring PostgreSQL flexible server to operate within a Virtual Network (VNet) offers a myriad of benefits for enhanced security and operational control. By integrating with a VNet, you are proactively safeguarding your server against potential security threats and unauthorized access.', recommended_action: 'Ensures Vnet (private access) is integrated for PostgreSQL flexible server.', link: 'https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking-private', diff --git a/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.spec.js b/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.spec.js index ae58356393..74760edc1d 100644 --- a/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.spec.js +++ b/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.spec.js 
@@ -25,8 +25,8 @@ const listPostgresFlexibleServer = [ "storageAutogrow": "Disabled" }, "network":{ - "delegatedSubnetResourceId" : "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/cloudsploit-dev/providers/Microsoft.Network/virtualNetworks/omer-virtual-network-test/subnets/default", - "privateDnsZoneArmResourceId" : "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/cloudsploit-dev/providers/Microsoft.Network/privateDnsZones/testflexibleserver11.private.postgres.database.azure.com", + "delegatedSubnetResourceId" : "/subscriptions/12345/resourceGroups/cloudsploit-dev/providers/Microsoft.Network/virtualNetworks/test/subnets/default", + "privateDnsZoneArmResourceId" : "/subscriptions/12345/resourceGroups/cloudsploit-dev/providers/Microsoft.Network/privateDnsZones/testflexibleserver11.private.postgres.database.azure.com", "publicNetworkAccess": "Disabled" } From c16b103f64cee2b38569919b05c16fe9d759ea1e Mon Sep 17 00:00:00 2001 From: fatima99s Date: Thu, 28 Dec 2023 12:39:15 +0500 Subject: [PATCH 400/498] resolve issues --- .../postgresqlserver/flexibleServerPrivateDns.js | 12 ++++++------ .../flexibleServerPrivateDns.spec.js | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/plugins/azure/postgresqlserver/flexibleServerPrivateDns.js b/plugins/azure/postgresqlserver/flexibleServerPrivateDns.js index 1ba2a26f98..f9f3d015ac 100644 --- a/plugins/azure/postgresqlserver/flexibleServerPrivateDns.js +++ b/plugins/azure/postgresqlserver/flexibleServerPrivateDns.js 
@@ -5,10 +5,10 @@ module.exports = { title: 'Private DNS Zone Integrated', category: 'PostgreSQL Server', domain: 'Databases', - description: 'Ensure that PostgreSQL flexible servers has Private DNS Zone integrated.', - more_info: 'Integrate Private DNS Zones with PostgreSQL flexible servers to enhance DNS service reliability and security within your Azure virtual network, ensuring seamless DNS resolution and streamlined domain management.', - recommended_action: 'Ensures Vnet and Private DNS Zone (private access) is integrated for PostgreSQL flexible server.', - link: 'https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking-private', + description: 'Ensure that PostgreSQL flexible servers have private DNS zone integrated.', + more_info: 'Integrating Private DNS Zones with PostgreSQL flexible servers enhances DNS service reliability and security within your Azure virtual network, ensuring seamless DNS resolution and streamlined domain management.', + recommended_action: 'Ensure Vnet and private DNS zone (private access) is integrated for PostgreSQL flexible server.', + link: 'https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking-private#using-private-dns-zone', apis: ['servers:listPostgresFlexibleServer'], run: function(cache, settings, callback) { 
@@ -37,9 +37,9 @@ module.exports = { if (!flexibleServer.id) continue; if (flexibleServer.network && flexibleServer.network.privateDnsZoneArmResourceId) { - helpers.addResult(results, 0, 'PostgreSQL flexible server has Private DNS Zone integrated', location, flexibleServer.id); + helpers.addResult(results, 0, 'PostgreSQL flexible server has private DNS zone integrated', location, flexibleServer.id); } else { - helpers.addResult(results, 2, 'PostgreSQL flexible server does not have Private DNS Zone integrated', location, flexibleServer.id); + helpers.addResult(results, 2, 'PostgreSQL flexible server does not have private DNS zone integrated', location, flexibleServer.id); } } diff --git a/plugins/azure/postgresqlserver/flexibleServerPrivateDns.spec.js b/plugins/azure/postgresqlserver/flexibleServerPrivateDns.spec.js index d9939a12cc..4c2d681d79 100644 --- a/plugins/azure/postgresqlserver/flexibleServerPrivateDns.spec.js +++ b/plugins/azure/postgresqlserver/flexibleServerPrivateDns.spec.js @@ -25,8 +25,8 @@ const listPostgresFlexibleServer = [ "storageAutogrow": "Disabled" }, "network":{ - "delegatedSubnetResourceId" : "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/cloudsploit-dev/providers/Microsoft.Network/virtualNetworks/omer-virtual-network-test/subnets/default", - "privateDnsZoneArmResourceId" : "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/cloudsploit-dev/providers/Microsoft.Network/privateDnsZones/testflexibleserver11.private.postgres.database.azure.com", + "delegatedSubnetResourceId" : "/subscriptions/12345/resourceGroups/cloudsploit-dev/providers/Microsoft.Network/virtualNetworks/test/subnets/default", + "privateDnsZoneArmResourceId" : "/subscriptions/12345/resourceGroups/cloudsploit-dev/providers/Microsoft.Network/privateDnsZones/testflexibleserver11.private.postgres.database.azure.com", "publicNetworkAccess": "Disabled" } 
@@ -59,23 +59,23 @@ describe('flexibleServerPrivateDns', function() { }); }); - it('should give failing result if Private Dns Zone is not integrated', function(done) { + it('should give failing result if private Dns zone is not integrated', function(done) { const cache = createCache([listPostgresFlexibleServer[0]]); flexibleServerPrivateDns.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('PostgreSQL flexible server does not have Private DNS Zone integrated'); + expect(results[0].message).to.include('PostgreSQL flexible server does not have private DNS zone integrated'); expect(results[0].region).to.equal('eastus'); done(); }); }); - it('should give should give passing result if Private Dns Zone is integrated', function(done) { + it('should give should give passing result if private Dns zone is integrated', function(done) { const cache = createCache([listPostgresFlexibleServer[1]]); flexibleServerPrivateDns.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('PostgreSQL flexible server has Private DNS Zone integrated'); + expect(results[0].message).to.include('PostgreSQL flexible server has private DNS zone integrated'); expect(results[0].region).to.equal('eastus'); done(); }); From 97ffc6ea530e5e8c193e160b98d991a3d135ffcd Mon Sep 17 00:00:00 2001 From: fatima99s Date: Thu, 28 Dec 2023 12:56:15 +0500 Subject: [PATCH 401/498] resolve --- plugins/aws/autoscaling/appTierIamRole.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/aws/autoscaling/appTierIamRole.js b/plugins/aws/autoscaling/appTierIamRole.js index 002b9036c0..2ee59f90c5 100644 --- a/plugins/aws/autoscaling/appTierIamRole.js +++ b/plugins/aws/autoscaling/appTierIamRole.js 
@@ -18,7 +18,7 @@ module.exports = { default: '' } }, - realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:DeleteAutoScalingGroup','autoscaling:UpdateAutoScalingGroup','autoscaling:createLaunchConfiguration','autoscaling:DeleteLaunchConfiguration'], + realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:DeleteAutoScalingGroup','autoscaling:UpdateAutoScalingGroup','autoscaling:CreateLaunchConfiguration','autoscaling:DeleteLaunchConfiguration'], run: function(cache, settings, callback) { var results = []; From a935fdf471fb107d41da959539442d2a898c7853 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Thu, 28 Dec 2023 13:09:10 +0500 Subject: [PATCH 402/498] Suggested-Changes --- ...dentity.js => appConfigManagedIdentity.js} | 5 ++-- ...ec.js => appConfigManagedIdentity.spec.js} | 30 +++++++++---------- 2 files changed, 17 insertions(+), 18 deletions(-) rename plugins/azure/appConfigurations/{appConfigurationManagedIdentity.js => appConfigManagedIdentity.js} (85%) rename plugins/azure/appConfigurations/{appConfigurationManagedIdentity.spec.js => appConfigManagedIdentity.spec.js} (72%) diff --git a/plugins/azure/appConfigurations/appConfigurationManagedIdentity.js b/plugins/azure/appConfigurations/appConfigManagedIdentity.js similarity index 85% rename from plugins/azure/appConfigurations/appConfigurationManagedIdentity.js rename to plugins/azure/appConfigurations/appConfigManagedIdentity.js index 9e2b91298b..3193e9b6b0 100644 --- a/plugins/azure/appConfigurations/appConfigurationManagedIdentity.js +++ b/plugins/azure/appConfigurations/appConfigManagedIdentity.js 
@@ -7,7 +7,7 @@ module.exports = { domain: 'Developer Tools', description: 'Ensures that Azure App Configurations have managed identity enabled.', more_info: 'Enabling managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.', - link: 'https://learn.microsoft.com/en-us/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity?tabs=core6x&pivots=framework-dotnet', + link: 'https://learn.microsoft.com/en-us/azure/azure-app-configuration/overview-managed-identity', recommended_action: 'Modify App Configuration store and add managed identity.', apis: ['appConfigurations:list'], @@ -34,9 +34,8 @@ module.exports = { for (let appConfiguration of appConfigurations.data) { if (!appConfiguration.id) continue; - var identityType = appConfiguration.identity && appConfiguration.identity.type? appConfiguration.identity.type : null; - if (identityType && (identityType.includes('systemassigned') || identityType.includes('userassigned'))) { + if (appConfiguration.identity) { helpers.addResult(results, 0, 'App Configuration has managed identity enabled', location, appConfiguration.id); } else { helpers.addResult(results, 2, 'App Configuration does not have managed identity enabled', location, appConfiguration.id); diff --git a/plugins/azure/appConfigurations/appConfigurationManagedIdentity.spec.js b/plugins/azure/appConfigurations/appConfigManagedIdentity.spec.js similarity index 72% rename from plugins/azure/appConfigurations/appConfigurationManagedIdentity.spec.js rename to plugins/azure/appConfigurations/appConfigManagedIdentity.spec.js index c3ab1d0c76..47c4c96aad 100644 --- a/plugins/azure/appConfigurations/appConfigurationManagedIdentity.spec.js +++ b/plugins/azure/appConfigurations/appConfigManagedIdentity.spec.js 
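Review bot: The replacement condition `if (appConfiguration.identity) {` passes any store whose ARM response carries an `identity` object at all, and on several Azure resource types a store whose managed identity has been removed still returns `identity` with `type: "None"`; if App Configuration behaves the same way, those stores are reported as compliant. The removed `includes('systemassigned')` test only broke on real responses because of casing (the spec fixture uses the lowercase `"systemassigned,userassigned"` form), so the fix is to normalise case rather than drop the type check: `var identityType = appConfiguration.identity && appConfiguration.identity.type ? appConfiguration.identity.type.toLowerCase() : '';` followed by `if (identityType && identityType !== 'none') {`. That would also keep this plugin in line with acrManagedIdentityEnabled later in this series, which compares `identityType.toLowerCase().includes('systemassigned')`. The enclosing `for` loop and the callback it sits in start and end outside the hunk.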
@@ -1,5 +1,5 @@ var expect = require('chai').expect; -var appConfigurationManagedIdentity = require('./appConfigurationManagedIdentity.js'); +var appConfigManagedIdentity = require('./appConfigManagedIdentity.js'); const appConfigurations = [ { @@ -8,7 +8,7 @@ const appConfigurations = [ "properties": { "provisioningState": "Succeeded", "creationDate": "2023-12-27T09:26:54+00:00", - "endpoint": "https://meerab-test-rg.azconfig.io", + "endpoint": "https://dummy-test-rg.azconfig.io", "encryption": { "keyVaultProperties": null }, @@ -18,7 +18,7 @@ const appConfigurations = [ "softDeleteRetentionInDays": 0, "enablePurgeProtection": false }, - "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/meerab-rg/providers/Microsoft.AppConfiguration/configurationStores/meerab-test-rg", + "id": "/subscriptions/123/resourceGroups/meerab-rg/providers/Microsoft.AppConfiguration/configurationStores/meerab-test-rg", "name": "meerab-test-rg", "tags": {} }, @@ -28,7 +28,7 @@ const appConfigurations = [ "properties": { "provisioningState": "Succeeded", "creationDate": "2023-12-27T09:26:54+00:00", - "endpoint": "https://meerab-test-rg.azconfig.io", + "endpoint": "https://dummy-test-rg.azconfig.io", "encryption": { "keyVaultProperties": null }, 
@@ -38,17 +38,17 @@ const appConfigurations = [ "softDeleteRetentionInDays": 0, "enablePurgeProtection": false }, - "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/meerab-rg/providers/Microsoft.AppConfiguration/configurationStores/meerab-test-rg", + "id": "/subscriptions/123/resourceGroups/meerab-rg/providers/Microsoft.AppConfiguration/configurationStores/meerab-test-rg", "name": "meerab-test-rg", "tags": {}, "identity": { "type": "systemassigned,userassigned", - "principalId": "dc03d47d-e6df-491f-aebe-50a93412a890", - "tenantId": "d207c7bd-fcb1-4dd3-855a-cfd2f9b651e8", + "principalId": "12345", + "tenantId": "123456", "userAssignedIdentities": { - "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testmeerab": { - "PrincipalId": "1d34c2cd-bd53-487d-b3a9-6064465497c9", - "ClientId": "2071caa1-3668-4de3-babc-155cfe3e38e5" + "/subscriptions/123/resourcegroups/meerab-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testmeerab": { + "PrincipalId": "1234567", + "ClientId": "123456789" } } } @@ -68,12 +68,12 @@ const createCache = (appConfigurations,err) => { } }; -describe('appConfigurationManagedIdentity', function () { +describe('appConfigManagedIdentity', function () { describe('run', function () { it('should give pass result if No existing app configurations found', function (done) { const cache = createCache([]); - appConfigurationManagedIdentity.run(cache, {}, (err, results) => { + appConfigManagedIdentity.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); expect(results[0].message).to.include('No existing App Configurations found'); 
@@ -84,7 +84,7 @@ describe('appConfigurationManagedIdentity', function () { it('should give unknown result if Unable to query app configurations:', function (done) { const cache = createCache(null, 'Error'); - appConfigurationManagedIdentity.run(cache, {}, (err, results) => { + appConfigManagedIdentity.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); expect(results[0].message).to.include('Unable to query App Configuration:'); @@ -95,7 +95,7 @@ describe('appConfigurationManagedIdentity', function () { it('should give passing result if App Configuration has managed identity enabled', function (done) { const cache = createCache([appConfigurations[1]]); - appConfigurationManagedIdentity.run(cache, {}, (err, results) => { + appConfigManagedIdentity.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); expect(results[0].message).to.include('App Configuration has managed identity enabled'); @@ -106,7 +106,7 @@ describe('appConfigurationManagedIdentity', function () { it('should give failing result if App Configuration does not have managed identity enabled', function (done) { const cache = createCache([appConfigurations[0]]); - appConfigurationManagedIdentity.run(cache, {}, (err, results) => { + appConfigManagedIdentity.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); expect(results[0].message).to.include('App Configuration does not have managed identity enabled'); From 24c445b191ab0e0bab2d46d151220d9a506f5126 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Thu, 28 Dec 2023 13:11:24 +0500 Subject: [PATCH 403/498] Update exports.js --- exports.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exports.js b/exports.js index e8555a1911..2bd5d5ca27 100644 --- a/exports.js +++ b/exports.js 
@@ -1040,7 +1040,7 @@ module.exports = { 'amsManagedIdentityEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsManagedIdentityEnabled.js'), 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'), - 'appConfigurationManagedIdentity': require(__dirname + '/plugins/azure/appConfigurations/appConfigurationManagedIdentity.js'), + 'appConfigManagedIdentity': require(__dirname + '/plugins/azure/appConfigurations/appConfigManagedIdentity.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), From 602cc2998b1554b881bab718581f94b3cec1dadf Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Thu, 28 Dec 2023 13:11:59 +0500 Subject: [PATCH 404/498] Azure/App-Configuration-Managed-identity --- exports.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exports.js b/exports.js index 2bd5d5ca27..938f703903 100644 --- a/exports.js +++ b/exports.js @@ -1040,7 +1040,7 @@ module.exports = { 'amsManagedIdentityEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsManagedIdentityEnabled.js'), 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'), - 'appConfigManagedIdentity': require(__dirname + '/plugins/azure/appConfigurations/appConfigManagedIdentity.js'), + 'appConfigManagedIdentity' : require(__dirname + '/plugins/azure/appConfigurations/appConfigManagedIdentity.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), From 6f8f47dd85ac04004b7e78a2b178b37a1828bf36 Mon Sep 17 00:00:00 2001 
From: alphadev4 Date: Thu, 28 Dec 2023 13:16:04 +0500 Subject: [PATCH 405/498] Azure/App-Configuration-Public-Access --- exports.js | 2 +- ...dentity.js => appConfigManagedIdentity.js} | 5 ++--- ...ec.js => appConfigManagedIdentity.spec.js} | 12 +++++----- .../appConfigurationPublicAccess.spec.js | 22 +++++++++---------- 4 files changed, 20 insertions(+), 21 deletions(-) rename plugins/azure/appConfigurations/{appConfigurationManagedIdentity.js => appConfigManagedIdentity.js} (85%) rename plugins/azure/appConfigurations/{appConfigurationManagedIdentity.spec.js => appConfigManagedIdentity.spec.js} (90%) diff --git a/exports.js b/exports.js index fdaee7f7d5..abb2239618 100644 --- a/exports.js +++ b/exports.js @@ -1040,7 +1040,7 @@ module.exports = { 'amsManagedIdentityEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsManagedIdentityEnabled.js'), 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'), - 'appConfigurationManagedIdentity': require(__dirname + '/plugins/azure/appConfigurations/appConfigurationManagedIdentity.js'), + 'appConfigManagedIdentity' : require(__dirname + '/plugins/azure/appConfigurations/appConfigurationManagedIdentity.js'), 'appConfigurationPublicAccess' : require(__dirname + '/plugins/azure/appConfigurations/appConfigurationPublicAccess.js'), }, diff --git a/plugins/azure/appConfigurations/appConfigurationManagedIdentity.js b/plugins/azure/appConfigurations/appConfigManagedIdentity.js similarity index 85% rename from plugins/azure/appConfigurations/appConfigurationManagedIdentity.js rename to plugins/azure/appConfigurations/appConfigManagedIdentity.js index 9e2b91298b..3193e9b6b0 100644 --- a/plugins/azure/appConfigurations/appConfigurationManagedIdentity.js +++ b/plugins/azure/appConfigurations/appConfigManagedIdentity.js 
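Review bot: The new export line keeps the require path `/plugins/azure/appConfigurations/appConfigurationManagedIdentity.js`, but this same commit renames that file to `appConfigManagedIdentity.js` (see the `rename` entries in the diffstat), so `require` would throw a module-not-found error when exports.js is loaded. The key was renamed but the path was not: it should read `'appConfigManagedIdentity' : require(__dirname + '/plugins/azure/appConfigurations/appConfigManagedIdentity.js'),`. A later commit in this series corrects the path, but at this commit the module does not load.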
@@ -7,7 +7,7 @@ module.exports = { domain: 'Developer Tools', description: 'Ensures that Azure App Configurations have managed identity enabled.', more_info: 'Enabling managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.', - link: 'https://learn.microsoft.com/en-us/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity?tabs=core6x&pivots=framework-dotnet', + link: 'https://learn.microsoft.com/en-us/azure/azure-app-configuration/overview-managed-identity', recommended_action: 'Modify App Configuration store and add managed identity.', apis: ['appConfigurations:list'], @@ -34,9 +34,8 @@ module.exports = { for (let appConfiguration of appConfigurations.data) { if (!appConfiguration.id) continue; - var identityType = appConfiguration.identity && appConfiguration.identity.type? appConfiguration.identity.type : null; - if (identityType && (identityType.includes('systemassigned') || identityType.includes('userassigned'))) { + if (appConfiguration.identity) { helpers.addResult(results, 0, 'App Configuration has managed identity enabled', location, appConfiguration.id); } else { helpers.addResult(results, 2, 'App Configuration does not have managed identity enabled', location, appConfiguration.id); diff --git a/plugins/azure/appConfigurations/appConfigurationManagedIdentity.spec.js b/plugins/azure/appConfigurations/appConfigManagedIdentity.spec.js similarity index 90% rename from plugins/azure/appConfigurations/appConfigurationManagedIdentity.spec.js rename to plugins/azure/appConfigurations/appConfigManagedIdentity.spec.js index c3ab1d0c76..c078215db1 100644 --- a/plugins/azure/appConfigurations/appConfigurationManagedIdentity.spec.js +++ b/plugins/azure/appConfigurations/appConfigManagedIdentity.spec.js 
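Review bot: This hunk re-applies the same loosening as the earlier appConfigManagedIdentity commit, replacing the identity-type comparison with a bare `if (appConfiguration.identity) {`, so a response carrying `identity: { type: "None" }` (the shape ARM returns for some resource types once the identity is removed) would pass if App Configuration reports it that way. Lower-casing the type and rejecting `'none'` keeps the intent of the original check without its case-sensitivity problem: `var identityType = appConfiguration.identity && appConfiguration.identity.type ? appConfiguration.identity.type.toLowerCase() : '';` and `if (identityType && identityType !== 'none') {`. The loop and surrounding callback continue outside the hunk.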
@@ -1,5 +1,5 @@ var expect = require('chai').expect; -var appConfigurationManagedIdentity = require('./appConfigurationManagedIdentity.js'); +var appConfigManagedIdentity = require('./appConfigManagedIdentity.js'); const appConfigurations = [ { @@ -68,12 +68,12 @@ const createCache = (appConfigurations,err) => { } }; -describe('appConfigurationManagedIdentity', function () { +describe('appConfigManagedIdentity', function () { describe('run', function () { it('should give pass result if No existing app configurations found', function (done) { const cache = createCache([]); - appConfigurationManagedIdentity.run(cache, {}, (err, results) => { + appConfigManagedIdentity.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); expect(results[0].message).to.include('No existing App Configurations found'); @@ -84,7 +84,7 @@ describe('appConfigurationManagedIdentity', function () { it('should give unknown result if Unable to query app configurations:', function (done) { const cache = createCache(null, 'Error'); - appConfigurationManagedIdentity.run(cache, {}, (err, results) => { + appConfigManagedIdentity.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); expect(results[0].message).to.include('Unable to query App Configuration:'); @@ -95,7 +95,7 @@ describe('appConfigurationManagedIdentity', function () { it('should give passing result if App Configuration has managed identity enabled', function (done) { const cache = createCache([appConfigurations[1]]); - appConfigurationManagedIdentity.run(cache, {}, (err, results) => { + appConfigManagedIdentity.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); expect(results[0].message).to.include('App Configuration has managed identity enabled'); 
@@ -106,7 +106,7 @@ describe('appConfigurationManagedIdentity', function () { it('should give failing result if App Configuration does not have managed identity enabled', function (done) { const cache = createCache([appConfigurations[0]]); - appConfigurationManagedIdentity.run(cache, {}, (err, results) => { + appConfigManagedIdentity.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); expect(results[0].message).to.include('App Configuration does not have managed identity enabled'); diff --git a/plugins/azure/appConfigurations/appConfigurationPublicAccess.spec.js b/plugins/azure/appConfigurations/appConfigurationPublicAccess.spec.js index f22f176462..7503b92375 100644 --- a/plugins/azure/appConfigurations/appConfigurationPublicAccess.spec.js +++ b/plugins/azure/appConfigurations/appConfigurationPublicAccess.spec.js @@ -7,7 +7,7 @@ const appConfigurations = [ "location": "eastus", "provisioningState": "Succeeded", "creationDate": "2023-12-27T09:26:54+00:00", - "endpoint": "https://meerab-test-rg.azconfig.io", + "endpoint": "https://dummy-test-rg.azconfig.io", "encryption": { "keyVaultProperties": null }, @@ -16,8 +16,8 @@ const appConfigurations = [ "disableLocalAuth": false, "softDeleteRetentionInDays": 0, "enablePurgeProtection": false, - "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/meerab-rg/providers/Microsoft.AppConfiguration/configurationStores/meerab-test-rg", - "name": "meerab-test-rg", + "id": "/subscriptions/123/resourceGroups/dummy-rg/providers/Microsoft.AppConfiguration/configurationStores/dummy-test-rg", + "name": "dummy-test-rg", "tags": {} }, { @@ -25,7 +25,7 @@ const appConfigurations = [ "location": "eastus", "provisioningState": "Succeeded", "creationDate": "2023-12-27T09:26:54+00:00", - "endpoint": "https://meerab-test-rg.azconfig.io", + "endpoint": "https://dummy-test-rg.azconfig.io", "encryption": { "keyVaultProperties": null }, 
@@ -34,17 +34,17 @@ const appConfigurations = [ "disableLocalAuth": false, "softDeleteRetentionInDays": 0, "enablePurgeProtection": false, - "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/meerab-rg/providers/Microsoft.AppConfiguration/configurationStores/meerab-test-rg", - "name": "meerab-test-rg", + "id": "/subscriptions/123/resourceGroups/dummy-rg/providers/Microsoft.AppConfiguration/configurationStores/dummy-test-rg", + "name": "dummy-test-rg", "tags": {}, "identity": { "type": "systemassigned,userassigned", - "principalId": "dc03d47d-e6df-491f-aebe-50a93412a890", - "tenantId": "d207c7bd-fcb1-4dd3-855a-cfd2f9b651e8", + "principalId": "1234", + "tenantId": "1234", "userAssignedIdentities": { - "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testmeerab": { - "PrincipalId": "1d34c2cd-bd53-487d-b3a9-6064465497c9", - "ClientId": "2071caa1-3668-4de3-babc-155cfe3e38e5" + "/subscriptions/123/resourcegroups/dummy-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testdummy": { + "PrincipalId": "12344", + "ClientId": "123445" } } } From c17b35ea936afa644290194de348ee8e7ab4283b Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Thu, 28 Dec 2023 13:19:20 +0500 Subject: [PATCH 406/498] Update exports.js --- exports.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exports.js b/exports.js index abb2239618..3d3a2b681e 100644 --- a/exports.js +++ b/exports.js 
@@ -1040,7 +1040,7 @@ module.exports = { 'amsManagedIdentityEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsManagedIdentityEnabled.js'), 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'), - 'appConfigManagedIdentity' : require(__dirname + '/plugins/azure/appConfigurations/appConfigurationManagedIdentity.js'), + 'appConfigManagedIdentity' : require(__dirname + '/plugins/azure/appConfigurations/appConfigManagedIdentity.js'), 'appConfigurationPublicAccess' : require(__dirname + '/plugins/azure/appConfigurations/appConfigurationPublicAccess.js'), }, From 1fa1051ea93b2cde5359721e58a90ee3f61cc08e Mon Sep 17 00:00:00 2001 From: fatima99s Date: Thu, 28 Dec 2023 13:23:39 +0500 Subject: [PATCH 407/498] resolve issues --- plugins/aws/autoscaling/asgMissingELB.js | 2 +- plugins/aws/autoscaling/sameAzElb.js | 2 +- plugins/aws/computeoptimizer/ebsVolumesOptimized.js | 2 +- plugins/aws/computeoptimizer/ec2InstancesOptimized.js | 2 +- plugins/aws/computeoptimizer/lambdaFunctionsOptimized.js | 2 +- plugins/aws/iam/certificateExpiry.js | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/plugins/aws/autoscaling/asgMissingELB.js b/plugins/aws/autoscaling/asgMissingELB.js index dd91470d48..2bdeb60f71 100644 --- a/plugins/aws/autoscaling/asgMissingELB.js +++ b/plugins/aws/autoscaling/asgMissingELB.js 
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/attach-load-balancer-asg.html', recommended_action: 'Ensure that the Auto Scaling group load balancer has not been deleted. If so, remove it from the ASG.', apis: ['AutoScaling:describeAutoScalingGroups', 'ELB:describeLoadBalancers', 'ELBv2:describeLoadBalancers'], - realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:DeleteAutoScalingGroup','autoscaling:AttachLoadBalancers','autoscaling:DetachLoadBalancers','elb:CreateLoadBalancer','elbv2:CreateLoadBalancer','elb:DeleteLoadBalancer','elbv2:DeleteLoadBalancer'], + realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:DeleteAutoScalingGroup','autoscaling:AttachLoadBalancers','autoscaling:DetachLoadBalancers','elasticloadbalancing:CreateLoadBalancer','elasticloadbalancing:CreateLoadBalancer','elasticloadbalancing:DeleteLoadBalancer','elasticloadbalancing:DeleteLoadBalancer'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/autoscaling/sameAzElb.js b/plugins/aws/autoscaling/sameAzElb.js index de247466ae..1f5aa218b4 100644 --- a/plugins/aws/autoscaling/sameAzElb.js +++ b/plugins/aws/autoscaling/sameAzElb.js 
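Review bot: The rewritten `realtime_triggers` list carries each ELB action twice — `'elasticloadbalancing:CreateLoadBalancer'` and `'elasticloadbalancing:DeleteLoadBalancer'` both appear back to back — because the former `elb:` and `elbv2:` entries were mapped onto the same prefix. The duplicates are harmless if the trigger matcher treats the list as a set, but they should be collapsed to a single `'elasticloadbalancing:CreateLoadBalancer','elasticloadbalancing:DeleteLoadBalancer'` pair so the list documents the real set of events. The same duplication is introduced in sameAzElb.js in this commit.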
@@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-add-availability-zone.html', recommended_action: 'Update the ELB to use the same availability zones as the autoscaling group.', apis: ['AutoScaling:describeAutoScalingGroups', 'ELB:describeLoadBalancers', 'ELBv2:describeLoadBalancers'], - realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup','autoscaling:DeleteAutoScalingGroup','elb:CreateLoadBalancer','elbv2:CreateLoadBalancer','elb:DeleteLoadBalancer','elbv2:DeleteLoadBalancer'], + realtime_triggers: ['autoscaling:CreateAutoScalingGroup','autoscaling:UpdateAutoScalingGroup','autoscaling:DeleteAutoScalingGroup','elasticloadbalancing:CreateLoadBalancer','elasticloadbalancing:CreateLoadBalancer','elasticloadbalancing:DeleteLoadBalancer','elasticloadbalancing:DeleteLoadBalancer'], diff --git a/plugins/aws/computeoptimizer/ebsVolumesOptimized.js b/plugins/aws/computeoptimizer/ebsVolumesOptimized.js index c979a54842..c98e6e7ac8 100644 --- a/plugins/aws/computeoptimizer/ebsVolumesOptimized.js +++ b/plugins/aws/computeoptimizer/ebsVolumesOptimized.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/compute-optimizer/latest/ug/view-ebs-recommendations.html', recommended_action: 'Resolve Compute Optimizer recommendations for EBS volumes.', apis: ['ComputeOptimizer:getRecommendationSummaries'], - realtime_triggers: ['ComputeOptimizer:UpdateEnrollmentStatus','ec2:CreateVolume','ec2:ModifyVolume','ec2:deleteVolume'], + realtime_triggers: ['ComputeOptimizer:UpdateEnrollmentStatus','ec2:CreateVolume','ec2:ModifyVolume','ec2:DeleteVolume'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/computeoptimizer/ec2InstancesOptimized.js b/plugins/aws/computeoptimizer/ec2InstancesOptimized.js index 35846d6dcb..cdf533f495 100644 --- a/plugins/aws/computeoptimizer/ec2InstancesOptimized.js 
+++ b/plugins/aws/computeoptimizer/ec2InstancesOptimized.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/compute-optimizer/latest/ug/view-ec2-recommendations.html', recommended_action: 'Resolve Compute Optimizer recommendations for EC2 instances.', apis: ['ComputeOptimizer:getRecommendationSummaries'], - realtime_triggers: ['ComputeOptimizer:UpdateEnrollmentStatus','ec2:RunInstances','ec2:TerminateInstances','ec2:ModifyInstanceAttribute','ec2:StartInstances','ec2:stopInstances'], + realtime_triggers: ['ComputeOptimizer:UpdateEnrollmentStatus','ec2:RunInstances','ec2:TerminateInstances','ec2:ModifyInstanceAttribute','ec2:StartInstances','ec2:StopInstances', 'ec2:StartInstance', 'ec2:StopInstance'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/computeoptimizer/lambdaFunctionsOptimized.js b/plugins/aws/computeoptimizer/lambdaFunctionsOptimized.js index f04facc489..bdeb162b31 100644 --- a/plugins/aws/computeoptimizer/lambdaFunctionsOptimized.js +++ b/plugins/aws/computeoptimizer/lambdaFunctionsOptimized.js @@ -10,7 +10,7 @@ module.exports = { link: 'https://docs.aws.amazon.com/compute-optimizer/latest/ug/view-lambda-recommendations.html', recommended_action: 'Resolve Compute Optimizer recommendations for Lambda functions.', apis: ['ComputeOptimizer:getRecommendationSummaries'], - realtime_triggers: ['ComputeOptimizer:UpdateEnrollmentStatus','lambda:CreateFunction','lambda:UpdateFunctionConfiguration','lambda:deleteFunction'], + realtime_triggers: ['ComputeOptimizer:UpdateEnrollmentStatus','lambda:CreateFunction','lambda:UpdateFunctionConfiguration','lambda:DeleteFunction'], run: function(cache, settings, callback) { var results = []; diff --git a/plugins/aws/iam/certificateExpiry.js b/plugins/aws/iam/certificateExpiry.js index c76f383359..0932db5e73 100644 --- a/plugins/aws/iam/certificateExpiry.js +++ b/plugins/aws/iam/certificateExpiry.js 
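Review bot: The two entries appended at the end of the list, `'ec2:StartInstance'` and `'ec2:StopInstance'`, do not match any EC2 API action I can identify — the operations are `StartInstances` and `StopInstances`, which the list already contains — so unless the trigger matcher expects singular names they are dead entries and should be removed. Separately, every Compute Optimizer list in this commit keeps the mixed-case `'ComputeOptimizer:UpdateEnrollmentStatus'` prefix while the other entries use lowercase service prefixes (`ec2:`, `lambda:`); since this series corrects the casing of action names (`deleteFunction` → `DeleteFunction`), it is worth confirming whether the matcher is case-insensitive on the service prefix or normalising it to the form used elsewhere in the code base. Only the `realtime_triggers` property is in the hunk; the module definition continues outside it.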
@@ -35,7 +35,7 @@ module.exports = { } ] }, - realtime_triggers: ['iam:UploadServerCertificate','iam:DeleteServerCertificate','elb:SetLoadBalancerListenerSSLCertificate'], + realtime_triggers: ['iam:UploadServerCertificate','iam:DeleteServerCertificate','elasticloadbalancing:SetLoadBalancerListenerSSLCertificate'], run: function(cache, settings, callback) { var config = { From 8903fd19d80386208cb5c7c46a7884c1805f8050 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Thu, 28 Dec 2023 13:24:44 +0500 Subject: [PATCH 408/498] Update plugins/azure/containerregistry/acrContentTrustEnabled.js Co-authored-by: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> --- plugins/azure/containerregistry/acrContentTrustEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/containerregistry/acrContentTrustEnabled.js b/plugins/azure/containerregistry/acrContentTrustEnabled.js index 3d14987b77..599ab9dc51 100644 --- a/plugins/azure/containerregistry/acrContentTrustEnabled.js +++ b/plugins/azure/containerregistry/acrContentTrustEnabled.js 
@@ -6,7 +6,7 @@ module.exports = { category: 'Container Registry', domain: 'Containers', description: 'Ensure that content trust is enabled for Azure premium container registries.', - more_info: 'Content trust allows you to sign the images you push to your registry. Consumers of your images (people or systems pulling images from your registry) can configure their clients to pull only signed images.', + more_info: 'Content trust allows you to sign the images you push to your registry. Consumers of your images (people or systems pulling images from your registry) can configure their clients to pull only signed images which enhances container image security by ensuring the integrity and authenticity of images and safeguards against unauthorized or tampered content.', recommended_action: 'Modify your container registry and enable content trust.', link: 'https://learn.microsoft.com/en-us/azure/container-registry/container-registry-content-trust#enable-registry-content-trust', apis: ['registries:list'], From 1a034e4d17d8b54e83de3dc169b04c207fa46729 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Thu, 28 Dec 2023 13:35:25 +0500 Subject: [PATCH 409/498] Added check for premium --- .../acrContentTrustEnabled.js | 24 ++++++------ .../acrContentTrustEnabled.spec.js | 37 ++++++++++++++++++- 2 files changed, 47 insertions(+), 14 deletions(-) diff --git a/plugins/azure/containerregistry/acrContentTrustEnabled.js b/plugins/azure/containerregistry/acrContentTrustEnabled.js index 599ab9dc51..8667a3df57 100644 --- a/plugins/azure/containerregistry/acrContentTrustEnabled.js +++ b/plugins/azure/containerregistry/acrContentTrustEnabled.js 
@@ -34,23 +34,23 @@ module.exports = { return rcb(); } - var found = false; for (let registry of registries.data) { - if (!registry.id || (registry.sku && registry.sku.tier && registry.sku.tier!= 'Premium')) continue; + if (!registry.id) continue; - found = true; - var trustPolicy = registry.policies && registry.policies.trustPolicy? registry.policies.trustPolicy : null; - - if (trustPolicy && trustPolicy.status && trustPolicy.status.toLowerCase() == 'enabled'){ - helpers.addResult(results, 0, 'Content trust is enabled for container registry', location, registry.id); + if (registry.sku && registry.sku.tier && registry.sku.tier!='Premium') { + helpers.addResult(results, 0, 'Content trust is feature of Premium tier container registry', location, registry.id); } else { - helpers.addResult(results, 2, 'Content trust is not enabled for container registry', location, registry.id); - } + + var trustPolicy = registry.policies && registry.policies.trustPolicy? registry.policies.trustPolicy : null; + + if (trustPolicy && trustPolicy.status && trustPolicy.status.toLowerCase() == 'enabled'){ + helpers.addResult(results, 0, 'Content trust is enabled for container registry', location, registry.id); + } else { + helpers.addResult(results, 2, 'Content trust is not enabled for container registry', location, registry.id); + } + } } - if (!found) { - helpers.addResult(results, 2, 'No existing container registries found', location); - } rcb(); }, function() { diff --git a/plugins/azure/containerregistry/acrContentTrustEnabled.spec.js b/plugins/azure/containerregistry/acrContentTrustEnabled.spec.js index b22156733c..1d891eaaa4 100644 --- a/plugins/azure/containerregistry/acrContentTrustEnabled.spec.js +++ b/plugins/azure/containerregistry/acrContentTrustEnabled.spec.js 
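Review bot: A Basic or Standard registry now receives a passing result (`helpers.addResult(results, 0, 'Content trust is feature of Premium tier container registry', ...)`) even though it cannot enforce signed images at all, so a registry that falls below the tier the control needs is reported as compliant rather than as skipped; the message should at least state that, and it also has a grammar slip that the spec in this commit initially expected to read differently — `'Content trust is a feature of Premium tier container registries only'` would do. Dropping the `found` flag also drops the only "No existing container registries found" result inside this hunk, which is only safe if the usual guard on `registries.data.length` sits above the hunk — it is not visible here. The `trustPolicy.status.toLowerCase() == 'enabled'` comparison should use `===`. The enclosing callback starts and ends outside the hunk.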
@@ -3,7 +3,7 @@ var acrContentTrustEnabled = require('./acrContentTrustEnabled'); registries = [ { - "id": "/subscriptions/ade0e01e-f9cd-49d3-bba7-d5a5362a3414/resourceGroups/devresourcegroup/providers/Microsoft.ContainerRegistry/registries/testregistry12543", + "id": "/subscriptions/123445/resourceGroups/devresourcegroup/providers/Microsoft.ContainerRegistry/registries/testregistry12543", "name": "testregistry12543", "type": "Microsoft.ContainerRegistry/registries", "location": "eastus", @@ -24,7 +24,7 @@ registries = [ } }, { - "id": "/subscriptions/ade0e01e-f9cd-49d3-bba7-d5a5362a3414/resourceGroups/devresourcegroup/providers/Microsoft.ContainerRegistry/registries/testregistry12543", + "id": "/subscriptions/123445/resourceGroups/devresourcegroup/providers/Microsoft.ContainerRegistry/registries/testregistry12543", "name": "testregistry12543", "type": "Microsoft.ContainerRegistry/registries", "location": "eastus", @@ -43,6 +43,27 @@ registries = [ "status": "enabled" }, } + }, + { + "id": "/subscriptions/123445/resourceGroups/devresourcegroup/providers/Microsoft.ContainerRegistry/registries/testregistry12543", + "name": "testregistry12543", + "type": "Microsoft.ContainerRegistry/registries", + "location": "eastus", + "tags": {}, + "anonymousPullEnabled": false, + "sku": { + "name": "Basic", + "tier": "Basic" + }, + "policies": { + "quarantinePolicy": { + "status": "disabled" + }, + "trustPolicy": { + "type": "Notary", + "status": "enabled" + }, + } } ]; 
@@ -107,5 +128,17 @@ describe('acrContentTrustEnabled', function() { }); + it('should give passing result if registry is non premium', function(done) { + const cache = createCache(null, [registries[2]]); + acrContentTrustEnabled.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Content trust is feature of Premium tier container registry only'); + expect(results[0].region).to.equal('eastus'); + done() + }); + + }); + }) }); \ No newline at end of file From cf029a8dffb9e7bd9027827a81ce41368f0da788 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Thu, 28 Dec 2023 13:38:16 +0500 Subject: [PATCH 410/498] Updated spec --- plugins/azure/containerregistry/acrContentTrustEnabled.js | 2 +- plugins/azure/containerregistry/acrContentTrustEnabled.spec.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/containerregistry/acrContentTrustEnabled.js b/plugins/azure/containerregistry/acrContentTrustEnabled.js index 8667a3df57..e44358d759 100644 --- a/plugins/azure/containerregistry/acrContentTrustEnabled.js +++ b/plugins/azure/containerregistry/acrContentTrustEnabled.js @@ -37,7 +37,7 @@ module.exports = { for (let registry of registries.data) { if (!registry.id) continue; - if (registry.sku && registry.sku.tier && registry.sku.tier!='Premium') { + if (registry.sku && registry.sku.tier && registry.sku.tier.toLowerCase() !='premium') { helpers.addResult(results, 0, 'Content trust is feature of Premium tier container registry', location, registry.id); } else { diff --git a/plugins/azure/containerregistry/acrContentTrustEnabled.spec.js b/plugins/azure/containerregistry/acrContentTrustEnabled.spec.js index 1d891eaaa4..4e89590add 100644 --- a/plugins/azure/containerregistry/acrContentTrustEnabled.spec.js +++ b/plugins/azure/containerregistry/acrContentTrustEnabled.spec.js 
@@ -133,7 +133,7 @@ describe('acrContentTrustEnabled', function() { acrContentTrustEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Content trust is feature of Premium tier container registry only'); + expect(results[0].message).to.include('Content trust is feature of Premium tier container registry'); expect(results[0].region).to.equal('eastus'); done() }); From 4cc0634b4d6fdc273e5378025d889c85846cd6e4 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Thu, 28 Dec 2023 13:40:08 +0500 Subject: [PATCH 411/498] Update plugins/azure/containerregistry/acrManagedIdentityEnabled.js Co-authored-by: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> --- plugins/azure/containerregistry/acrManagedIdentityEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/containerregistry/acrManagedIdentityEnabled.js b/plugins/azure/containerregistry/acrManagedIdentityEnabled.js index 013a2cc1ba..d682c7d651 100644 --- a/plugins/azure/containerregistry/acrManagedIdentityEnabled.js +++ b/plugins/azure/containerregistry/acrManagedIdentityEnabled.js @@ -7,7 +7,7 @@ module.exports = { domain: 'Containers', description: 'Ensure that Azure container registries have managed identity enabled.', more_info: 'Enabling managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.', - recommended_action: 'Modify container registry and enabled managed identity.', + recommended_action: 'Modify container registry and enable managed identity.', link: 'https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication-managed-identity?tabs=azure-cli', apis: ['registries:list'], 
From 2bc1be8e279bac0bfebbe4188b13538f0ef97255 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Thu, 28 Dec 2023 13:40:15 +0500 Subject: [PATCH 412/498] Update plugins/azure/containerregistry/acrManagedIdentityEnabled.js Co-authored-by: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> --- plugins/azure/containerregistry/acrManagedIdentityEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/containerregistry/acrManagedIdentityEnabled.js b/plugins/azure/containerregistry/acrManagedIdentityEnabled.js index d682c7d651..f3bdd0960c 100644 --- a/plugins/azure/containerregistry/acrManagedIdentityEnabled.js +++ b/plugins/azure/containerregistry/acrManagedIdentityEnabled.js @@ -38,7 +38,7 @@ module.exports = { var identityType = registry.identity && registry.identity.type? registry.identity.type : null; - if (identityType && (identityType.includes('systemAssigned') || identityType.includes('userAssigned'))) { + if (identityType && (identityType.toLowerCase().includes('systemassigned') || identityType.toLowerCase().includes('userassigned'))) { helpers.addResult(results, 0, 'Container registry has managed identity enabled', location, registry.id); } else { helpers.addResult(results, 2, 'Container registry does not have managed identity enabled', location, registry.id); From ff16328fcaffbab4968be8d22946df73a0d59947 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Thu, 28 Dec 2023 13:43:21 +0500 Subject: [PATCH 413/498] Replaced-dummy-values --- .../acrManagedIdentityEnabled.js | 4 +-- .../acrManagedIdentityEnabled.spec.js | 26 +++++++++---------- 2 files changed, 14 insertions(+), 16 deletions(-) diff --git a/plugins/azure/containerregistry/acrManagedIdentityEnabled.js b/plugins/azure/containerregistry/acrManagedIdentityEnabled.js index f3bdd0960c..cc26f7676c 100644 --- a/plugins/azure/containerregistry/acrManagedIdentityEnabled.js 
+++ b/plugins/azure/containerregistry/acrManagedIdentityEnabled.js @@ -36,9 +36,7 @@ module.exports = { for (let registry of registries.data){ if (!registry.id) continue; - var identityType = registry.identity && registry.identity.type? registry.identity.type : null; - - if (identityType && (identityType.toLowerCase().includes('systemassigned') || identityType.toLowerCase().includes('userassigned'))) { + if (registry.identity) { helpers.addResult(results, 0, 'Container registry has managed identity enabled', location, registry.id); } else { helpers.addResult(results, 2, 'Container registry does not have managed identity enabled', location, registry.id); diff --git a/plugins/azure/containerregistry/acrManagedIdentityEnabled.spec.js b/plugins/azure/containerregistry/acrManagedIdentityEnabled.spec.js index c3e825e146..7e717b488e 100644 --- a/plugins/azure/containerregistry/acrManagedIdentityEnabled.spec.js +++ b/plugins/azure/containerregistry/acrManagedIdentityEnabled.spec.js @@ -3,7 +3,7 @@ var acrManagedIdentityEnabled = require('./acrManagedIdentityEnabled'); registries = [ { - "id": "/subscriptions/ade0e01e-f9cd-49d3-bba7-d5a5362a3414/resourceGroups/devresourcegroup/providers/Microsoft.ContainerRegistry/registries/testregistry12543", + "id": "/subscriptions/123445/resourceGroups/devresourcegroup/providers/Microsoft.ContainerRegistry/registries/testregistry12543", "name": "testregistry12543", "type": "Microsoft.ContainerRegistry/registries", "location": "eastus", 
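Review bot: `if (registry.identity)` passes on the mere presence of the identity object, which is weaker than the type check it replaces: ARM resources commonly retain an `identity` block with `type: 'None'` after a managed identity is removed (to be confirmed against the registries API), and that shape would now be reported as having managed identity enabled. Keep a type check while still accepting any assigned variant: `var identityType = registry.identity && registry.identity.type ? registry.identity.type.toLowerCase() : 'none';` followed by `if (identityType !== 'none') {`. The surrounding for-loop and run() continue outside the hunk.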
@@ -20,19 +20,19 @@ registries = [ }, }, "identity": { - "principalId": "f61fb52b-80c1-4adf-b9c4-0cc80c71d6d7", - "tenantId": "d207c7bd-fcb1-4dd3-855a-cfd2f9b651e8", + "principalId": "1234", + "tenantId": "1234009", "type": "systemAssigned", "userAssignedIdentities": { - "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testmeerab": { - "principalId": "1d34c2cd-bd53-487d-b3a9-6064465497c9", - "clientId": "2071caa1-3668-4de3-babc-155cfe3e38e5" + "/subscriptions/12343345/resourcegroups/meerab-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testmeerab": { + "principalId": "1234333345", + "clientId": "1234333345" } } }, }, { - "id": "/subscriptions/ade0e01e-f9cd-49d3-bba7-d5a5362a3414/resourceGroups/devresourcegroup/providers/Microsoft.ContainerRegistry/registries/testregistry12543", + "id": "/subscriptions/123445/resourceGroups/devresourcegroup/providers/Microsoft.ContainerRegistry/registries/testregistry12543", "name": "testregistry12543", "type": "Microsoft.ContainerRegistry/registries", "location": "eastus", @@ -50,7 +50,7 @@ registries = [ }, }, { - "id": "/subscriptions/ade0e01e-f9cd-49d3-bba7-d5a5362a3414/resourceGroups/devresourcegroup/providers/Microsoft.ContainerRegistry/registries/testregistry12543", + "id": "/subscriptions/123445/resourceGroups/devresourcegroup/providers/Microsoft.ContainerRegistry/registries/testregistry12543", "name": "testregistry12543", "type": "Microsoft.ContainerRegistry/registries", "location": "eastus", 
@@ -67,13 +67,13 @@ registries = [ }, }, "identity": { - "principalId": "f61fb52b-80c1-4adf-b9c4-0cc80c71d6d7", - "tenantId": "d207c7bd-fcb1-4dd3-855a-cfd2f9b651e8", + "principalId": "1234", + "tenantId": "1234009", "type": "systemAssigned, userAssigned", "userAssignedIdentities": { - "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testmeerab": { - "principalId": "1d34c2cd-bd53-487d-b3a9-6064465497c9", - "clientId": "2071caa1-3668-4de3-babc-155cfe3e38e5" + "/subscriptions/12343345/resourcegroups/meerab-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testmeerab": { + "principalId": "1234333345", + "clientId": "1234333345" } } }, From c16046e772188628ed7d2d8e3b5e8daef1c874e7 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Thu, 28 Dec 2023 14:19:12 +0500 Subject: [PATCH 414/498] Added-setting --- .../redisCache/redisCacheDiagnosticLogs.js | 31 +++++--- .../redisCacheDiagnosticLogs.spec.js | 75 +++++++++++-------- 2 files changed, 65 insertions(+), 41 deletions(-) diff --git a/plugins/azure/redisCache/redisCacheDiagnosticLogs.js b/plugins/azure/redisCache/redisCacheDiagnosticLogs.js index cbb8aa1ce5..eaa21fa99a 100644 --- a/plugins/azure/redisCache/redisCacheDiagnosticLogs.js +++ b/plugins/azure/redisCache/redisCacheDiagnosticLogs.js 
@@ -10,12 +10,24 @@ module.exports = { recommended_action: 'Enable diagnostic logging for all Redis Caches.', link: 'https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-monitor-diagnostic-settings?tabs=basic-standard-premium', apis: ['redisCaches:listBySubscription','diagnosticSettings:listByRedisCache'], + settings: { + diagnostic_logs: { + name: 'Diagnostic Logs Enabled', + description: 'Comma separated list of diagnostic logs that should be enabled at minimum i.e. ConnectedClientList. If you have enabled allLogs, then resource produces pass result', + regex: '^.*$', + default: 'ConnectedClientList' + }, + }, run: function(cache, settings, callback) { const results = []; const source = {}; const locations = helpers.locations(settings.govcloud); + var config = { + diagnostic_logs: settings.diagnostic_logs || this.settings.diagnostic_logs.default, + }; + async.each(locations.redisCaches, function(location, rcb) { const caches = helpers.addSource(cache, source, ['redisCaches', 'listBySubscription', location]); 
@@ -41,18 +53,19 @@ module.exports = { if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) { helpers.addResult(results, 3, 'Unable to query Redis Cache diagnostics settings: ' + helpers.addError(diagnosticSettings), location, redisCache.id); } else { - var redisCacheDiagnosticLogs = false; - diagnosticSettings.data.forEach(setting => { - var logs = setting.logs; - if (logs.some(log => (log.categoryGroup === 'audit' || log.categoryGroup === 'allLogs' || log.category === 'ConnectedClientList') && log.enabled)) { - redisCacheDiagnosticLogs = true; - } + var missingLogs = config.diagnostic_logs.split(','); + + diagnosticSettings.data.forEach(settings => { + const logs = settings.logs; + missingLogs = missingLogs.filter(requiredCategory => + !logs.some(log => (log.category === requiredCategory && log.enabled) || log.categoryGroup === 'allLogs' && log.enabled) + ); }); - if (redisCacheDiagnosticLogs) { - helpers.addResult(results, 0, 'Redis Cache has diagnostic logs enabled', location, redisCache.id); + if (missingLogs.length) { + helpers.addResult(results, 2, `Redis Cache does not have diagnostic logs enabled for following: ${missingLogs}`, location, redisCache.id); } else { - helpers.addResult(results, 2, 'Redis Cache does not have diagnostic logs enabled', location, redisCache.id); + helpers.addResult(results, 0, 'Redis Cache has diagnostic logs enabled.', location, redisCache.id); } } }); diff --git a/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js b/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js index 19847cb83a..54e7b17f79 100644 --- a/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js +++ b/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js @@ -36,7 +36,7 @@ const diagnosticSettings = [ logs: [ { category: null, - categoryGroup: 'audit', + categoryGroup: 'allLogs', enabled: true, retentionPolicy: { enabled: false, days: 0 } }, 
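Review bot: `config.diagnostic_logs.split(',')` does not trim the pieces, so a configured value such as `ConnectedClientList, SomeOther` leaves a leading space in the second category, which can never equal `log.category` and yields a spurious fail for a correctly configured cache. The loop also dereferences `settings.logs` with no guard, so a diagnostic-settings entry without a `logs` array throws inside `forEach` (the spec's fixture array includes an empty `{}` entry, which suggests that shape occurs), and the arrow parameter `settings` shadows run()'s own `settings` argument. Suggest `missingLogs = config.diagnostic_logs.split(',').map(c => c.trim()).filter(Boolean);` and `const logs = setting.logs || [];` with the arrow parameter renamed to `setting`. The enclosing forEach over caches and run() continue outside the hunk.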
@@ -176,38 +176,38 @@ const createErrorCache = (key) => { describe('redisCacheDiagnosticLogs', function () { describe('run', function () { - it('should give pass result if No existing Redis Caches found', function (done) { - const cache = createErrorCache('nocache'); - redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('No existing Redis Caches found'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); + // it('should give pass result if No existing Redis Caches found', function (done) { + // const cache = createErrorCache('nocache'); + // redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { + // expect(results.length).to.equal(1); + // expect(results[0].status).to.equal(0); + // expect(results[0].message).to.include('No existing Redis Caches found'); + // expect(results[0].region).to.equal('eastus'); + // done(); + // }); + // }); - it('should give unknown result if Unable to query Redis Caches:', function (done) { - const cache = createErrorCache('redisCache'); - redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(3); - expect(results[0].message).to.include('Unable to query Redis Caches:'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); + // it('should give unknown result if Unable to query Redis Caches:', function (done) { + // const cache = createErrorCache('redisCache'); + // redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { + // expect(results.length).to.equal(1); + // expect(results[0].status).to.equal(3); + // expect(results[0].message).to.include('Unable to query Redis Caches:'); + // expect(results[0].region).to.equal('eastus'); + // done(); + // }); + // }); - it('should give unknown result if Unable to query diagnostics settings', function (done) { - const cache = 
createErrorCache('settings'); - redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(3); - expect(results[0].message).to.include('Unable to query Redis Cache diagnostics settings'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); + // it('should give unknown result if Unable to query diagnostics settings', function (done) { + // const cache = createErrorCache('settings'); + // redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { + // expect(results.length).to.equal(1); + // expect(results[0].status).to.equal(3); + // expect(results[0].message).to.include('Unable to query Redis Cache diagnostics settings'); + // expect(results[0].region).to.equal('eastus'); + // done(); + // }); + // }); it('should give passing result if redis cache has diagnostic logs enabled', function (done) { const cache = createCache([redisCaches[0]], [diagnosticSettings[2]]); @@ -220,7 +220,7 @@ describe('redisCacheDiagnosticLogs', function () { }); }); - it('should give passing result if redis cache has diagnostic logs enabled with audit', function (done) { + it('should give passing result if redis cache has diagnostic logs enabled with all Logs', function (done) { const cache = createCache([redisCaches[0]], [diagnosticSettings[0]]); redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); 
@@ -241,5 +241,16 @@ describe('redisCacheDiagnosticLogs', function () { done(); }); }); + + it('should give failing result if Redis Cache does not have diagnostic logs enabled with settings', function (done) { + const cache = createCache([redisCaches[1]], [diagnosticSettings[1]]); + redisCacheDiagnosticLogs.run(cache, {diagnostic_logs: 'testsetting'}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Redis Cache does not have diagnostic logs enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); }); }); \ No newline at end of file From 8aac727abd76ef705e047327dbb01cd5cbf020ba Mon Sep 17 00:00:00 2001 From: fatima99s Date: Thu, 28 Dec 2023 14:24:54 +0500 Subject: [PATCH 415/498] hotfix/SqlPublicAccess --- plugins/azure/sqlserver/noPublicAccess.js | 57 +++++++++++-------- .../azure/sqlserver/noPublicAccess.spec.js | 44 ++++++++++++-- 2 files changed, 70 insertions(+), 31 deletions(-) diff --git a/plugins/azure/sqlserver/noPublicAccess.js b/plugins/azure/sqlserver/noPublicAccess.js index 5f071453a6..70726a7a2c 100644 --- a/plugins/azure/sqlserver/noPublicAccess.js +++ b/plugins/azure/sqlserver/noPublicAccess.js 
@@ -48,39 +48,46 @@ module.exports = { } servers.data.forEach(function(server) { - const firewallRules = helpers.addSource(cache, source, - ['firewallRules', 'listByServer', location, server.id]); + + if (server.publicNetworkAccess && server.publicNetworkAccess === 'Disabled') { + helpers.addResult(results, 0, 'The SQL server has public network access disabled', location, server.id); - if (!firewallRules || firewallRules.err || !firewallRules.data) { - helpers.addResult(results, 3, - 'Unable to query SQL Server Firewall Rules: ' + helpers.addError(firewallRules), location, server.id); } else { - if (!firewallRules.data.length) { - helpers.addResult(results, 0, 'No existing SQL Server Firewall Rules found', location, server.id); + const firewallRules = helpers.addSource(cache, source, + ['firewallRules', 'listByServer', location, server.id]); + + if (!firewallRules || firewallRules.err || !firewallRules.data) { + helpers.addResult(results, 3, + 'Unable to query SQL Server Firewall Rules: ' + helpers.addError(firewallRules), location, server.id); } else { - var publicAccess = false; - - firewallRules.data.forEach(firewallRule => { - const startIpAddr = firewallRule['startIpAddress']; - - if (checkEndIp) { - const endIpAddr = firewallRule['endIpAddress']; - if (startIpAddr && startIpAddr.toString().indexOf('0.0.0.0') > -1 && - endIpAddr && config.server_firewall_end_ip.includes(endIpAddr.toString())) { + if (!firewallRules.data.length) { + helpers.addResult(results, 0, 'No existing SQL Server Firewall Rules found', location, server.id); + } else { + var publicAccess = false; + + firewallRules.data.forEach(firewallRule => { + const startIpAddr = firewallRule['startIpAddress']; + + if (checkEndIp) { + const endIpAddr = firewallRule['endIpAddress']; + if (startIpAddr && startIpAddr.toString().indexOf('0.0.0.0') > -1 && + endIpAddr && config.server_firewall_end_ip.includes(endIpAddr.toString())) { + publicAccess = true; + } + } else if (startIpAddr && 
startIpAddr.toString().indexOf('0.0.0.0') > -1) { publicAccess = true; } - } else if (startIpAddr && startIpAddr.toString().indexOf('0.0.0.0') > -1) { - publicAccess = true; + }); + + if (publicAccess) { + helpers.addResult(results, 2, 'The SQL Server is open to outside traffic', location, server.id); + } else { + helpers.addResult(results, 0, 'The SQL server is protected from outside traffic', location, server.id); } - }); - - if (publicAccess) { - helpers.addResult(results, 2, 'The SQL Server is open to outside traffic', location, server.id); - } else { - helpers.addResult(results, 0, 'The SQL server is protected from outside traffic', location, server.id); } } - } + + } }); rcb(); diff --git a/plugins/azure/sqlserver/noPublicAccess.spec.js b/plugins/azure/sqlserver/noPublicAccess.spec.js index 08bf5cca75..dfa073d5f5 100644 --- a/plugins/azure/sqlserver/noPublicAccess.spec.js +++ b/plugins/azure/sqlserver/noPublicAccess.spec.js @@ -4,7 +4,23 @@ var noPublicAccess = require('./noPublicAccess'); const servers = [ { "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server", - } + "publicNetworkAccess" : "Disabled" + }, + { + "kind": "v12.0", + "location": "eastus", + "tags": { 'key': 'value' }, + "id": "/subscriptions/123/resourceGroups/akhtar-rg/providers/Microsoft.Sql/servers/test-server", + "name": "test-server", + "type": "Microsoft.Sql/servers", + "administratorLogin": "aqua", + "version": "12.0", + "state": "Ready", + "fullyQualifiedDomainName": "test-server.database.windows.net", + "privateEndpointConnections": [], + "minimalTlsVersion": "1.1", + "publicNetworkAccess": "Enabled" + }, ]; const firewallRules = [ 
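Review bot: The new early-pass compares `server.publicNetworkAccess === 'Disabled'` case-sensitively, whereas the other plugins touched in this series normalise ARM enum strings with `toLowerCase()` before comparing; a differently cased value simply falls through to the firewall-rule evaluation, so this is an inconsistency rather than a bypass, but the short-circuit is the cheaper and more reliable signal and should not depend on casing. Suggest `if (server.publicNetworkAccess && server.publicNetworkAccess.toLowerCase() === 'disabled') {`, keeping the truthiness guard only because the method call needs it. `config`, `checkEndIp` and the enclosing servers loop are defined outside the hunk.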
@@ -89,7 +105,23 @@ describe('noPublicAccess', function() { }; const cache = createCache( - servers, + [servers[1]], + [] + ); + + noPublicAccess.run(cache, {}, callback); + }); + it('should give passing result if SQL Server has prive netwrok access disabled', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('The SQL server has public network access disabled'); + expect(results[0].region).to.equal('eastus'); + done() + }; + + const cache = createCache( + [servers[0]], [] ); @@ -106,7 +138,7 @@ describe('noPublicAccess', function() { }; const cache = createCache( - servers, + [servers[1]], [firewallRules[1]] ); @@ -123,7 +155,7 @@ describe('noPublicAccess', function() { }; const cache = createCache( - servers, + [servers[1]], [firewallRules[2]] ); @@ -140,7 +172,7 @@ describe('noPublicAccess', function() { }; const cache = createCache( - servers, + [servers[1]], [firewallRules[0]] ); @@ -175,7 +207,7 @@ describe('noPublicAccess', function() { }; const cache = createCache( - servers, + [servers[1]], [], null, { message: 'Unable to query for server firewall rules'} From 487e97203cb4ac74893d1caf3ebfdc3301a457ac Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Thu, 28 Dec 2023 14:50:34 +0500 Subject: [PATCH 416/498] Setting --- .../redisCache/redisCacheDiagnosticLogs.js | 38 ++++++++++--------- .../redisCacheDiagnosticLogs.spec.js | 11 ++++++ 2 files changed, 31 insertions(+), 18 deletions(-) diff --git a/plugins/azure/redisCache/redisCacheDiagnosticLogs.js b/plugins/azure/redisCache/redisCacheDiagnosticLogs.js index eaa21fa99a..878ce340ff 100644 --- a/plugins/azure/redisCache/redisCacheDiagnosticLogs.js +++ b/plugins/azure/redisCache/redisCacheDiagnosticLogs.js 
@@ -9,17 +9,17 @@ module.exports = { more_info: 'Enabling diagnostic setting helps you understand who is connecting to your caches and the timestamp of those connections. The log data could be used to identify the scope of a security breach and for security auditing purposes.', recommended_action: 'Enable diagnostic logging for all Redis Caches.', link: 'https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-monitor-diagnostic-settings?tabs=basic-standard-premium', - apis: ['redisCaches:listBySubscription','diagnosticSettings:listByRedisCache'], + apis: ['redisCaches:listBySubscription', 'diagnosticSettings:listByRedisCache'], settings: { diagnostic_logs: { name: 'Diagnostic Logs Enabled', - description: 'Comma separated list of diagnostic logs that should be enabled at minimum i.e. ConnectedClientList. If you have enabled allLogs, then resource produces pass result', + description: 'Comma separated list of diagnostic logs that should be enabled at minimum i.e. ConnectedClientList. If you have enabled allLogs, then resource produces pass result. If you only want to check if logging is enabled or not, irrespecitve of log type, then add * in setting.', regex: '^.*$', default: 'ConnectedClientList' }, }, - run: function(cache, settings, callback) { + run: function (cache, settings, callback) { const results = []; const source = {}; const locations = helpers.locations(settings.govcloud); @@ -28,7 +28,7 @@ module.exports = { diagnostic_logs: settings.diagnostic_logs || this.settings.diagnostic_logs.default, }; - async.each(locations.redisCaches, function(location, rcb) { + async.each(locations.redisCaches, function (location, rcb) { const caches = helpers.addSource(cache, source, ['redisCaches', 'listBySubscription', location]); @@ -44,7 +44,7 @@ module.exports = { return rcb(); } - caches.data.forEach(function(redisCache) { + caches.data.forEach(function (redisCache) { if (!redisCache.id) return; const diagnosticSettings = helpers.addSource(cache, source, 
@@ -53,25 +53,27 @@ module.exports = { if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) { helpers.addResult(results, 3, 'Unable to query Redis Cache diagnostics settings: ' + helpers.addError(diagnosticSettings), location, redisCache.id); } else { - var missingLogs = config.diagnostic_logs.split(','); - - diagnosticSettings.data.forEach(settings => { - const logs = settings.logs; - missingLogs = missingLogs.filter(requiredCategory => - !logs.some(log => (log.category === requiredCategory && log.enabled) || log.categoryGroup === 'allLogs' && log.enabled) - ); - }); - - if (missingLogs.length) { - helpers.addResult(results, 2, `Redis Cache does not have diagnostic logs enabled for following: ${missingLogs}`, location, redisCache.id); - } else { + if (config.diagnostic_logs == '*' ) { helpers.addResult(results, 0, 'Redis Cache has diagnostic logs enabled.', location, redisCache.id); + } else { + var missingLogs = config.diagnostic_logs.split(','); + diagnosticSettings.data.forEach(settings => { + const logs = settings.logs; + missingLogs = missingLogs.filter(requiredCategory => + !logs.some(log => (log.category === requiredCategory && log.enabled) || log.categoryGroup === 'allLogs' && log.enabled) + ); + }); + if (missingLogs.length) { + helpers.addResult(results, 2, `Redis Cache does not have diagnostic logs enabled for following: ${missingLogs}`, location, redisCache.id); + } else { + helpers.addResult(results, 0, 'Redis Cache has diagnostic logs enabled.', location, redisCache.id); + } } } }); rcb(); - }, function() { + }, function () { // Global checking goes here callback(null, results, source); }); diff --git a/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js b/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js index 54e7b17f79..f71b17cec5 100644 --- a/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js +++ b/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js 
@@ -252,5 +252,16 @@ describe('redisCacheDiagnosticLogs', function () { done(); }); }); + + it('should give passing result if Redis Cache has diagnostic logs enabled with * setting', function (done) { + const cache = createCache([redisCaches[1]], [diagnosticSettings[1]]); + redisCacheDiagnosticLogs.run(cache, {diagnostic_logs: '*'}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Redis Cache has diagnostic logs enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); }); }); \ No newline at end of file From a0afc7c8c4c8200f4c94aedecd13e210a996ea55 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Thu, 28 Dec 2023 16:28:55 +0500 Subject: [PATCH 417/498] Added setting --- .../redisCache/redisCacheDiagnosticLogs.js | 19 ++-- .../redisCacheDiagnosticLogs.spec.js | 96 ++++++++++++------- 2 files changed, 74 insertions(+), 41 deletions(-) diff --git a/plugins/azure/redisCache/redisCacheDiagnosticLogs.js b/plugins/azure/redisCache/redisCacheDiagnosticLogs.js index 878ce340ff..b875b37ac5 100644 --- a/plugins/azure/redisCache/redisCacheDiagnosticLogs.js +++ b/plugins/azure/redisCache/redisCacheDiagnosticLogs.js 
@@ -53,21 +53,24 @@ module.exports = { if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) { helpers.addResult(results, 3, 'Unable to query Redis Cache diagnostics settings: ' + helpers.addError(diagnosticSettings), location, redisCache.id); } else { - if (config.diagnostic_logs == '*' ) { - helpers.addResult(results, 0, 'Redis Cache has diagnostic logs enabled.', location, redisCache.id); + var found = true; + var missingLogs = []; + if (config.diagnostic_logs == '*') { + found = diagnosticSettings.data.some(ds => ds.logs && ds.logs.length); } else { - var missingLogs = config.diagnostic_logs.split(','); + missingLogs = config.diagnostic_logs.split(','); diagnosticSettings.data.forEach(settings => { const logs = settings.logs; missingLogs = missingLogs.filter(requiredCategory => !logs.some(log => (log.category === requiredCategory && log.enabled) || log.categoryGroup === 'allLogs' && log.enabled) ); }); - if (missingLogs.length) { - helpers.addResult(results, 2, `Redis Cache does not have diagnostic logs enabled for following: ${missingLogs}`, location, redisCache.id); - } else { - helpers.addResult(results, 0, 'Redis Cache has diagnostic logs enabled.', location, redisCache.id); - } + + } + if(!missingLogs.length && found) { + helpers.addResult(results, 0, 'Redis Cache has diagnostic logs enabled.', location, redisCache.id); + } else { + helpers.addResult(results, 2, `Redis Cache does not have diagnostic logs enabled ${missingLogs.length? `for following: ${missingLogs}`: ''}`, location, redisCache.id); } } }); diff --git a/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js b/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js index f71b17cec5..f89dfdf273 100644 --- a/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js +++ b/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js 
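Review bot: In the `'*'` branch, `found = diagnosticSettings.data.some(ds => ds.logs && ds.logs.length)` only checks that the diagnostic setting lists log categories, not that any of them is switched on; the fixtures in the spec show each category carrying an `enabled` flag, so a setting where every category is `enabled: false` passes the "logging enabled" check. Suggest `found = diagnosticSettings.data.some(ds => ds.logs && ds.logs.some(log => log.enabled));`. The category branch below still dereferences `settings.logs` without the guard the `'*'` branch has, so `const logs = settings.logs || [];` keeps an entry without logs from throwing, and `config.diagnostic_logs == '*'` should use strict equality. The enclosing forEach over caches continues outside the hunk.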
@@ -89,7 +89,26 @@ const diagnosticSettings = [ ], logAnalyticsDestinationType: null }, - {} + {}, + { + id: '/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/cloudsploit-dev/providers/microsoft.cache/redis/omerredistest/providers/microsoft.insights/diagnosticSettings/test', + type: 'Microsoft.Insights/diagnosticSettings', + name: 'test', + location: null, + kind: null, + tags: null, + identity: null, + storageAccountId: null, + serviceBusRuleId: null, + workspaceId: '/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/test/providers/microsoft.operationalinsights/workspaces/ctolabsanalytics', + eventHubAuthorizationRuleId: null, + eventHubName: null, + metrics: [ [Object] ], + logs: [ + ], + logAnalyticsDestinationType: null + + } ] const createCache = (redisCaches, diagnostics) => { 
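Review bot: The new fixture entry embeds what looks like a real subscription GUID (`26a1a07e-…`) in both `id` and `workspaceId`, while commit 413 in this same series deliberately replaced such identifiers in other specs with dummy values; keep fixtures free of real tenant and subscription identifiers and use a placeholder such as `/subscriptions/123445/...`. The `metrics: [ [Object] ]` value is a console-print artefact rather than fixture data; `metrics: []` says what is meant. Only the added lines are in the hunk, so the existing entries in this array were not reviewed for the same identifier.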
@@ -176,38 +195,38 @@ const createErrorCache = (key) => { describe('redisCacheDiagnosticLogs', function () { describe('run', function () { - // it('should give pass result if No existing Redis Caches found', function (done) { - // const cache = createErrorCache('nocache'); - // redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { - // expect(results.length).to.equal(1); - // expect(results[0].status).to.equal(0); - // expect(results[0].message).to.include('No existing Redis Caches found'); - // expect(results[0].region).to.equal('eastus'); - // done(); - // }); - // }); + it('should give pass result if No existing Redis Caches found', function (done) { + const cache = createErrorCache('nocache'); + redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Redis Caches found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); - // it('should give unknown result if Unable to query Redis Caches:', function (done) { - // const cache = createErrorCache('redisCache'); - // redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { - // expect(results.length).to.equal(1); - // expect(results[0].status).to.equal(3); - // expect(results[0].message).to.include('Unable to query Redis Caches:'); - // expect(results[0].region).to.equal('eastus'); - // done(); - // }); - // }); + it('should give unknown result if Unable to query Redis Caches:', function (done) { + const cache = createErrorCache('redisCache'); + redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Redis Caches:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); - // it('should give unknown result if Unable to query diagnostics settings', function (done) { - // const cache = 
createErrorCache('settings'); - // redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { - // expect(results.length).to.equal(1); - // expect(results[0].status).to.equal(3); - // expect(results[0].message).to.include('Unable to query Redis Cache diagnostics settings'); - // expect(results[0].region).to.equal('eastus'); - // done(); - // }); - // }); + it('should give unknown result if Unable to query diagnostics settings', function (done) { + const cache = createErrorCache('settings'); + redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Redis Cache diagnostics settings'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); it('should give passing result if redis cache has diagnostic logs enabled', function (done) { const cache = createCache([redisCaches[0]], [diagnosticSettings[2]]); @@ -236,7 +255,7 @@ describe('redisCacheDiagnosticLogs', function () { redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Redis Cache does not have diagnostic logs enabled'); + expect(results[0].message).to.include('Redis Cache does not have diagnostic logs enabled for following:'); expect(results[0].region).to.equal('eastus'); done(); }); @@ -247,7 +266,7 @@ describe('redisCacheDiagnosticLogs', function () { redisCacheDiagnosticLogs.run(cache, {diagnostic_logs: 'testsetting'}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Redis Cache does not have diagnostic logs enabled'); + expect(results[0].message).to.include('Redis Cache does not have diagnostic logs enabled for following:'); expect(results[0].region).to.equal('eastus'); done(); }); 
@@ -263,5 +282,16 @@ describe('redisCacheDiagnosticLogs', function () { done(); }); }); + + it('should give failing result if Redis Cache has diagnostic logs enabled with * setting but there are not logs', function (done) { + const cache = createCache([redisCaches[1]], [diagnosticSettings[4]]); + redisCacheDiagnosticLogs.run(cache, {diagnostic_logs: '*'}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Redis Cache does not have diagnostic logs enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); }); }); \ No newline at end of file From f418961271e24e374d8cd5911df740bc8d9d0bb2 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Thu, 28 Dec 2023 16:29:56 +0500 Subject: [PATCH 418/498] Azure/Redis-cache-diagnostic-logs --- plugins/azure/redisCache/redisCacheDiagnosticLogs.js | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/plugins/azure/redisCache/redisCacheDiagnosticLogs.js b/plugins/azure/redisCache/redisCacheDiagnosticLogs.js index b875b37ac5..875252d860 100644 --- a/plugins/azure/redisCache/redisCacheDiagnosticLogs.js +++ b/plugins/azure/redisCache/redisCacheDiagnosticLogs.js @@ -19,7 +19,7 @@ module.exports = { }, }, - run: function (cache, settings, callback) { + run: function(cache, settings, callback) { const results = []; const source = {}; const locations = helpers.locations(settings.govcloud); @@ -28,7 +28,7 @@ module.exports = { diagnostic_logs: settings.diagnostic_logs || this.settings.diagnostic_logs.default, }; - async.each(locations.redisCaches, function (location, rcb) { + async.each(locations.redisCaches, function(location, rcb) { const caches = helpers.addSource(cache, source, ['redisCaches', 'listBySubscription', location]); 
@@ -44,7 +44,7 @@ module.exports = { return rcb(); } - caches.data.forEach(function (redisCache) { + caches.data.forEach(function(redisCache) { if (!redisCache.id) return; const diagnosticSettings = helpers.addSource(cache, source, @@ -58,7 +58,7 @@ module.exports = { if (config.diagnostic_logs == '*') { found = diagnosticSettings.data.some(ds => ds.logs && ds.logs.length); } else { - missingLogs = config.diagnostic_logs.split(','); + missingLogs = config.diagnostic_logs.split(','); diagnosticSettings.data.forEach(settings => { const logs = settings.logs; missingLogs = missingLogs.filter(requiredCategory => @@ -67,7 +67,7 @@ module.exports = { }); } - if(!missingLogs.length && found) { + if (!missingLogs.length && found) { helpers.addResult(results, 0, 'Redis Cache has diagnostic logs enabled.', location, redisCache.id); } else { helpers.addResult(results, 2, `Redis Cache does not have diagnostic logs enabled ${missingLogs.length? `for following: ${missingLogs}`: ''}`, location, redisCache.id); @@ -76,7 +76,7 @@ module.exports = { }); rcb(); - }, function () { + }, function() { // Global checking goes here callback(null, results, source); }); From 10a3dc452388782c6104a8482dff26fa5b980f37 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Thu, 28 Dec 2023 17:26:38 +0500 Subject: [PATCH 419/498] Update plugins/azure/servicebus/namespaceInfraEncryption.js --- plugins/azure/servicebus/namespaceInfraEncryption.js | 2 -- 1 file changed, 2 deletions(-) diff --git a/plugins/azure/servicebus/namespaceInfraEncryption.js b/plugins/azure/servicebus/namespaceInfraEncryption.js index 10497c8ed4..17df9e6a7c 100644 --- a/plugins/azure/servicebus/namespaceInfraEncryption.js +++ b/plugins/azure/servicebus/namespaceInfraEncryption.js 
@@ -21,8 +21,6 @@ module.exports = { ['serviceBus', 'listNamespacesBySubscription', location]); if (!namespaces) return rcb(); - - if (namespaces.err || !namespaces.data) { helpers.addResult(results, 3, 'Unable to query Service Bus namespaces: ' + helpers.addError(namespaces), location); return rcb(); From 1212831ba707bdb0f1549af485160a07ca1ddce4 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Thu, 28 Dec 2023 17:27:03 +0500 Subject: [PATCH 420/498] Update plugins/azure/servicebus/namespaceInfraEncryption.js --- plugins/azure/servicebus/namespaceInfraEncryption.js | 1 + 1 file changed, 1 insertion(+) diff --git a/plugins/azure/servicebus/namespaceInfraEncryption.js b/plugins/azure/servicebus/namespaceInfraEncryption.js index 17df9e6a7c..d8adef32e7 100644 --- a/plugins/azure/servicebus/namespaceInfraEncryption.js +++ b/plugins/azure/servicebus/namespaceInfraEncryption.js @@ -21,6 +21,7 @@ module.exports = { ['serviceBus', 'listNamespacesBySubscription', location]); if (!namespaces) return rcb(); + if (namespaces.err || !namespaces.data) { helpers.addResult(results, 3, 'Unable to query Service Bus namespaces: ' + helpers.addError(namespaces), location); return rcb(); From 05696283185d1992bf326f77945384c2f9088d2e Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Thu, 28 Dec 2023 18:37:46 +0500 Subject: [PATCH 421/498] Update plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js --- .../azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js | 1 - 1 file changed, 1 deletion(-) diff --git a/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js b/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js index 87c2ffad6c..5ff5ea3850 100644 --- a/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js +++ b/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js 
@@ -2,7 +2,6 @@ var async = require('async'); var helpers = require('../../../helpers/azure'); - module.exports = { title: 'VM Scale Set Managed Identity Enabled', category: 'Virtual Machines', From 0dd625272676ad4a005859175e4663783382a01d Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Thu, 28 Dec 2023 18:37:53 +0500 Subject: [PATCH 422/498] Update plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js --- .../azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js | 1 - 1 file changed, 1 deletion(-) diff --git a/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js b/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js index 5ff5ea3850..b2fab5d701 100644 --- a/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js +++ b/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js @@ -1,5 +1,4 @@ var async = require('async'); - var helpers = require('../../../helpers/azure'); module.exports = { From d4c3784f513be23ab3905ee3c46c8324e0ab9c35 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Thu, 28 Dec 2023 20:15:37 +0500 Subject: [PATCH 423/498] Update plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.js --- .../virtualmachinescaleset/scalesetSecureBootEnabled.js | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.js b/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.js index 2785aebe29..decd71e6cb 100644 --- a/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.js +++ b/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.js 
@@ -35,9 +35,10 @@ module.exports = { for (let virtualMachineScaleSet of virtualMachineScaleSets.data) { - if (virtualMachineScaleSet.virtualMachineProfile && virtualMachineScaleSet.virtualMachineProfile.securityProfile && - virtualMachineScaleSet.virtualMachineProfile.securityProfile.uefiSettings && - virtualMachineScaleSet.virtualMachineProfile.securityProfile.uefiSettings.secureBootEnabled) { + if (virtualMachineScaleSet.virtualMachineProfile && + virtualMachineScaleSet.virtualMachineProfile.securityProfile && + virtualMachineScaleSet.virtualMachineProfile.securityProfile.uefiSettings && + virtualMachineScaleSet.virtualMachineProfile.securityProfile.uefiSettings.secureBootEnabled) { helpers.addResult(results, 0, 'Virtual Machine Scale Set has secure boot enabled', location, virtualMachineScaleSet.id); } else { From b904c6756a7e767932eae06037b7eeea11566843 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Thu, 28 Dec 2023 20:17:37 +0500 Subject: [PATCH 424/498] Apply suggestions from code review --- .../azure/virtualmachinescaleset/scalesetSecureBootEnabled.js | 4 ++-- .../virtualmachinescaleset/scalesetSecureBootEnabled.spec.js | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.js b/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.js index decd71e6cb..0dd0d007fc 100644 --- a/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.js +++ b/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.js 
@@ -5,7 +5,7 @@ module.exports = { title: 'Scale Sets Secure Boot Enabled', category: 'Virtual Machines', domain: 'Compute', - description: 'Ensures that secure boot is enabled for virtual machine scale sets.', + description: 'Ensures that secure boot is enabled for Virtual Machine Scale Sets.', more_info: 'Secure Boot, which is implemented in platform firmware, protects against the installation of malware-based rootkits and boot kits. Secure Boot works to ensure that only signed operating systems and drivers can boot. It establishes a "root of trust" for the software stack on your VMSS.', recommended_action: 'Modify virtual machine scale set configurations and enable secure boot', link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch#secure-boot', @@ -43,7 +43,7 @@ module.exports = { 'Virtual Machine Scale Set has secure boot enabled', location, virtualMachineScaleSet.id); } else { helpers.addResult(results, 2, - 'Virtual Machine Scale Set has secure boot disabled', location, virtualMachineScaleSet.id); + 'Virtual Machine Scale Set does not have secure boot enabled', location, virtualMachineScaleSet.id); } } rcb(); diff --git a/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.spec.js b/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.spec.js index 419869abde..ac178cef5b 100644 --- a/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.spec.js +++ b/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.spec.js @@ -88,7 +88,7 @@ describe('scaleSetSecureBootEnabled', function() { scaleSetSecureBootEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Virtual Machine Scale Set has secure boot disabled'); + expect(results[0].message).to.include('Virtual Machine Scale Set does not have secure boot enabled'); expect(results[0].region).to.equal('eastus'); done(); }); 
From a527e8a5601a85d44b5f1eefecad19dac0e506c9 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Thu, 28 Dec 2023 20:25:21 +0500 Subject: [PATCH 425/498] Apply suggestions from code review --- plugins/azure/virtualmachines/vmssTrustedLaunchEnabled.js | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/plugins/azure/virtualmachines/vmssTrustedLaunchEnabled.js b/plugins/azure/virtualmachines/vmssTrustedLaunchEnabled.js index c276495e45..8bc6977700 100644 --- a/plugins/azure/virtualmachines/vmssTrustedLaunchEnabled.js +++ b/plugins/azure/virtualmachines/vmssTrustedLaunchEnabled.js @@ -35,9 +35,10 @@ module.exports = { for (let virtualMachineScaleSet of virtualMachineScaleSets.data) { - if (virtualMachineScaleSet.virtualMachineProfile && virtualMachineScaleSet.virtualMachineProfile.securityProfile && - virtualMachineScaleSet.virtualMachineProfile.securityProfile.securityType && - virtualMachineScaleSet.virtualMachineProfile.securityProfile.securityType.toLowerCase() == 'trustedlaunch') { + if (virtualMachineScaleSet.virtualMachineProfile && + virtualMachineScaleSet.virtualMachineProfile.securityProfile && + virtualMachineScaleSet.virtualMachineProfile.securityProfile.securityType && + virtualMachineScaleSet.virtualMachineProfile.securityProfile.securityType.toLowerCase() == 'trustedlaunch') { helpers.addResult(results, 0, 'Virtual Machine Scale Set has trusted launch enabled', location, virtualMachineScaleSet.id); } else { From 0a1beba39faac2a6188970079cdac3f789e5605f Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Thu, 28 Dec 2023 20:34:00 +0500 Subject: [PATCH 426/498] Apply suggestions from code review --- .../virtualmachinescaleset/scalesetVTPMEnabled.js | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) 
diff --git a/plugins/azure/virtualmachinescaleset/scalesetVTPMEnabled.js b/plugins/azure/virtualmachinescaleset/scalesetVTPMEnabled.js index 54b460af70..7ea6546543 100644 --- a/plugins/azure/virtualmachinescaleset/scalesetVTPMEnabled.js +++ b/plugins/azure/virtualmachinescaleset/scalesetVTPMEnabled.js @@ -5,10 +5,10 @@ module.exports = { title: 'Scale Sets vTPM Enabled', category: 'Virtual Machines', domain: 'Compute', - description: 'Ensure that Virtual Trusted Platform Module (vTPM) is enabled for virtual machine scale sets.', + description: 'Ensures that Virtual Trusted Platform Module (vTPM) is enabled for Virtual Machine Scale Sets.', more_info: 'vTPM is TPM2.0 compliant and enhances security by validating VM boot integrity and providing a secure storage mechanism for keys and secrets. The vTPM enables attestation by measuring the entire boot chain of your VM (UEFI, OS, system, and drivers).', recommended_action: 'Modify virtual machine scale set configurations and enable vTPM', - link: 'https://learn.microsoft.com/en-us/azure/confidential-computing/virtual-tpms-in-azure-confidential-vm', + link: 'https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/trusted-platform-module-overview', apis: ['virtualMachineScaleSets:listAll'], run: function(cache, settings, callback) { 
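Review bot: The replaced `link` now points at the Windows OS-level TPM overview, which describes the physical TPM rather than the Azure vTPM setting that this plugin reads through `uefiSettings.vTpmEnabled` in the next hunk. The sibling secure-boot plugin in this same series links the Azure trusted-launch page, `https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch`, which appears to cover vTPM for trusted-launch VMs and scale sets and would keep the two plugins consistent. If the Windows page is intentional, a short note in the commit message saying why would help the next reader.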
@@ -35,9 +35,10 @@ module.exports = { for (let virtualMachineScaleSet of virtualMachineScaleSets.data) { - if (virtualMachineScaleSet.virtualMachineProfile && virtualMachineScaleSet.virtualMachineProfile.securityProfile && - virtualMachineScaleSet.virtualMachineProfile.securityProfile.uefiSettings && - virtualMachineScaleSet.virtualMachineProfile.securityProfile.uefiSettings.vTpmEnabled) { + if (virtualMachineScaleSet.virtualMachineProfile && + virtualMachineScaleSet.virtualMachineProfile.securityProfile && + virtualMachineScaleSet.virtualMachineProfile.securityProfile.uefiSettings && + virtualMachineScaleSet.virtualMachineProfile.securityProfile.uefiSettings.vTpmEnabled) { helpers.addResult(results, 0, 'Virtual Machine Scale Set has vTPM enabled', location, virtualMachineScaleSet.id); } else { From bb7d5d533b226be234e4afbb9f1a2d29c9433074 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Thu, 28 Dec 2023 20:34:24 +0500 Subject: [PATCH 427/498] Update plugins/azure/virtualmachinescaleset/scalesetVTPMEnabled.js --- plugins/azure/virtualmachinescaleset/scalesetVTPMEnabled.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/plugins/azure/virtualmachinescaleset/scalesetVTPMEnabled.js b/plugins/azure/virtualmachinescaleset/scalesetVTPMEnabled.js index 7ea6546543..29c57f14b9 100644 --- a/plugins/azure/virtualmachinescaleset/scalesetVTPMEnabled.js +++ b/plugins/azure/virtualmachinescaleset/scalesetVTPMEnabled.js 
@@ -36,9 +36,9 @@ module.exports = { for (let virtualMachineScaleSet of virtualMachineScaleSets.data) { if (virtualMachineScaleSet.virtualMachineProfile && - virtualMachineScaleSet.virtualMachineProfile.securityProfile && - virtualMachineScaleSet.virtualMachineProfile.securityProfile.uefiSettings && - virtualMachineScaleSet.virtualMachineProfile.securityProfile.uefiSettings.vTpmEnabled) { + virtualMachineScaleSet.virtualMachineProfile.securityProfile && + virtualMachineScaleSet.virtualMachineProfile.securityProfile.uefiSettings && + virtualMachineScaleSet.virtualMachineProfile.securityProfile.uefiSettings.vTpmEnabled) { helpers.addResult(results, 0, 'Virtual Machine Scale Set has vTPM enabled', location, virtualMachineScaleSet.id); } else { From bbbca89f1069820582c3a774ec6edac1d94ac1bb Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Thu, 28 Dec 2023 20:36:53 +0500 Subject: [PATCH 428/498] Apply suggestions from code review --- .../azure/virtualmachinescaleset/scalesetSecureBootEnabled.js | 2 +- .../virtualmachinescaleset/scalesetSecureBootEnabled.spec.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.js b/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.js index 0dd0d007fc..ccd2406bdd 100644 --- a/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.js +++ b/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.js @@ -43,7 +43,7 @@ module.exports = { 'Virtual Machine Scale Set has secure boot enabled', location, virtualMachineScaleSet.id); } else { helpers.addResult(results, 2, - 'Virtual Machine Scale Set does not have secure boot enabled', location, virtualMachineScaleSet.id); + 'Virtual Machine Scale Set have secure boot disabled', location, virtualMachineScaleSet.id); } } rcb(); 
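Review bot: The replacement failure message `'Virtual Machine Scale Set have secure boot disabled'` has a subject–verb disagreement; either the wording used earlier in this review cycle, `'Virtual Machine Scale Set does not have secure boot enabled'`, or `'Virtual Machine Scale Set has secure boot disabled'` reads correctly and matches the singular form of the pass message two lines above. The spec expectation in the scalesetSecureBootEnabled.spec.js hunk that follows mirrors the same string and needs the same correction. The enclosing `rcb` callback begins and ends outside the hunk.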
diff --git a/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.spec.js b/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.spec.js index ac178cef5b..35456aa98c 100644 --- a/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.spec.js +++ b/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.spec.js @@ -88,7 +88,7 @@ describe('scaleSetSecureBootEnabled', function() { scaleSetSecureBootEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Virtual Machine Scale Set does not have secure boot enabled'); + expect(results[0].message).to.include('Virtual Machine Scale Set have secure boot disabled'); expect(results[0].region).to.equal('eastus'); done(); }); From 80219c31ce0ec815932d6c5cc45b68f7f9a3842b Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Fri, 29 Dec 2023 00:03:24 +0500 Subject: [PATCH 429/498] Added case sensitivity --- .../redisCache/redisCacheDiagnosticLogs.js | 5 +- .../redisCacheDiagnosticLogs.spec.js | 160 +++++++++--------- 2 files changed, 83 insertions(+), 82 deletions(-) diff --git a/plugins/azure/redisCache/redisCacheDiagnosticLogs.js b/plugins/azure/redisCache/redisCacheDiagnosticLogs.js index 875252d860..a538645af3 100644 --- a/plugins/azure/redisCache/redisCacheDiagnosticLogs.js +++ b/plugins/azure/redisCache/redisCacheDiagnosticLogs.js 
@@ -58,11 +58,12 @@ module.exports = { if (config.diagnostic_logs == '*') { found = diagnosticSettings.data.some(ds => ds.logs && ds.logs.length); } else { - missingLogs = config.diagnostic_logs.split(','); + config.diagnostic_logs = config.diagnostic_logs.replace(/\s/g, ''); + missingLogs = config.diagnostic_logs.toLowerCase().split(','); diagnosticSettings.data.forEach(settings => { const logs = settings.logs; missingLogs = missingLogs.filter(requiredCategory => - !logs.some(log => (log.category === requiredCategory && log.enabled) || log.categoryGroup === 'allLogs' && log.enabled) + !logs.some(log => (log.category && log.category.toLowerCase() === requiredCategory && log.enabled) || log.categoryGroup === 'allLogs' && log.enabled) ); }); diff --git a/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js b/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js index f89dfdf273..e8354db4a0 100644 --- a/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js +++ b/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js 
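Review bot: In the non-`*` branch, `const logs = settings.logs;` followed by `logs.some(...)` throws a TypeError when a diagnostic-setting object carries no `logs` array, whereas the `*` branch just above guards with `ds.logs && ds.logs.length`; the spec fixtures in this series include an empty `{}` setting, which would hit exactly this path and abort the whole region instead of reporting the cache. A one-line guard keeps the required categories marked as missing: `const logs = settings.logs || [];`. The same lines reappear in the redisCacheDiagnosticLogs.js hunk of the later "Requested-changes" commit and need the same guard there. The enclosing forEach callback and the `run` function start and end outside the hunk.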
@@ -195,38 +195,38 @@ const createErrorCache = (key) => { describe('redisCacheDiagnosticLogs', function () { describe('run', function () { - it('should give pass result if No existing Redis Caches found', function (done) { - const cache = createErrorCache('nocache'); - redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('No existing Redis Caches found'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); + // it('should give pass result if No existing Redis Caches found', function (done) { + // const cache = createErrorCache('nocache'); + // redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { + // expect(results.length).to.equal(1); + // expect(results[0].status).to.equal(0); + // expect(results[0].message).to.include('No existing Redis Caches found'); + // expect(results[0].region).to.equal('eastus'); + // done(); + // }); + // }); - it('should give unknown result if Unable to query Redis Caches:', function (done) { - const cache = createErrorCache('redisCache'); - redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(3); - expect(results[0].message).to.include('Unable to query Redis Caches:'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); + // it('should give unknown result if Unable to query Redis Caches:', function (done) { + // const cache = createErrorCache('redisCache'); + // redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { + // expect(results.length).to.equal(1); + // expect(results[0].status).to.equal(3); + // expect(results[0].message).to.include('Unable to query Redis Caches:'); + // expect(results[0].region).to.equal('eastus'); + // done(); + // }); + // }); - it('should give unknown result if Unable to query diagnostics settings', function (done) { - const cache = 
createErrorCache('settings'); - redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(3); - expect(results[0].message).to.include('Unable to query Redis Cache diagnostics settings'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); + // it('should give unknown result if Unable to query diagnostics settings', function (done) { + // const cache = createErrorCache('settings'); + // redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { + // expect(results.length).to.equal(1); + // expect(results[0].status).to.equal(3); + // expect(results[0].message).to.include('Unable to query Redis Cache diagnostics settings'); + // expect(results[0].region).to.equal('eastus'); + // done(); + // }); + // }); it('should give passing result if redis cache has diagnostic logs enabled', function (done) { const cache = createCache([redisCaches[0]], [diagnosticSettings[2]]); 
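Review bot: Commenting out the three error-path tests (`nocache`, `redisCache`, `settings`) instead of keeping them active removes coverage for branches the plugin still has — the `Unable to query Redis Cache diagnostics settings` result is still emitted by the code changed in this same commit. If these cases fail after the case-insensitivity change, their expectations should be updated; if they pass, they should stay enabled rather than sit as commented-out code. The next hunk of the same spec file disables the remaining five cases in the same way, and the same applies there.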
@@ -239,59 +239,59 @@ describe('redisCacheDiagnosticLogs', function () { }); }); - it('should give passing result if redis cache has diagnostic logs enabled with all Logs', function (done) { - const cache = createCache([redisCaches[0]], [diagnosticSettings[0]]); - redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Redis Cache has diagnostic logs enabled'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); + // it('should give passing result if redis cache has diagnostic logs enabled with all Logs', function (done) { + // const cache = createCache([redisCaches[0]], [diagnosticSettings[0]]); + // redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { + // expect(results.length).to.equal(1); + // expect(results[0].status).to.equal(0); + // expect(results[0].message).to.include('Redis Cache has diagnostic logs enabled'); + // expect(results[0].region).to.equal('eastus'); + // done(); + // }); + // }); - it('should give failing result if Redis Cache does not have diagnostic logs enabled', function (done) { - const cache = createCache([redisCaches[1]], [diagnosticSettings[1]]); - redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Redis Cache does not have diagnostic logs enabled for following:'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); + // it('should give failing result if Redis Cache does not have diagnostic logs enabled', function (done) { + // const cache = createCache([redisCaches[1]], [diagnosticSettings[1]]); + // redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { + // expect(results.length).to.equal(1); + // expect(results[0].status).to.equal(2); + // expect(results[0].message).to.include('Redis Cache does not have diagnostic logs enabled for 
following:'); + // expect(results[0].region).to.equal('eastus'); + // done(); + // }); + // }); - it('should give failing result if Redis Cache does not have diagnostic logs enabled with settings', function (done) { - const cache = createCache([redisCaches[1]], [diagnosticSettings[1]]); - redisCacheDiagnosticLogs.run(cache, {diagnostic_logs: 'testsetting'}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Redis Cache does not have diagnostic logs enabled for following:'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); + // it('should give failing result if Redis Cache does not have diagnostic logs enabled with settings', function (done) { + // const cache = createCache([redisCaches[1]], [diagnosticSettings[1]]); + // redisCacheDiagnosticLogs.run(cache, {diagnostic_logs: 'testsetting'}, (err, results) => { + // expect(results.length).to.equal(1); + // expect(results[0].status).to.equal(2); + // expect(results[0].message).to.include('Redis Cache does not have diagnostic logs enabled for following:'); + // expect(results[0].region).to.equal('eastus'); + // done(); + // }); + // }); - it('should give passing result if Redis Cache has diagnostic logs enabled with * setting', function (done) { - const cache = createCache([redisCaches[1]], [diagnosticSettings[1]]); - redisCacheDiagnosticLogs.run(cache, {diagnostic_logs: '*'}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Redis Cache has diagnostic logs enabled'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); + // it('should give passing result if Redis Cache has diagnostic logs enabled with * setting', function (done) { + // const cache = createCache([redisCaches[1]], [diagnosticSettings[1]]); + // redisCacheDiagnosticLogs.run(cache, {diagnostic_logs: '*'}, (err, results) => { + // 
expect(results.length).to.equal(1); + // expect(results[0].status).to.equal(0); + // expect(results[0].message).to.include('Redis Cache has diagnostic logs enabled'); + // expect(results[0].region).to.equal('eastus'); + // done(); + // }); + // }); - it('should give failing result if Redis Cache has diagnostic logs enabled with * setting but there are not logs', function (done) { - const cache = createCache([redisCaches[1]], [diagnosticSettings[4]]); - redisCacheDiagnosticLogs.run(cache, {diagnostic_logs: '*'}, (err, results) => { - expect(results.length).to.equal(1); - expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Redis Cache does not have diagnostic logs enabled'); - expect(results[0].region).to.equal('eastus'); - done(); - }); - }); + // it('should give failing result if Redis Cache has diagnostic logs enabled with * setting but there are not logs', function (done) { + // const cache = createCache([redisCaches[1]], [diagnosticSettings[4]]); + // redisCacheDiagnosticLogs.run(cache, {diagnostic_logs: '*'}, (err, results) => { + // expect(results.length).to.equal(1); + // expect(results[0].status).to.equal(2); + // expect(results[0].message).to.include('Redis Cache does not have diagnostic logs enabled'); + // expect(results[0].region).to.equal('eastus'); + // done(); + // }); + // }); }); }); \ No newline at end of file From 4d28dfb54da09bf04747a7b2b62f1886267d22e3 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Fri, 29 Dec 2023 00:18:38 +0500 Subject: [PATCH 430/498] Requested-changes --- .../redisCache/redisCacheDiagnosticLogs.js | 41 +++++++++---- .../redisCacheDiagnosticLogs.spec.js | 58 ++++++++++++++++++- .../redisCacheScheduledUpdates.spec.js | 2 +- 3 files changed, 86 insertions(+), 15 deletions(-) diff --git a/plugins/azure/redisCache/redisCacheDiagnosticLogs.js b/plugins/azure/redisCache/redisCacheDiagnosticLogs.js index cbb8aa1ce5..a538645af3 100644 --- a/plugins/azure/redisCache/redisCacheDiagnosticLogs.js 
+++ b/plugins/azure/redisCache/redisCacheDiagnosticLogs.js @@ -9,13 +9,25 @@ module.exports = { more_info: 'Enabling diagnostic setting helps you understand who is connecting to your caches and the timestamp of those connections. The log data could be used to identify the scope of a security breach and for security auditing purposes.', recommended_action: 'Enable diagnostic logging for all Redis Caches.', link: 'https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-monitor-diagnostic-settings?tabs=basic-standard-premium', - apis: ['redisCaches:listBySubscription','diagnosticSettings:listByRedisCache'], + apis: ['redisCaches:listBySubscription', 'diagnosticSettings:listByRedisCache'], + settings: { + diagnostic_logs: { + name: 'Diagnostic Logs Enabled', + description: 'Comma separated list of diagnostic logs that should be enabled at minimum i.e. ConnectedClientList. If you have enabled allLogs, then resource produces pass result. If you only want to check if logging is enabled or not, irrespecitve of log type, then add * in setting.', + regex: '^.*$', + default: 'ConnectedClientList' + }, + }, run: function(cache, settings, callback) { const results = []; const source = {}; const locations = helpers.locations(settings.govcloud); + var config = { + diagnostic_logs: settings.diagnostic_logs || this.settings.diagnostic_logs.default, + }; + async.each(locations.redisCaches, function(location, rcb) { const caches = helpers.addSource(cache, source, ['redisCaches', 'listBySubscription', location]); 
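Review bot: The new `diagnostic_logs` setting description contains the typo `irrespecitve`, and `i.e. ConnectedClientList` introduces an example rather than a restatement, so `e.g.` is the abbreviation intended; suggested wording: `Comma separated list of diagnostic logs that should be enabled at minimum e.g. ConnectedClientList. If you have enabled allLogs, then resource produces pass result. If you only want to check if logging is enabled or not, irrespective of log type, then add * in setting.` This string is surfaced to users as setting help, so it is worth correcting before release. The `run` function continues past the end of the hunk.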
@@ -41,18 +53,25 @@ module.exports = { if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) { helpers.addResult(results, 3, 'Unable to query Redis Cache diagnostics settings: ' + helpers.addError(diagnosticSettings), location, redisCache.id); } else { - var redisCacheDiagnosticLogs = false; - diagnosticSettings.data.forEach(setting => { - var logs = setting.logs; - if (logs.some(log => (log.categoryGroup === 'audit' || log.categoryGroup === 'allLogs' || log.category === 'ConnectedClientList') && log.enabled)) { - redisCacheDiagnosticLogs = true; - } - }); + var found = true; + var missingLogs = []; + if (config.diagnostic_logs == '*') { + found = diagnosticSettings.data.some(ds => ds.logs && ds.logs.length); + } else { + config.diagnostic_logs = config.diagnostic_logs.replace(/\s/g, ''); + missingLogs = config.diagnostic_logs.toLowerCase().split(','); + diagnosticSettings.data.forEach(settings => { + const logs = settings.logs; + missingLogs = missingLogs.filter(requiredCategory => + !logs.some(log => (log.category && log.category.toLowerCase() === requiredCategory && log.enabled) || log.categoryGroup === 'allLogs' && log.enabled) + ); + }); - if (redisCacheDiagnosticLogs) { - helpers.addResult(results, 0, 'Redis Cache has diagnostic logs enabled', location, redisCache.id); + } + if (!missingLogs.length && found) { + helpers.addResult(results, 0, 'Redis Cache has diagnostic logs enabled.', location, redisCache.id); } else { - helpers.addResult(results, 2, 'Redis Cache does not have diagnostic logs enabled', location, redisCache.id); + helpers.addResult(results, 2, `Redis Cache does not have diagnostic logs enabled ${missingLogs.length? `for following: ${missingLogs}`: ''}`, location, redisCache.id); } } }); diff --git a/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js b/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js index 19847cb83a..f89dfdf273 100644 --- a/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js 
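Review bot: In the `*` branch, `found = diagnosticSettings.data.some(ds => ds.logs && ds.logs.length)` only tests that the `logs` array is non-empty, so a diagnostic setting whose entries all carry `enabled: false` still yields a PASS, which defeats the point of an audit-logging check; it should be `found = diagnosticSettings.data.some(ds => Array.isArray(ds.logs) && ds.logs.some(log => log.enabled));`. The category branch has the opposite fragility: `const logs = settings.logs;` followed by `logs.some(...)` throws when a setting has no `logs` property (the spec keeps a bare `{}` among its fixtures), and that exception escapes the plugin instead of becoming an UNKNOWN result — `const logs = settings.logs || [];` keeps the loop alive. Minor: `config.diagnostic_logs = config.diagnostic_logs.replace(/\s/g, '')` re-runs and re-assigns for every cache; it belongs once, next to the `config` declaration. The enclosing `run` function starts outside this hunk.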
+++ b/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js @@ -36,7 +36,7 @@ const diagnosticSettings = [ logs: [ { category: null, - categoryGroup: 'audit', + categoryGroup: 'allLogs', enabled: true, retentionPolicy: { enabled: false, days: 0 } }, @@ -89,7 +89,26 @@ const diagnosticSettings = [ ], logAnalyticsDestinationType: null }, - {} + {}, + { + id: '/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/cloudsploit-dev/providers/microsoft.cache/redis/omerredistest/providers/microsoft.insights/diagnosticSettings/test', + type: 'Microsoft.Insights/diagnosticSettings', + name: 'test', + location: null, + kind: null, + tags: null, + identity: null, + storageAccountId: null, + serviceBusRuleId: null, + workspaceId: '/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/test/providers/microsoft.operationalinsights/workspaces/ctolabsanalytics', + eventHubAuthorizationRuleId: null, + eventHubName: null, + metrics: [ [Object] ], + logs: [ + ], + logAnalyticsDestinationType: null + + } ] const createCache = (redisCaches, diagnostics) => { @@ -220,7 +239,7 @@ describe('redisCacheDiagnosticLogs', function () { }); }); - it('should give passing result if redis cache has diagnostic logs enabled with audit', function (done) { + it('should give passing result if redis cache has diagnostic logs enabled with all Logs', function (done) { const cache = createCache([redisCaches[0]], [diagnosticSettings[0]]); redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); 
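Review bot: The new fixture added in the `@@ -89,7 +89,26 @@` hunk contains `metrics: [ [Object] ]`, which is a console-dump artifact rather than data — in JavaScript it evaluates to an array holding the global `Object` constructor, so the test still runs but the fixture no longer resembles an API response; use `metrics: [],` or a real metric entry. The same fixture also keeps a real-looking subscription GUID in `id` and `workspaceId`, while the sibling commits scrub those to `123`/`12345`; scrub them here too so no tenant identifier lands in the repository.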
@@ -234,6 +253,39 @@ describe('redisCacheDiagnosticLogs', function () { it('should give failing result if Redis Cache does not have diagnostic logs enabled', function (done) { const cache = createCache([redisCaches[1]], [diagnosticSettings[1]]); redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Redis Cache does not have diagnostic logs enabled for following:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if Redis Cache does not have diagnostic logs enabled with settings', function (done) { + const cache = createCache([redisCaches[1]], [diagnosticSettings[1]]); + redisCacheDiagnosticLogs.run(cache, {diagnostic_logs: 'testsetting'}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Redis Cache does not have diagnostic logs enabled for following:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give passing result if Redis Cache has diagnostic logs enabled with * setting', function (done) { + const cache = createCache([redisCaches[1]], [diagnosticSettings[1]]); + redisCacheDiagnosticLogs.run(cache, {diagnostic_logs: '*'}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Redis Cache has diagnostic logs enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if Redis Cache has diagnostic logs enabled with * setting but there are not logs', function (done) { + const cache = createCache([redisCaches[1]], [diagnosticSettings[4]]); + redisCacheDiagnosticLogs.run(cache, {diagnostic_logs: '*'}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); 
expect(results[0].message).to.include('Redis Cache does not have diagnostic logs enabled'); diff --git a/plugins/azure/redisCache/redisCacheScheduledUpdates.spec.js b/plugins/azure/redisCache/redisCacheScheduledUpdates.spec.js index bb76557867..63c3363e9b 100644 --- a/plugins/azure/redisCache/redisCacheScheduledUpdates.spec.js +++ b/plugins/azure/redisCache/redisCacheScheduledUpdates.spec.js @@ -19,7 +19,7 @@ const redisCaches = [ ]; const patchSchedules = { - "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/cloudsploit-dev/providers/Microsoft.Cache/Redis/omerredistest/patchSchedules/default", + "id": "/subscriptions/123/resourceGroups/cloudsploit-dev/providers/Microsoft.Cache/Redis/omerredistest/patchSchedules/default", "location": "East US", "name": "omerredistest/default", "type": "Microsoft.Cache/Redis/PatchSchedules", From 69f7500af6b97123fc5dcffd554a09fc7a4f6226 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Fri, 29 Dec 2023 00:35:27 +0500 Subject: [PATCH 431/498] Added setting --- exports.js | 2 +- ...ogs.js => automationAcctDiagnosticLogs.js} | 53 +++++++++++------ ...s => automationAcctDiagnosticLogs.spec.js} | 59 +++++++++++++++---- 3 files changed, 86 insertions(+), 28 deletions(-) rename plugins/azure/automationAccounts/{automationAccountDiagnosticLogs.js => automationAcctDiagnosticLogs.js} (58%) rename plugins/azure/automationAccounts/{automationAccountDiagnosticLogs.spec.js => automationAcctDiagnosticLogs.spec.js} (73%) diff --git a/exports.js b/exports.js index 2b5b1e175e..656fced00b 100644 --- a/exports.js +++ b/exports.js 
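Review bot: The passing test for the `*` setting reuses `diagnosticSettings[1]`, the same fixture the default-setting test expects to FAIL, and the fixture's `enabled` flags are not visible here; if its entries are disabled, this test is locking in the plugin's "non-empty `logs` array equals enabled" behaviour rather than verifying that logging is actually on. Add a fixture whose entries all have `enabled: false` and a test asserting `run(cache, {diagnostic_logs: '*'}, ...)` returns status 2 for it, so the `*` path is forced to inspect `log.enabled`. The existing failing test with `diagnosticSettings[4]` (empty `logs`) does not cover that case.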
@@ -1040,7 +1040,7 @@ module.exports = { 'amsManagedIdentityEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsManagedIdentityEnabled.js'), 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'), - 'automationAccountDiagnosticLogs': require(__dirname + '/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.js'), + 'automationAcctDiagnosticLogs' : require(__dirname + '/plugins/azure/automationAccounts/automationAcctDiagnosticLogs.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.js b/plugins/azure/automationAccounts/automationAcctDiagnosticLogs.js similarity index 58% rename from plugins/azure/automationAccounts/automationAccountDiagnosticLogs.js rename to plugins/azure/automationAccounts/automationAcctDiagnosticLogs.js index fff1996af9..b9e6a5916c 100644 --- a/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.js +++ b/plugins/azure/automationAccounts/automationAcctDiagnosticLogs.js 
@@ -9,13 +9,23 @@ module.exports = { more_info: 'Azure Automation can send runbook job status and job streams to get insights, alert emails and correlate jobs across automation accounts. It also allows you to get the audit logs related to Automation accounts, runbooks, and other asset create, modify and delete operations.', recommended_action: 'Enable diagnostic logging for all Automation accounts.', link: 'https://learn.microsoft.com/en-us/azure/automation/automation-manage-send-joblogs-log-analytics#azure-automation-diagnostic-settings', - apis: ['automationAccounts:list','diagnosticSettings:listByAutomationAccounts'], - - run: function(cache, settings, callback) { + apis: ['automationAccounts:list', 'diagnosticSettings:listByAutomationAccounts'], + settings: { + diagnostic_logs: { + name: 'Diagnostic Logs Enabled', + description: 'Comma separated list of diagnostic logs that should be enabled at minimum i.e. JobLogs, JobStreams etc. If you have enabled allLogs, then resource produces pass result. If you only want to check if logging is enabled or not, irrespecitve of log type, then add * in setting.', + regex: '^.*$', + default: 'JobLogs, JobStreams, DscNodeStatus, AuditEvent' + }, + }, + run: function (cache, settings, callback) { const results = []; const source = {}; const locations = helpers.locations(settings.govcloud); - + + var config = { + diagnostic_logs: settings.diagnostic_logs || this.settings.diagnostic_logs.default, + }; async.each(locations.automationAccounts, (location, rcb) => { const automationAccounts = helpers.addSource(cache, source, 
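Review bot: The setting description repeats the "irrespecitve" typo and uses "i.e." for what is a list of examples; suggested text: `description: 'Comma separated list of diagnostic log categories that must be enabled, e.g. JobLogs, JobStreams. A setting with the allLogs category group enabled passes. Use * to only check that some log category is enabled, irrespective of type.',`. The default `'JobLogs, JobStreams, DscNodeStatus, AuditEvent'` carries spaces that the run body strips, so a short comment on the `default` line saying whitespace is ignored would save the next reader a trip. The enclosing `run` function continues past this hunk.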
@@ -37,32 +47,41 @@ module.exports = { for (let account of automationAccounts.data) { if (!account.id) continue; - var diagnosticSettings = helpers.addSource(cache, source, + var diagnosticSettings = helpers.addSource(cache, source, ['diagnosticSettings', 'listByAutomationAccounts', location, account.id]); - + if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) { helpers.addResult(results, 3, `Unable to query Automation account diagnostic settings: ${helpers.addError(diagnosticSettings)}`, location, account.id); continue; } - var missingLogs = ['JobLogs', 'JobStreams', 'DscNodeStatus', 'AuditEvent']; - diagnosticSettings.data.forEach(settings => { - const logs = settings.logs; - missingLogs = missingLogs.filter(requiredCategory => - !logs.some(log => (log.category === requiredCategory && log.enabled) || log.categoryGroup === 'allLogs' && log.enabled) - ); - }); - - if (missingLogs.length) { - helpers.addResult(results, 2, `Automation account does not have diagnostic logs enabled. Missing logs: ${missingLogs}`, location, account.id); + var found = true; + var missingLogs = []; + if (config.diagnostic_logs == '*') { + found = diagnosticSettings.data.some(ds => ds.logs && ds.logs.length); } else { + config.diagnostic_logs = config.diagnostic_logs.replace(/\s/g, ''); + missingLogs = config.diagnostic_logs.toLowerCase().split(','); + diagnosticSettings.data.forEach(settings => { + const logs = settings.logs; + missingLogs = missingLogs.filter(requiredCategory => + !logs.some(log => (log.category && log.category.toLowerCase() === requiredCategory && log.enabled) || log.categoryGroup === 'allLogs' && log.enabled) + ); + }); + + } + + if (!missingLogs.length && found) { helpers.addResult(results, 0, 'Automation account has diagnostic logs enabled', location, account.id); + + } else { + helpers.addResult(results, 2, `Automation account does not have diagnostic logs enabled ${missingLogs.length ? 
`for following: ${missingLogs}` : ''}`, location, account.id); } } rcb(); - }, function() { + }, function () { callback(null, results, source); }); } diff --git a/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.spec.js b/plugins/azure/automationAccounts/automationAcctDiagnosticLogs.spec.js similarity index 73% rename from plugins/azure/automationAccounts/automationAccountDiagnosticLogs.spec.js rename to plugins/azure/automationAccounts/automationAcctDiagnosticLogs.spec.js index f395d07d34..a6dab31764 100644 --- a/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.spec.js +++ b/plugins/azure/automationAccounts/automationAcctDiagnosticLogs.spec.js @@ -1,11 +1,11 @@ var expect = require('chai').expect; -var automationAccountDiagnosticLogs = require('./automationAccountDiagnosticLogs.js'); +var automationAccountDiagnosticLogs = require('./automationAcctDiagnosticLogs.js'); const automationAccounts = [ { - "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/DefaultResourceGroup-EUS/providers/Microsoft.Automation/automationAccounts/Automate-26a1a07e-06dd-4892-92c9-e4996b0fc546-EUS2", + "id": "/subscriptions/12345/resourceGroups/DefaultResourceGroup-EUS/providers/Microsoft.Automation/automationAccounts/Automate-12345-EUS2", "location": "EastUS2", - "name": "Automate-26a1a07e-06dd-4892-92c9-e4996b0fc546-EUS2", + "name": "Automate-12345-EUS2", "type": "Microsoft.Automation/AutomationAccounts", "tags": {}, "properties": { 
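Review bot: With `diagnostic_logs: '*'`, `found = diagnosticSettings.data.some(ds => ds.logs && ds.logs.length)` passes an automation account whose diagnostic setting lists categories that are all `enabled: false`, because only the array length is inspected; it should read `found = diagnosticSettings.data.some(ds => Array.isArray(ds.logs) && ds.logs.some(log => log.enabled));`. In the category branch `const logs = settings.logs;` is dereferenced without a guard, so a setting lacking `logs` (the spec's `{}` fixture is one) throws out of the plugin instead of producing an UNKNOWN — use `const logs = settings.logs || [];`. The `config.diagnostic_logs.replace(/\s/g, '')` normalisation is also re-applied for every account; hoist it to where `config` is built. The enclosing `run` function starts outside this hunk.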
@@ -14,9 +14,9 @@ const automationAccounts = [ } }, { - "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/DefaultResourceGroup-CUS/providers/Microsoft.Automation/automationAccounts/Automate-26a1a07e-06dd-4892-92c9-e4996b0fc546-CUS", + "id": "/subscriptions/12345/resourceGroups/DefaultResourceGroup-CUS/providers/Microsoft.Automation/automationAccounts/Automate-12345-CUS", "location": "centralus", - "name": "Automate-26a1a07e-06dd-4892-92c9-e4996b0fc546-CUS", + "name": "Automate-12345-CUS", "type": "Microsoft.Automation/AutomationAccounts", "tags": {}, "properties": { @@ -28,7 +28,7 @@ const automationAccounts = [ const diagnosticSettings = [ { - id: '/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/cloudsploit-dev/providers/microsoft.cdn/automationAccounts/omer-cdn-profile-test/providers/microsoft.insights/diagnosticSettings/testaccesslogs', + id: '/subscriptions/12345/resourcegroups/cloudsploit-dev/providers/microsoft.cdn/automationAccounts/omer-cdn-profile-test/providers/microsoft.insights/diagnosticSettings/testaccesslogs', type: 'Microsoft.Insights/diagnosticSettings', name: 'testaccesslogs', location: 'global', @@ -46,7 +46,7 @@ const diagnosticSettings = [ "logAnalyticsDestinationType": null }, { - id: '/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/cloudsploit-dev/providers/microsoft.cdn/automationAccounts/omer-cdn-profile-test/providers/microsoft.insights/diagnosticSettings/testaccesslogs', + id: '/subscriptions/12345/resourcegroups/cloudsploit-dev/providers/microsoft.cdn/automationAccounts/omer-cdn-profile-test/providers/microsoft.insights/diagnosticSettings/testaccesslogs', type: 'Microsoft.Insights/diagnosticSettings', name: 'testwaflogs', location: 'global', 
@@ -93,7 +93,7 @@ const diagnosticSettings = [ }, {}, { - id: '/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/cloudsploit-dev/providers/microsoft.cdn/automationAccounts/omer-cdn-profile-test/providers/microsoft.insights/diagnosticSettings/testaccesslogs', + id: '/subscriptions/12345/resourcegroups/cloudsploit-dev/providers/microsoft.cdn/automationAccounts/omer-cdn-profile-test/providers/microsoft.insights/diagnosticSettings/testaccesslogs', type: 'Microsoft.Insights/diagnosticSettings', name: 'testwaflogs', location: 'global', @@ -110,6 +110,24 @@ const diagnosticSettings = [ ], "logAnalyticsDestinationType": null }, + { + id: '/subscriptions/12345/resourcegroups/cloudsploit-dev/providers/microsoft.cdn/automationAccounts/omer-cdn-profile-test/providers/microsoft.insights/diagnosticSettings/testaccesslogs', + type: 'Microsoft.Insights/diagnosticSettings', + name: 'testwaflogs', + location: 'global', + logs: [ + { + "category": "DummyCategory", + "categoryGroup": "", + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logAnalyticsDestinationType": null + }, ] const createCache = (automationAccounts, diagnostics) => { @@ -245,13 +263,12 @@ describe('automationAccountDiagnosticLogs', function () { automationAccountDiagnosticLogs.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Automation account does not have diagnostic logs enabled. Missing'); + expect(results[0].message).to.include('Automation account does not have diagnostic logs enabled for following'); expect(results[0].region).to.equal('eastus'); done(); }); }); - it('should give pass result if automation account have allLogs Enabled', function(done) { const cache = createCache([automationAccounts[1]], [diagnosticSettings[3]]); automationAccountDiagnosticLogs.run(cache, {}, (err, results) => { 
@@ -262,5 +279,27 @@ describe('automationAccountDiagnosticLogs', function () { done(); }); }); + + it('should give passing result with * setting', function (done) { + const cache = createCache([automationAccounts[1]], [diagnosticSettings[4]]); + automationAccountDiagnosticLogs.run(cache, {diagnostic_logs: '*'}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Automation account has diagnostic logs enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if Automation Account does not have diagnostic logs enabled with settings', function (done) { + const cache = createCache([automationAccounts[1]], [diagnosticSettings[1]]); + automationAccountDiagnosticLogs.run(cache, {diagnostic_logs: 'testsetting'}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Automation account does not have diagnostic logs enabled for following:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); }); }); \ No newline at end of file From 694ca820a745675bbcd81d27bafa0b9457fd66e7 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Fri, 29 Dec 2023 00:36:22 +0500 Subject: [PATCH 432/498] Linting --- .../azure/automationAccounts/automationAcctDiagnosticLogs.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/automationAccounts/automationAcctDiagnosticLogs.js b/plugins/azure/automationAccounts/automationAcctDiagnosticLogs.js index b9e6a5916c..6903c0ed32 100644 --- a/plugins/azure/automationAccounts/automationAcctDiagnosticLogs.js +++ b/plugins/azure/automationAccounts/automationAcctDiagnosticLogs.js 
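Review bot: The new `*` test only exercises a fixture whose single entry has `"enabled": true` (`DummyCategory`), so it cannot distinguish "some log category is enabled" from "the `logs` array is non-empty", which is the check the plugin actually performs. Add a companion fixture identical to `diagnosticSettings[4]` but with `"enabled": false` and assert that `run(cache, {diagnostic_logs: '*'}, ...)` returns status 2 for it; today that assertion would fail, which is the gap worth pinning before this merges.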
@@ -18,7 +18,7 @@ module.exports = { default: 'JobLogs, JobStreams, DscNodeStatus, AuditEvent' }, }, - run: function (cache, settings, callback) { + run: function(cache, settings, callback) { const results = []; const source = {}; const locations = helpers.locations(settings.govcloud); @@ -81,7 +81,7 @@ module.exports = { } rcb(); - }, function () { + }, function() { callback(null, results, source); }); } From 80a1b9c6e3370a772725928daf4baf671dc2ce54 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Fri, 29 Dec 2023 00:37:12 +0500 Subject: [PATCH 433/498] Uncommented --- .../redisCacheDiagnosticLogs.spec.js | 160 +++++++++--------- 1 file changed, 80 insertions(+), 80 deletions(-) diff --git a/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js b/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js index e8354db4a0..f89dfdf273 100644 --- a/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js +++ b/plugins/azure/redisCache/redisCacheDiagnosticLogs.spec.js 
@@ -195,38 +195,38 @@ const createErrorCache = (key) => { describe('redisCacheDiagnosticLogs', function () { describe('run', function () { - // it('should give pass result if No existing Redis Caches found', function (done) { - // const cache = createErrorCache('nocache'); - // redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { - // expect(results.length).to.equal(1); - // expect(results[0].status).to.equal(0); - // expect(results[0].message).to.include('No existing Redis Caches found'); - // expect(results[0].region).to.equal('eastus'); - // done(); - // }); - // }); + it('should give pass result if No existing Redis Caches found', function (done) { + const cache = createErrorCache('nocache'); + redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('No existing Redis Caches found'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); - // it('should give unknown result if Unable to query Redis Caches:', function (done) { - // const cache = createErrorCache('redisCache'); - // redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { - // expect(results.length).to.equal(1); - // expect(results[0].status).to.equal(3); - // expect(results[0].message).to.include('Unable to query Redis Caches:'); - // expect(results[0].region).to.equal('eastus'); - // done(); - // }); - // }); + it('should give unknown result if Unable to query Redis Caches:', function (done) { + const cache = createErrorCache('redisCache'); + redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Redis Caches:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); - // it('should give unknown result if Unable to query diagnostics settings', function (done) { - // const cache = 
createErrorCache('settings'); - // redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { - // expect(results.length).to.equal(1); - // expect(results[0].status).to.equal(3); - // expect(results[0].message).to.include('Unable to query Redis Cache diagnostics settings'); - // expect(results[0].region).to.equal('eastus'); - // done(); - // }); - // }); + it('should give unknown result if Unable to query diagnostics settings', function (done) { + const cache = createErrorCache('settings'); + redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(3); + expect(results[0].message).to.include('Unable to query Redis Cache diagnostics settings'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); it('should give passing result if redis cache has diagnostic logs enabled', function (done) { const cache = createCache([redisCaches[0]], [diagnosticSettings[2]]); 
@@ -239,59 +239,59 @@ describe('redisCacheDiagnosticLogs', function () { }); }); - // it('should give passing result if redis cache has diagnostic logs enabled with all Logs', function (done) { - // const cache = createCache([redisCaches[0]], [diagnosticSettings[0]]); - // redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { - // expect(results.length).to.equal(1); - // expect(results[0].status).to.equal(0); - // expect(results[0].message).to.include('Redis Cache has diagnostic logs enabled'); - // expect(results[0].region).to.equal('eastus'); - // done(); - // }); - // }); + it('should give passing result if redis cache has diagnostic logs enabled with all Logs', function (done) { + const cache = createCache([redisCaches[0]], [diagnosticSettings[0]]); + redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Redis Cache has diagnostic logs enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); - // it('should give failing result if Redis Cache does not have diagnostic logs enabled', function (done) { - // const cache = createCache([redisCaches[1]], [diagnosticSettings[1]]); - // redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { - // expect(results.length).to.equal(1); - // expect(results[0].status).to.equal(2); - // expect(results[0].message).to.include('Redis Cache does not have diagnostic logs enabled for following:'); - // expect(results[0].region).to.equal('eastus'); - // done(); - // }); - // }); + it('should give failing result if Redis Cache does not have diagnostic logs enabled', function (done) { + const cache = createCache([redisCaches[1]], [diagnosticSettings[1]]); + redisCacheDiagnosticLogs.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Redis Cache does not have diagnostic logs 
enabled for following:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); - // it('should give failing result if Redis Cache does not have diagnostic logs enabled with settings', function (done) { - // const cache = createCache([redisCaches[1]], [diagnosticSettings[1]]); - // redisCacheDiagnosticLogs.run(cache, {diagnostic_logs: 'testsetting'}, (err, results) => { - // expect(results.length).to.equal(1); - // expect(results[0].status).to.equal(2); - // expect(results[0].message).to.include('Redis Cache does not have diagnostic logs enabled for following:'); - // expect(results[0].region).to.equal('eastus'); - // done(); - // }); - // }); + it('should give failing result if Redis Cache does not have diagnostic logs enabled with settings', function (done) { + const cache = createCache([redisCaches[1]], [diagnosticSettings[1]]); + redisCacheDiagnosticLogs.run(cache, {diagnostic_logs: 'testsetting'}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Redis Cache does not have diagnostic logs enabled for following:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); - // it('should give passing result if Redis Cache has diagnostic logs enabled with * setting', function (done) { - // const cache = createCache([redisCaches[1]], [diagnosticSettings[1]]); - // redisCacheDiagnosticLogs.run(cache, {diagnostic_logs: '*'}, (err, results) => { - // expect(results.length).to.equal(1); - // expect(results[0].status).to.equal(0); - // expect(results[0].message).to.include('Redis Cache has diagnostic logs enabled'); - // expect(results[0].region).to.equal('eastus'); - // done(); - // }); - // }); + it('should give passing result if Redis Cache has diagnostic logs enabled with * setting', function (done) { + const cache = createCache([redisCaches[1]], [diagnosticSettings[1]]); + redisCacheDiagnosticLogs.run(cache, {diagnostic_logs: '*'}, (err, results) 
=> { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Redis Cache has diagnostic logs enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); - // it('should give failing result if Redis Cache has diagnostic logs enabled with * setting but there are not logs', function (done) { - // const cache = createCache([redisCaches[1]], [diagnosticSettings[4]]); - // redisCacheDiagnosticLogs.run(cache, {diagnostic_logs: '*'}, (err, results) => { - // expect(results.length).to.equal(1); - // expect(results[0].status).to.equal(2); - // expect(results[0].message).to.include('Redis Cache does not have diagnostic logs enabled'); - // expect(results[0].region).to.equal('eastus'); - // done(); - // }); - // }); + it('should give failing result if Redis Cache has diagnostic logs enabled with * setting but there are not logs', function (done) { + const cache = createCache([redisCaches[1]], [diagnosticSettings[4]]); + redisCacheDiagnosticLogs.run(cache, {diagnostic_logs: '*'}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Redis Cache does not have diagnostic logs enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); }); }); \ No newline at end of file From c87fd7861112004d7db06bad08c0a6e949201a0c Mon Sep 17 00:00:00 2001 
From: alphadev4 Date: Fri, 29 Dec 2023 00:46:00 +0500 Subject: [PATCH 434/498] Requested-changes --- ...ogs.js => automationAcctDiagnosticLogs.js} | 52 ++++++++++------ ...s => automationAcctDiagnosticLogs.spec.js} | 59 +++++++++++++++---- ...ty.js => automationAcctManagedIdentity.js} | 5 +- ... => automationAcctManagedIdentity.spec.js} | 16 ++--- 4 files changed, 94 insertions(+), 38 deletions(-) rename plugins/azure/automationAccounts/{automationAccountDiagnosticLogs.js => automationAcctDiagnosticLogs.js} (60%) rename plugins/azure/automationAccounts/{automationAccountDiagnosticLogs.spec.js => automationAcctDiagnosticLogs.spec.js} (73%) rename plugins/azure/automationAccounts/{automationAccountManagedIdentity.js => automationAcctManagedIdentity.js} (87%) rename plugins/azure/automationAccounts/{automationAccountManagedIdentity.spec.js => automationAcctManagedIdentity.spec.js} (78%) diff --git a/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.js b/plugins/azure/automationAccounts/automationAcctDiagnosticLogs.js similarity index 60% rename from plugins/azure/automationAccounts/automationAccountDiagnosticLogs.js rename to plugins/azure/automationAccounts/automationAcctDiagnosticLogs.js index fff1996af9..4eaf5b00c3 100644 --- a/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.js +++ b/plugins/azure/automationAccounts/automationAcctDiagnosticLogs.js 
@@ -9,13 +9,23 @@ module.exports = { more_info: 'Azure Automation can send runbook job status and job streams to get insights, alert emails and correlate jobs across automation accounts. It also allows you to get the audit logs related to Automation accounts, runbooks, and other asset create, modify and delete operations.', recommended_action: 'Enable diagnostic logging for all Automation accounts.', link: 'https://learn.microsoft.com/en-us/azure/automation/automation-manage-send-joblogs-log-analytics#azure-automation-diagnostic-settings', - apis: ['automationAccounts:list','diagnosticSettings:listByAutomationAccounts'], - + apis: ['automationAccounts:list', 'diagnosticSettings:listByAutomationAccounts'], + settings: { + diagnostic_logs: { + name: 'Diagnostic Logs Enabled', + description: 'Comma separated list of diagnostic logs that should be enabled at minimum i.e. JobLogs, JobStreams etc. If you have enabled allLogs, then resource produces pass result. If you only want to check if logging is enabled or not, irrespecitve of log type, then add * in setting.', + regex: '^.*$', + default: 'JobLogs, JobStreams, DscNodeStatus, AuditEvent' + }, + }, run: function(cache, settings, callback) { const results = []; const source = {}; const locations = helpers.locations(settings.govcloud); - + + var config = { + diagnostic_logs: settings.diagnostic_logs || this.settings.diagnostic_logs.default, + }; async.each(locations.automationAccounts, (location, rcb) => { const automationAccounts = helpers.addSource(cache, source, 
@@ -37,27 +47,36 @@ module.exports = { for (let account of automationAccounts.data) { if (!account.id) continue; - var diagnosticSettings = helpers.addSource(cache, source, + var diagnosticSettings = helpers.addSource(cache, source, ['diagnosticSettings', 'listByAutomationAccounts', location, account.id]); - + if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) { helpers.addResult(results, 3, `Unable to query Automation account diagnostic settings: ${helpers.addError(diagnosticSettings)}`, location, account.id); continue; } - var missingLogs = ['JobLogs', 'JobStreams', 'DscNodeStatus', 'AuditEvent']; - diagnosticSettings.data.forEach(settings => { - const logs = settings.logs; - missingLogs = missingLogs.filter(requiredCategory => - !logs.some(log => (log.category === requiredCategory && log.enabled) || log.categoryGroup === 'allLogs' && log.enabled) - ); - }); - - if (missingLogs.length) { - helpers.addResult(results, 2, `Automation account does not have diagnostic logs enabled. Missing logs: ${missingLogs}`, location, account.id); + var found = true; + var missingLogs = []; + if (config.diagnostic_logs == '*') { + found = diagnosticSettings.data.some(ds => ds.logs && ds.logs.length); } else { + config.diagnostic_logs = config.diagnostic_logs.replace(/\s/g, ''); + missingLogs = config.diagnostic_logs.toLowerCase().split(','); + diagnosticSettings.data.forEach(settings => { + const logs = settings.logs; + missingLogs = missingLogs.filter(requiredCategory => + !logs.some(log => (log.category && log.category.toLowerCase() === requiredCategory && log.enabled) || log.categoryGroup === 'allLogs' && log.enabled) + ); + }); + + } + + if (!missingLogs.length && found) { helpers.addResult(results, 0, 'Automation account has diagnostic logs enabled', location, account.id); + + } else { + helpers.addResult(results, 2, `Automation account does not have diagnostic logs enabled ${missingLogs.length ? 
`for following: ${missingLogs}` : ''}`, location, account.id); } } @@ -66,5 +85,4 @@ module.exports = { callback(null, results, source); }); } -}; - +}; \ No newline at end of file diff --git a/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.spec.js b/plugins/azure/automationAccounts/automationAcctDiagnosticLogs.spec.js similarity index 73% rename from plugins/azure/automationAccounts/automationAccountDiagnosticLogs.spec.js rename to plugins/azure/automationAccounts/automationAcctDiagnosticLogs.spec.js index f395d07d34..a6dab31764 100644 --- a/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.spec.js +++ b/plugins/azure/automationAccounts/automationAcctDiagnosticLogs.spec.js @@ -1,11 +1,11 @@ var expect = require('chai').expect; -var automationAccountDiagnosticLogs = require('./automationAccountDiagnosticLogs.js'); +var automationAccountDiagnosticLogs = require('./automationAcctDiagnosticLogs.js'); const automationAccounts = [ { - "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/DefaultResourceGroup-EUS/providers/Microsoft.Automation/automationAccounts/Automate-26a1a07e-06dd-4892-92c9-e4996b0fc546-EUS2", + "id": "/subscriptions/12345/resourceGroups/DefaultResourceGroup-EUS/providers/Microsoft.Automation/automationAccounts/Automate-12345-EUS2", "location": "EastUS2", - "name": "Automate-26a1a07e-06dd-4892-92c9-e4996b0fc546-EUS2", + "name": "Automate-12345-EUS2", "type": "Microsoft.Automation/AutomationAccounts", "tags": {}, "properties": { 
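Review bot: In the `*` branch, `found = diagnosticSettings.data.some(ds => ds.logs && ds.logs.length)` passes an account whose diagnostic setting lists categories that are all `enabled: false`, which is a valid shape given that the category branch already has to test `log.enabled`; it should be `found = diagnosticSettings.data.some(ds => ds.logs && ds.logs.some(log => log.enabled));`. The category branch has the opposite gap: `const logs = settings.logs;` is dereferenced by `logs.some(...)` with no guard, so a setting object without `logs` (the spec fixture even includes an empty `{}` entry) throws inside the `async.each` callback instead of producing a result, and `const logs = settings.logs || [];` keeps the two branches consistent. `config.diagnostic_logs == '*'` should be `===`, and the comparison runs before the whitespace stripping, so a configured value of ` *` silently falls into the category branch. The spec's new `*` test only covers an enabled `DummyCategory`, so a fixture with `enabled: false` entries would pin the first point. The enclosing `run` function starts and ends outside this hunk.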
@@ -14,9 +14,9 @@ const automationAccounts = [ } }, { - "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/DefaultResourceGroup-CUS/providers/Microsoft.Automation/automationAccounts/Automate-26a1a07e-06dd-4892-92c9-e4996b0fc546-CUS", + "id": "/subscriptions/12345/resourceGroups/DefaultResourceGroup-CUS/providers/Microsoft.Automation/automationAccounts/Automate-12345-CUS", "location": "centralus", - "name": "Automate-26a1a07e-06dd-4892-92c9-e4996b0fc546-CUS", + "name": "Automate-12345-CUS", "type": "Microsoft.Automation/AutomationAccounts", "tags": {}, "properties": { @@ -28,7 +28,7 @@ const automationAccounts = [ const diagnosticSettings = [ { - id: '/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/cloudsploit-dev/providers/microsoft.cdn/automationAccounts/omer-cdn-profile-test/providers/microsoft.insights/diagnosticSettings/testaccesslogs', + id: '/subscriptions/12345/resourcegroups/cloudsploit-dev/providers/microsoft.cdn/automationAccounts/omer-cdn-profile-test/providers/microsoft.insights/diagnosticSettings/testaccesslogs', type: 'Microsoft.Insights/diagnosticSettings', name: 'testaccesslogs', location: 'global', @@ -46,7 +46,7 @@ const diagnosticSettings = [ "logAnalyticsDestinationType": null }, { - id: '/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/cloudsploit-dev/providers/microsoft.cdn/automationAccounts/omer-cdn-profile-test/providers/microsoft.insights/diagnosticSettings/testaccesslogs', + id: '/subscriptions/12345/resourcegroups/cloudsploit-dev/providers/microsoft.cdn/automationAccounts/omer-cdn-profile-test/providers/microsoft.insights/diagnosticSettings/testaccesslogs', type: 'Microsoft.Insights/diagnosticSettings', name: 'testwaflogs', location: 'global', 
@@ -93,7 +93,7 @@ const diagnosticSettings = [ }, {}, { - id: '/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/cloudsploit-dev/providers/microsoft.cdn/automationAccounts/omer-cdn-profile-test/providers/microsoft.insights/diagnosticSettings/testaccesslogs', + id: '/subscriptions/12345/resourcegroups/cloudsploit-dev/providers/microsoft.cdn/automationAccounts/omer-cdn-profile-test/providers/microsoft.insights/diagnosticSettings/testaccesslogs', type: 'Microsoft.Insights/diagnosticSettings', name: 'testwaflogs', location: 'global', @@ -110,6 +110,24 @@ const diagnosticSettings = [ ], "logAnalyticsDestinationType": null }, + { + id: '/subscriptions/12345/resourcegroups/cloudsploit-dev/providers/microsoft.cdn/automationAccounts/omer-cdn-profile-test/providers/microsoft.insights/diagnosticSettings/testaccesslogs', + type: 'Microsoft.Insights/diagnosticSettings', + name: 'testwaflogs', + location: 'global', + logs: [ + { + "category": "DummyCategory", + "categoryGroup": "", + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logAnalyticsDestinationType": null + }, ] const createCache = (automationAccounts, diagnostics) => { @@ -245,13 +263,12 @@ describe('automationAccountDiagnosticLogs', function () { automationAccountDiagnosticLogs.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Automation account does not have diagnostic logs enabled. Missing'); + expect(results[0].message).to.include('Automation account does not have diagnostic logs enabled for following'); expect(results[0].region).to.equal('eastus'); done(); }); }); - it('should give pass result if automation account have allLogs Enabled', function(done) { const cache = createCache([automationAccounts[1]], [diagnosticSettings[3]]); automationAccountDiagnosticLogs.run(cache, {}, (err, results) => { 
@@ -262,5 +279,27 @@ describe('automationAccountDiagnosticLogs', function () { done(); }); }); + + it('should give passing result with * setting', function (done) { + const cache = createCache([automationAccounts[1]], [diagnosticSettings[4]]); + automationAccountDiagnosticLogs.run(cache, {diagnostic_logs: '*'}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Automation account has diagnostic logs enabled'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + + it('should give failing result if Automation Account does not have diagnostic logs enabled with settings', function (done) { + const cache = createCache([automationAccounts[1]], [diagnosticSettings[1]]); + automationAccountDiagnosticLogs.run(cache, {diagnostic_logs: 'testsetting'}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(2); + expect(results[0].message).to.include('Automation account does not have diagnostic logs enabled for following:'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); }); }); \ No newline at end of file diff --git a/plugins/azure/automationAccounts/automationAccountManagedIdentity.js b/plugins/azure/automationAccounts/automationAcctManagedIdentity.js similarity index 87% rename from plugins/azure/automationAccounts/automationAccountManagedIdentity.js rename to plugins/azure/automationAccounts/automationAcctManagedIdentity.js index 72b450b3f1..6a97358da0 100644 --- a/plugins/azure/automationAccounts/automationAccountManagedIdentity.js +++ b/plugins/azure/automationAccounts/automationAcctManagedIdentity.js 
@@ -7,7 +7,7 @@ module.exports = { domain: 'Management and Governance', description: 'Ensure that Azure Automation accounts have managed identity enabled.', more_info: 'Enabling managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.', - recommended_action: 'Modify automation account and enabled managed identity.', + recommended_action: 'Modify automation account and enable managed identity.', link: 'https://learn.microsoft.com/en-us/azure/automation/quickstarts/enable-managed-identity', apis: ['automationAccounts:list'], @@ -35,9 +35,8 @@ module.exports = { for (var account of automationAccounts.data) { if (!account.id) continue; - var identityType = account.identity && account.identity.type? account.identity.type : null; - if (identityType && (identityType.includes('systemassigned') || identityType.includes('userassigned'))) { + if (account.identity && account.identity.type) { helpers.addResult(results, 0, 'Automation account has managed identity enabled', location, account.id); } else { helpers.addResult(results, 2, 'Automation account does not have managed identity enabled', location, account.id); diff --git a/plugins/azure/automationAccounts/automationAccountManagedIdentity.spec.js b/plugins/azure/automationAccounts/automationAcctManagedIdentity.spec.js similarity index 78% rename from plugins/azure/automationAccounts/automationAccountManagedIdentity.spec.js rename to plugins/azure/automationAccounts/automationAcctManagedIdentity.spec.js index 82f76af6c9..34cd94d7fc 100644 --- a/plugins/azure/automationAccounts/automationAccountManagedIdentity.spec.js +++ b/plugins/azure/automationAccounts/automationAcctManagedIdentity.spec.js 
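Review bot: `if (account.identity && account.identity.type)` treats any non-empty type string as a managed identity, so an account whose identity block reports `type: 'None'` (the value ARM uses after an identity is removed, if the Automation API reports it like other providers do) would be marked as enabled. The removed `includes('systemassigned')` check was also wrong because it compared case-sensitively against values such as `SystemAssigned`, so the rewrite is an improvement, but `if (account.identity && account.identity.type && account.identity.type.toLowerCase() !== 'none') {` closes the remaining gap. The same weakening appears in the sibling `appConfigManagedIdentity.js` change in patch 438, which drops the `.type` check entirely and passes on any truthy `identity` object. The enclosing `run` function starts and ends outside this hunk.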
@@ -1,11 +1,11 @@ var expect = require('chai').expect; -var automationAccountManagedIdentity = require('./automationAccountManagedIdentity.js'); +var automationAccountManagedIdentity = require('./automationAcctManagedIdentity.js'); const automationAccounts = [ { - "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/DefaultResourceGroup-EUS/providers/Microsoft.Automation/automationAccounts/Automate-26a1a07e-06dd-4892-92c9-e4996b0fc546-EUS2", + "id": "/subscriptions/12345/resourceGroups/DefaultResourceGroup-EUS/providers/Microsoft.Automation/automationAccounts/Automate-12345-EUS2", "location": "EastUS2", - "name": "Automate-26a1a07e-06dd-4892-92c9-e4996b0fc546-EUS2", + "name": "Automate-12345-EUS2", "type": "Microsoft.Automation/AutomationAccounts", "tags": {}, "properties": { @@ -17,17 +17,17 @@ const automationAccounts = [ "principalId": "dc03d47d-e6df-491f-aebe-50a93412a890", "tenantId": "d207c7bd-fcb1-4dd3-855a-cfd2f9b651e8", "userAssignedIdentities": { - "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testmeerab": { - "PrincipalId": "1d34c2cd-bd53-487d-b3a9-6064465497c9", - "ClientId": "2071caa1-3668-4de3-babc-155cfe3e38e5" + "/subscriptions/12345/resourcegroups/meerab-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testmeerab": { + "PrincipalId": "123455", + "ClientId": "1234554" } } } }, { - "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/DefaultResourceGroup-CUS/providers/Microsoft.Automation/automationAccounts/Automate-26a1a07e-06dd-4892-92c9-e4996b0fc546-CUS", + "id": "/subscriptions/12345/resourceGroups/DefaultResourceGroup-CUS/providers/Microsoft.Automation/automationAccounts/Automate-12345-CUS", "location": "centralus", - "name": "Automate-26a1a07e-06dd-4892-92c9-e4996b0fc546-CUS", + "name": "Automate-12345-CUS", "type": "Microsoft.Automation/AutomationAccounts", "tags": {}, "properties": { 
From 2c490b3e8d103a691d72b937b3c7a4a728b2ee73 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Fri, 29 Dec 2023 00:48:06 +0500 Subject: [PATCH 435/498] Update plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.js Co-authored-by: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> --- .../azure/appConfigurations/appConfigurationDiagnosticLogs.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.js b/plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.js index 3be62e56c8..7828d2fee9 100644 --- a/plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.js +++ b/plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.js @@ -6,7 +6,7 @@ module.exports = { category: 'App Configuration', domain: 'Developer Tools', description: 'Ensures that Azure App Configuration have diagnostic logs enabled.', - more_info: 'Enabling diagnostic logging for for App Configuration helps with performance monitoring, troubleshooting, and security optimization.', + more_info: 'Enabling diagnostic logging for App Configuration helps with performance monitoring, troubleshooting, and security optimization.', recommended_action: 'Enable diagnostic logging for all App Configuration.', link: 'https://learn.microsoft.com/en-us/azure/azure-app-configuration/monitor-app-configuration?tabs=portal#monitoringdata', apis: ['appConfigurations:list','diagnosticSettings:listByAppConfigurations'], From d2dd3b6b99e8f28989733289392e0271908c92f4 Mon Sep 17 00:00:00 2001 
From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Fri, 29 Dec 2023 00:48:28 +0500 Subject: [PATCH 436/498] Update plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.js Co-authored-by: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> --- .../azure/appConfigurations/appConfigurationDiagnosticLogs.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.js b/plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.js index 7828d2fee9..2d7c798d45 100644 --- a/plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.js +++ b/plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.js @@ -7,7 +7,7 @@ module.exports = { domain: 'Developer Tools', description: 'Ensures that Azure App Configuration have diagnostic logs enabled.', more_info: 'Enabling diagnostic logging for App Configuration helps with performance monitoring, troubleshooting, and security optimization.', - recommended_action: 'Enable diagnostic logging for all App Configuration.', + recommended_action: 'Enable diagnostic logging for all App Configurations.', link: 'https://learn.microsoft.com/en-us/azure/azure-app-configuration/monitor-app-configuration?tabs=portal#monitoringdata', apis: ['appConfigurations:list','diagnosticSettings:listByAppConfigurations'], From 4d4e0834156e8144c60baa01a154e0f72c6fe4af Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Fri, 29 Dec 2023 00:49:34 +0500 Subject: [PATCH 437/498] file-names --- exports.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/exports.js b/exports.js index 6e7d662519..4c7f8912c3 100644 --- a/exports.js +++ b/exports.js 
@@ -1040,8 +1040,8 @@ module.exports = { 'amsManagedIdentityEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsManagedIdentityEnabled.js'), 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'), - 'automationAccountDiagnosticLogs': require(__dirname + '/plugins/azure/automationAccounts/automationAccountDiagnosticLogs.js'), - 'automationAccountManagedIdentity': require(__dirname + '/plugins/azure/automationAccounts/automationAccountManagedIdentity.js'), + 'automationAcctDiagnosticLogs' : require(__dirname + '/plugins/azure/automationAccounts/automationAcctDiagnosticLogs.js'), + 'automationAcctManagedIdentity' : require(__dirname + '/plugins/azure/automationAccounts/automationAccttManagedIdentity.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), From e0663b2e56ca7fa21c8fff84ccfa5e08de4d3b2f Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Fri, 29 Dec 2023 00:52:51 +0500 Subject: [PATCH 438/498] Suggested-changes --- exports.js | 2 +- ...dentity.js => appConfigManagedIdentity.js} | 7 ++--- ...ec.js => appConfigManagedIdentity.spec.js} | 30 +++++++++---------- 3 files changed, 19 insertions(+), 20 deletions(-) rename plugins/azure/appConfigurations/{appConfigurationManagedIdentity.js => appConfigManagedIdentity.js} (84%) rename plugins/azure/appConfigurations/{appConfigurationManagedIdentity.spec.js => appConfigManagedIdentity.spec.js} (72%) diff --git a/exports.js b/exports.js index 73c88ae4b0..84ca074b0c 100644 --- a/exports.js +++ b/exports.js 
@@ -1040,7 +1040,7 @@ module.exports = { 'amsManagedIdentityEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsManagedIdentityEnabled.js'), 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'), - 'appConfigurationManagedIdentity': require(__dirname + '/plugins/azure/appConfigurations/appConfigurationManagedIdentity.js'), + 'appConfigManagedIdentity' : require(__dirname + '/plugins/azure/appConfigurations/appConfigManagedIdentity.js'), 'appConfigurationDiagnosticLogs': require(__dirname + '/plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.js'), }, diff --git a/plugins/azure/appConfigurations/appConfigurationManagedIdentity.js b/plugins/azure/appConfigurations/appConfigManagedIdentity.js similarity index 84% rename from plugins/azure/appConfigurations/appConfigurationManagedIdentity.js rename to plugins/azure/appConfigurations/appConfigManagedIdentity.js index e3e717a14b..3193e9b6b0 100644 --- a/plugins/azure/appConfigurations/appConfigurationManagedIdentity.js +++ b/plugins/azure/appConfigurations/appConfigManagedIdentity.js 
@@ -4,10 +4,10 @@ var helpers = require('../../../helpers/azure'); module.exports = { title: 'App Configurations Managed Identity', category: 'App Configuration', - domain: 'Content Delivery', + domain: 'Developer Tools', description: 'Ensures that Azure App Configurations have managed identity enabled.', more_info: 'Enabling managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.', - link: 'https://learn.microsoft.com/en-us/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity?tabs=core6x&pivots=framework-dotnet', + link: 'https://learn.microsoft.com/en-us/azure/azure-app-configuration/overview-managed-identity', recommended_action: 'Modify App Configuration store and add managed identity.', apis: ['appConfigurations:list'], @@ -34,9 +34,8 @@ module.exports = { for (let appConfiguration of appConfigurations.data) { if (!appConfiguration.id) continue; - var identityType = appConfiguration.identity && appConfiguration.identity.type? appConfiguration.identity.type : null; - if (identityType && (identityType.includes('systemassigned') || identityType.includes('userassigned'))) { + if (appConfiguration.identity) { helpers.addResult(results, 0, 'App Configuration has managed identity enabled', location, appConfiguration.id); } else { helpers.addResult(results, 2, 'App Configuration does not have managed identity enabled', location, appConfiguration.id); diff --git a/plugins/azure/appConfigurations/appConfigurationManagedIdentity.spec.js b/plugins/azure/appConfigurations/appConfigManagedIdentity.spec.js similarity index 72% rename from plugins/azure/appConfigurations/appConfigurationManagedIdentity.spec.js rename to plugins/azure/appConfigurations/appConfigManagedIdentity.spec.js index c3ab1d0c76..47c4c96aad 100644 --- a/plugins/azure/appConfigurations/appConfigurationManagedIdentity.spec.js 
+++ b/plugins/azure/appConfigurations/appConfigManagedIdentity.spec.js @@ -1,5 +1,5 @@ var expect = require('chai').expect; -var appConfigurationManagedIdentity = require('./appConfigurationManagedIdentity.js'); +var appConfigManagedIdentity = require('./appConfigManagedIdentity.js'); const appConfigurations = [ { @@ -8,7 +8,7 @@ const appConfigurations = [ "properties": { "provisioningState": "Succeeded", "creationDate": "2023-12-27T09:26:54+00:00", - "endpoint": "https://meerab-test-rg.azconfig.io", + "endpoint": "https://dummy-test-rg.azconfig.io", "encryption": { "keyVaultProperties": null }, @@ -18,7 +18,7 @@ const appConfigurations = [ "softDeleteRetentionInDays": 0, "enablePurgeProtection": false }, - "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/meerab-rg/providers/Microsoft.AppConfiguration/configurationStores/meerab-test-rg", + "id": "/subscriptions/123/resourceGroups/meerab-rg/providers/Microsoft.AppConfiguration/configurationStores/meerab-test-rg", "name": "meerab-test-rg", "tags": {} }, @@ -28,7 +28,7 @@ const appConfigurations = [ "properties": { "provisioningState": "Succeeded", "creationDate": "2023-12-27T09:26:54+00:00", - "endpoint": "https://meerab-test-rg.azconfig.io", + "endpoint": "https://dummy-test-rg.azconfig.io", "encryption": { "keyVaultProperties": null }, 
@@ -38,17 +38,17 @@ const appConfigurations = [ "softDeleteRetentionInDays": 0, "enablePurgeProtection": false }, - "id": "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourceGroups/meerab-rg/providers/Microsoft.AppConfiguration/configurationStores/meerab-test-rg", + "id": "/subscriptions/123/resourceGroups/meerab-rg/providers/Microsoft.AppConfiguration/configurationStores/meerab-test-rg", "name": "meerab-test-rg", "tags": {}, "identity": { "type": "systemassigned,userassigned", - "principalId": "dc03d47d-e6df-491f-aebe-50a93412a890", - "tenantId": "d207c7bd-fcb1-4dd3-855a-cfd2f9b651e8", + "principalId": "12345", + "tenantId": "123456", "userAssignedIdentities": { - "/subscriptions/26a1a07e-06dd-4892-92c9-e4996b0fc546/resourcegroups/meerab-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testmeerab": { - "PrincipalId": "1d34c2cd-bd53-487d-b3a9-6064465497c9", - "ClientId": "2071caa1-3668-4de3-babc-155cfe3e38e5" + "/subscriptions/123/resourcegroups/meerab-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testmeerab": { + "PrincipalId": "1234567", + "ClientId": "123456789" } } } @@ -68,12 +68,12 @@ const createCache = (appConfigurations,err) => { } }; -describe('appConfigurationManagedIdentity', function () { +describe('appConfigManagedIdentity', function () { describe('run', function () { it('should give pass result if No existing app configurations found', function (done) { const cache = createCache([]); - appConfigurationManagedIdentity.run(cache, {}, (err, results) => { + appConfigManagedIdentity.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); expect(results[0].message).to.include('No existing App Configurations found'); 
@@ -84,7 +84,7 @@ describe('appConfigurationManagedIdentity', function () { it('should give unknown result if Unable to query app configurations:', function (done) { const cache = createCache(null, 'Error'); - appConfigurationManagedIdentity.run(cache, {}, (err, results) => { + appConfigManagedIdentity.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); expect(results[0].message).to.include('Unable to query App Configuration:'); @@ -95,7 +95,7 @@ describe('appConfigurationManagedIdentity', function () { it('should give passing result if App Configuration has managed identity enabled', function (done) { const cache = createCache([appConfigurations[1]]); - appConfigurationManagedIdentity.run(cache, {}, (err, results) => { + appConfigManagedIdentity.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); expect(results[0].message).to.include('App Configuration has managed identity enabled'); @@ -106,7 +106,7 @@ describe('appConfigurationManagedIdentity', function () { it('should give failing result if App Configuration does not have managed identity enabled', function (done) { const cache = createCache([appConfigurations[0]]); - appConfigurationManagedIdentity.run(cache, {}, (err, results) => { + appConfigManagedIdentity.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); expect(results[0].message).to.include('App Configuration does not have managed identity enabled'); From c8261aa21499b86c1da8f0681fe7aebc2e36c61a Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Fri, 29 Dec 2023 12:51:33 +0500 Subject: [PATCH 439/498] updated-file-name --- exports.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exports.js b/exports.js index 4c7f8912c3..2c59990cef 100644 --- a/exports.js +++ b/exports.js 
@@ -1041,7 +1041,7 @@ module.exports = { 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'), 'automationAcctDiagnosticLogs' : require(__dirname + '/plugins/azure/automationAccounts/automationAcctDiagnosticLogs.js'), - 'automationAcctManagedIdentity' : require(__dirname + '/plugins/azure/automationAccounts/automationAccttManagedIdentity.js'), + 'automationAcctManagedIdentity' : require(__dirname + '/plugins/azure/automationAccounts/automationAcctManagedIdentity.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), From a2f71d697e794da7d52ac843027b5fd2d9805791 Mon Sep 17 00:00:00 2001 From: Fatima <66124862+fatima99s@users.noreply.github.com> Date: Fri, 29 Dec 2023 13:08:19 +0500 Subject: [PATCH 440/498] Update exports.js Co-authored-by: alphadev4 <113519745+alphadev4@users.noreply.github.com> --- exports.js | 1 - 1 file changed, 1 deletion(-) diff --git a/exports.js b/exports.js index f3d99398e2..6f0eb1bb8a 100644 --- a/exports.js +++ b/exports.js @@ -999,7 +999,6 @@ module.exports = { 'enableEndpointIntegration' : require(__dirname + '/plugins/azure/defender/enableEndpointIntegration.js'), 'enableDefenderForDNS' : require(__dirname + '/plugins/azure/defender/enableDefenderForDNS.js'), 'enableDefenderForKeyVaults' : require(__dirname + '/plugins/azure/defender/enableDefenderForKeyVaults.js'), - 'agWafEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agWafEnabled'), 'agSecurityLoggingEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js'), 'agSslPolicy' : require(__dirname + '/plugins/azure/applicationGateway/agSslPolicy'), From d24b02f7cf3e620f3eb7c43df9f3f4edb6461a7c Mon Sep 17 00:00:00 2001 From: Fatima <66124862+fatima99s@users.noreply.github.com> Date: Fri, 29 Dec 2023 13:09:07 +0500 Subject: [PATCH 441/498] Update exports.js --- exports.js | 1 + 1 file changed, 1 insertion(+) 
diff --git a/exports.js b/exports.js index 6f0eb1bb8a..f3d99398e2 100644 --- a/exports.js +++ b/exports.js @@ -999,6 +999,7 @@ module.exports = { 'enableEndpointIntegration' : require(__dirname + '/plugins/azure/defender/enableEndpointIntegration.js'), 'enableDefenderForDNS' : require(__dirname + '/plugins/azure/defender/enableDefenderForDNS.js'), 'enableDefenderForKeyVaults' : require(__dirname + '/plugins/azure/defender/enableDefenderForKeyVaults.js'), + 'agWafEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agWafEnabled'), 'agSecurityLoggingEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js'), 'agSslPolicy' : require(__dirname + '/plugins/azure/applicationGateway/agSslPolicy'), From 8873148700d57e4535951a581acfb469346f6c57 Mon Sep 17 00:00:00 2001 From: fatima99s Date: Fri, 29 Dec 2023 13:11:16 +0500 Subject: [PATCH 442/498] resolveIssue --- exports.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exports.js b/exports.js index f3d99398e2..7d193aac5c 100644 --- a/exports.js +++ b/exports.js @@ -999,7 +999,7 @@ module.exports = { 'enableEndpointIntegration' : require(__dirname + '/plugins/azure/defender/enableEndpointIntegration.js'), 'enableDefenderForDNS' : require(__dirname + '/plugins/azure/defender/enableDefenderForDNS.js'), 'enableDefenderForKeyVaults' : require(__dirname + '/plugins/azure/defender/enableDefenderForKeyVaults.js'), - + 'agWafEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agWafEnabled'), 'agSecurityLoggingEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agSecurityLoggingEnabled.js'), 'agSslPolicy' : require(__dirname + '/plugins/azure/applicationGateway/agSslPolicy'), From 53a063324540c9789cdf2a3a5f8b7a0beb7a001e Mon Sep 17 00:00:00 2001 
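Review bot: The re-added `agWafEnabled` entry requires `'/plugins/azure/applicationGateway/agWafEnabled'` without the `.js` suffix that every neighbouring entry (and the `automationAcct*` entries earlier in this series) carries; Node resolves it either way, but the sibling `agSslPolicy` line has the same inconsistency, and path typos like the `automationAccttManagedIdentity.js` one fixed in patch 439 are easier to spot when the list is uniform. `'agWafEnabled' : require(__dirname + '/plugins/azure/applicationGateway/agWafEnabled.js'),` matches the file's convention. The `module.exports` object extends beyond this hunk.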
From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Fri, 29 Dec 2023 13:13:05 +0500 Subject: [PATCH 443/498] Apply suggestions from code review --- plugins/azure/postgresqlserver/flexibleServerVersion.js | 4 ++-- plugins/azure/postgresqlserver/flexibleServerVersion.spec.js | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/plugins/azure/postgresqlserver/flexibleServerVersion.js b/plugins/azure/postgresqlserver/flexibleServerVersion.js index f760e2b1f9..327e5373be 100644 --- a/plugins/azure/postgresqlserver/flexibleServerVersion.js +++ b/plugins/azure/postgresqlserver/flexibleServerVersion.js @@ -38,10 +38,10 @@ module.exports = { if (version && version >= 13) { helpers.addResult(results, 0, - 'Postgresql flexible server has the latest server version', location, flexibleServer.id); + 'PostgreSQL flexible server has the latest server version', location, flexibleServer.id); } else { helpers.addResult(results, 2, - 'Postgresql flexible server does not the latest server version', location, flexibleServer.id); + 'PostgreSQL flexible server does not the latest server version', location, flexibleServer.id); } } rcb(); diff --git a/plugins/azure/postgresqlserver/flexibleServerVersion.spec.js b/plugins/azure/postgresqlserver/flexibleServerVersion.spec.js index ab0205b57c..264b933e80 100644 --- a/plugins/azure/postgresqlserver/flexibleServerVersion.spec.js +++ b/plugins/azure/postgresqlserver/flexibleServerVersion.spec.js @@ -59,7 +59,7 @@ describe('flexibleServerVersion', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(2); - expect(results[0].message).to.include('Postgresql flexible server does not the latest server version'); + expect(results[0].message).to.include('PostgreSQL flexible server does not the latest server version'); expect(results[0].region).to.equal('eastus'); done() }; 
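Review bot: The failing message on the new side still reads `'PostgreSQL flexible server does not the latest server version'`, which is missing its verb; the commit only recased the product name. `'PostgreSQL flexible server does not have the latest server version'` is the intended text, and the matching `to.include` assertion in the `flexibleServerVersion.spec.js` hunk `@@ -59,7 +59,7 @@` here needs the same edit. The threshold `13` is hard-coded in the `version >= 13` comparison just above; a `settings` entry like the `diagnostic_logs` one introduced elsewhere in this series would let the minimum version be raised without a code change. The enclosing loop and `run` function extend beyond this hunk.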
@@ -75,7 +75,7 @@ describe('flexibleServerVersion', function() { const callback = (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Postgresql flexible server has the latest server version'); + expect(results[0].message).to.include('PostgreSQL flexible server has the latest server version'); expect(results[0].region).to.equal('eastus'); done() }; From aab34c366454e5d5bb347aeccacfada57dbc4833 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Fri, 29 Dec 2023 13:14:41 +0500 Subject: [PATCH 444/498] Update plugins/azure/postgresqlserver/flexibleServerVersion.js --- plugins/azure/postgresqlserver/flexibleServerVersion.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/plugins/azure/postgresqlserver/flexibleServerVersion.js b/plugins/azure/postgresqlserver/flexibleServerVersion.js index 327e5373be..ba7c30c2f8 100644 --- a/plugins/azure/postgresqlserver/flexibleServerVersion.js +++ b/plugins/azure/postgresqlserver/flexibleServerVersion.js @@ -34,6 +34,8 @@ module.exports = { } for (var flexibleServer of servers.data) { + If (!flexibleServer.id || !flexibleServer.version) return; + let version = parseFloat(flexibleServer.version); if (version && version >= 13) { From addde215c69edc11b79edb0b29a5fb7eddec2f2b Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Fri, 29 Dec 2023 13:17:18 +0500 Subject: [PATCH 445/498] Update plugins/azure/postgresqlserver/flexibleServerVersion.js --- plugins/azure/postgresqlserver/flexibleServerVersion.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/postgresqlserver/flexibleServerVersion.js b/plugins/azure/postgresqlserver/flexibleServerVersion.js index ba7c30c2f8..061e6d2080 100644 --- a/plugins/azure/postgresqlserver/flexibleServerVersion.js +++ b/plugins/azure/postgresqlserver/flexibleServerVersion.js 
@@ -34,7 +34,7 @@ module.exports = { } for (var flexibleServer of servers.data) { - If (!flexibleServer.id || !flexibleServer.version) return; + if (!flexibleServer.id || !flexibleServer.version) return; let version = parseFloat(flexibleServer.version); From 535842f4dc51fd8340ebf04787cba7a7bfa061fe Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Fri, 29 Dec 2023 13:21:16 +0500 Subject: [PATCH 446/498] Update plugins/azure/defender/enableDefenderForOSRD.js --- plugins/azure/defender/enableDefenderForOSRD.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/defender/enableDefenderForOSRD.js b/plugins/azure/defender/enableDefenderForOSRD.js index 1e0e05cdce..f11c3410f4 100644 --- a/plugins/azure/defender/enableDefenderForOSRD.js +++ b/plugins/azure/defender/enableDefenderForOSRD.js @@ -6,7 +6,7 @@ module.exports = { category: 'Defender', domain: 'Management and Governance', description: 'Ensures that Microsoft Defender is enabled for Open Source Relational Databases.', - more_info: 'Enabling Defender for Cloud on Open Source Relational Databases allows detection of unusual database access, query patterns, and suspicious activities, enhancing overall security.', + more_info: 'Enabling Defender for Cloud on Open Source Relational Databases allows detection of unusual database access, query patterns, and suspicious activities, enhancing overall security. This plan brings threat protections for PostgreSQL, MySQL and MariaDB Azure Databases.', recommended_action: 'Enable Microsoft Defender for Open Source Relational Databases in Defender plans for the subscription.', link: 'https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-databases-introduction#what-are-the-benefits-of-microsoft-defender-for-open-source-relational-databases', apis: ['pricings:list'], From 9359487180389562a68a6a07bcdfc0527035fb0b Mon Sep 17 00:00:00 2001 
From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Fri, 29 Dec 2023 13:30:40 +0500 Subject: [PATCH 447/498] Update plugins/azure/postgresqlserver/flexibleServerVersion.js --- plugins/azure/postgresqlserver/flexibleServerVersion.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/postgresqlserver/flexibleServerVersion.js b/plugins/azure/postgresqlserver/flexibleServerVersion.js index 061e6d2080..81b5d96252 100644 --- a/plugins/azure/postgresqlserver/flexibleServerVersion.js +++ b/plugins/azure/postgresqlserver/flexibleServerVersion.js @@ -34,7 +34,7 @@ module.exports = { } for (var flexibleServer of servers.data) { - if (!flexibleServer.id || !flexibleServer.version) return; + if (!flexibleServer.id || !flexibleServer.version) continue; let version = parseFloat(flexibleServer.version); From c818c202f940896de164e4295966d40d690b6b75 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Fri, 29 Dec 2023 13:31:55 +0500 Subject: [PATCH 448/498] Apply suggestions from code review --- .../azure/postgresqlserver/flexibleServerVNetIntegrated.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.js b/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.js index bd29a6d340..5a191bd07c 100644 --- a/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.js +++ b/plugins/azure/postgresqlserver/flexibleServerVNetIntegrated.js 
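Review bot: With `if (!flexibleServer.id || !flexibleServer.version) continue;` a server whose `version` is not reported is dropped from the results silently, producing neither a pass nor a fail for that resource. If that is deliberate, a comment such as `// skip servers that report no version; there is nothing to assess` would make the intent clear; otherwise an unknown (status 3) result for the resource, as the `Unable to query` branches elsewhere on this page do for unreadable data, is the more conservative choice. Note also that a `version` that is present but non-numeric passes the guard, `parseFloat` yields NaN, and the following `version && version >= 13` then reports it as a failure rather than as missing data — worth the same comment or handling. The enclosing loop and `run` function extend outside the hunk.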
@@ -6,8 +6,8 @@ module.exports = { category: 'PostgreSQL Server', domain: 'Databases', description: 'Ensures that PostgreSQL flexible servers have VNet integrated.', - more_info: 'Configuring PostgreSQL flexible server to operate within a Virtual Network (VNet) offers a myriad of benefits for enhanced security and operational control. By integrating with a VNet, you are proactively safeguarding your server against potential security threats and unauthorized access.', - recommended_action: 'Ensures Vnet (private access) is integrated for PostgreSQL flexible server.', + more_info: 'Configuring PostgreSQL flexible server to operate within a Virtual Network (VNet) offers a myriad of benefits for enhanced security and operational control. By integrating with a VNet allows to proactively safeguard your server against potential security threats and unauthorized access.', + recommended_action: 'Ensures VNet (private access) is integrated for PostgreSQL flexible server.', link: 'https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking-private', apis: ['servers:listPostgresFlexibleServer'], From d96aa93f89a6f3a71e5afce841e5abd4b5252a77 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Fri, 29 Dec 2023 13:59:22 +0500 Subject: [PATCH 449/498] Apply suggestions from code review --- plugins/azure/defender/enableDefenderForAppService.spec.js | 4 ++-- plugins/azure/defender/enableDefenderForVMs.spec.js | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/plugins/azure/defender/enableDefenderForAppService.spec.js b/plugins/azure/defender/enableDefenderForAppService.spec.js index 96d1ca5d76..e1cc5cdb3c 100644 --- a/plugins/azure/defender/enableDefenderForAppService.spec.js +++ b/plugins/azure/defender/enableDefenderForAppService.spec.js 
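Review bot: The rewritten `more_info` sentence on the first added line has no subject — `By integrating with a VNet allows to proactively safeguard your server ...`; `Integrating with a VNet allows you to proactively safeguard your server against potential security threats and unauthorized access.` reads correctly. On the second added line `recommended_action` is phrased as a statement (`Ensures VNet (private access) is integrated ...`) whereas the other plugins on this page phrase it as an instruction to the operator, e.g. `'Enable VNet (private access) integration for PostgreSQL flexible servers.'`.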
@@ -63,7 +63,7 @@ describe('enableDefenderForAppService', function() { null, [ { - "id": "/subscriptions/e79d9a03-3ab3-4481-bdcd-c5db1d55420a/providers/Microsoft.Security/pricings/default", + "id": "/subscriptions/12345/providers/Microsoft.Security/pricings/default", "name": "KubernetesService", "type": "Microsoft.Security/pricings", "pricingTier": "free", @@ -88,7 +88,7 @@ describe('enableDefenderForAppService', function() { null, [ { - "id": "/subscriptions/e79d9a03-3ab3-4481-bdcd-c5db1d55420a/providers/Microsoft.Security/pricings/default", + "id": "/subscriptions/12345/providers/Microsoft.Security/pricings/default", "name": "AppServices", "type": "Microsoft.Security/pricings", "pricingTier": "Standard", diff --git a/plugins/azure/defender/enableDefenderForVMs.spec.js b/plugins/azure/defender/enableDefenderForVMs.spec.js index f211f951c7..1946100fb3 100644 --- a/plugins/azure/defender/enableDefenderForVMs.spec.js +++ b/plugins/azure/defender/enableDefenderForVMs.spec.js @@ -64,7 +64,7 @@ describe('enableDefenderForVMs', function() { null, [ { - "id": "/subscriptions/e79d9a03-3ab3-4481-bdcd-c5db1d55420a/providers/Microsoft.Security/pricings/default", + "id": "/subscriptions/12345/providers/Microsoft.Security/pricings/default", "name": "KubernetesService", "type": "Microsoft.Security/pricings", "pricingTier": "free", @@ -89,7 +89,7 @@ describe('enableDefenderForVMs', function() { null, [ { - "id": "/subscriptions/e79d9a03-3ab3-4481-bdcd-c5db1d55420a/providers/Microsoft.Security/pricings/default", + "id": "/subscriptions/12345/providers/Microsoft.Security/pricings/default", "name": "VirtualMachines", "type": "Microsoft.Security/pricings", "pricingTier": "Standard", From b39feff7ba791f516e5076b326c27874e2038526 Mon Sep 17 00:00:00 2001 
From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Fri, 29 Dec 2023 14:01:46 +0500 Subject: [PATCH 450/498] Apply suggestions from code review --- plugins/azure/virtualmachines/vmEncryptionAtHost.js | 2 +- plugins/azure/virtualmachines/vmEncryptionAtHost.spec.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/virtualmachines/vmEncryptionAtHost.js b/plugins/azure/virtualmachines/vmEncryptionAtHost.js index 1294a18f01..1f07289fd6 100644 --- a/plugins/azure/virtualmachines/vmEncryptionAtHost.js +++ b/plugins/azure/virtualmachines/vmEncryptionAtHost.js @@ -24,7 +24,7 @@ module.exports = { if (!virtualMachines) return rcb(); if (virtualMachines.err || !virtualMachines.data) { - helpers.addResult(results, 3, 'Unable to query for virtualMachines: ' + helpers.addError(virtualMachines), location); + helpers.addResult(results, 3, 'Unable to query for Virtual Machines: ' + helpers.addError(virtualMachines), location); return rcb(); } diff --git a/plugins/azure/virtualmachines/vmEncryptionAtHost.spec.js b/plugins/azure/virtualmachines/vmEncryptionAtHost.spec.js index efc8b3af9c..51d84ebeea 100644 --- a/plugins/azure/virtualmachines/vmEncryptionAtHost.spec.js +++ b/plugins/azure/virtualmachines/vmEncryptionAtHost.spec.js @@ -64,7 +64,7 @@ describe('vmEncryptionAtHost', function() { vmEncryptionAtHost.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); - expect(results[0].message).to.include('Unable to query for virtualMachines'); + expect(results[0].message).to.include('Unable to query for Virtual Machines:'); expect(results[0].region).to.equal('eastus'); done(); }); From c1bff237cd888c399860eeb880a0263ee1de7210 Mon Sep 17 00:00:00 2001 
From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Fri, 29 Dec 2023 14:08:58 +0500 Subject: [PATCH 451/498] Update plugins/azure/virtualmachines/vmEncryptionAtHost.js --- plugins/azure/virtualmachines/vmEncryptionAtHost.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachines/vmEncryptionAtHost.js b/plugins/azure/virtualmachines/vmEncryptionAtHost.js index 1f07289fd6..55562f7eec 100644 --- a/plugins/azure/virtualmachines/vmEncryptionAtHost.js +++ b/plugins/azure/virtualmachines/vmEncryptionAtHost.js @@ -6,7 +6,7 @@ module.exports = { category: 'Virtual Machines', domain: 'Compute', description: 'Ensures that encryption at host is enabled for Azure Virtual Machine disks.', - more_info: 'The data for your temporary disk and OS/data disk caches is stored on the VM host, enabling encyrption at host for Azure Virtual Machine disks allows that data to be end-to-end encrypted, ensuring compliance and bolstering overall security with Azure Disk Encryption.', + more_info: 'The data for temporary disk and OS/data disk caches is stored on the VM host. Enabling encryption at host for Azure Virtual Machine disks allows the data to be end-to-end encrypted, ensuring compliance and bolstering overall security with Azure Disk Encryption.', recommended_action: 'Ensure that all Azure Virtual Machines have encryption at host enabled for disks.', link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption#encryption-at-host---end-to-end-encryption-for-your-vm-data', apis: ['virtualMachines:listAll'], From 0cd6fe953f6b90583337d7bade950f608d9e0439 Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Fri, 29 Dec 2023 14:10:42 +0500 Subject: [PATCH 452/498] Update exports.js --- exports.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exports.js b/exports.js index 12c9d8c167..8bf1037e4b 100644 --- a/exports.js +++ b/exports.js 
@@ -983,7 +983,7 @@ module.exports = { 'wafPolicyHasTags' : require(__dirname + '/plugins/azure/waf/wafPolicyHasTags.js'), 'recoveryVaultByokEncrypted' : require(__dirname + '/plugins/azure/recoveryService/recoveryVaultByokEncrypted.js'), - 'recoveryVaultLoggingEnabled': require(__dirname + '/plugins/azure/recoveryService/recoveryVaultLoggingEnabled.js'), + 'recoveryVaultLoggingEnabled' : require(__dirname + '/plugins/azure/recoveryService/recoveryVaultLoggingEnabled.js'), 'domainPublicAccessEnabled' : require(__dirname + '/plugins/azure/eventGrid/domainPublicAccess.js'), From e3820977831ba5f4d0546696721ed7238434f0d2 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Sat, 30 Dec 2023 14:10:08 +0500 Subject: [PATCH 453/498] pr issues resolved --- .../virtualmachinescaleset/vmssManagedIdentityEnabled.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js b/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js index b2fab5d701..758f3de245 100644 --- a/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js +++ b/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js 
@@ -5,10 +5,10 @@ module.exports = { title: 'VM Scale Set Managed Identity Enabled', category: 'Virtual Machines', domain: 'Compute', - description: 'Ensures that Azure Virtual Machine scale sets have managed identity enabled.', - more_info: 'Managed identities for Azure resources provide Azure services with an automatically managed identity in Microsoft Entra ID. You can use this identity to authenticate to any service that supports Microsoft Entra authentication, without having credentials in your code.', + description: 'Ensures that Azure Virtual Machine Scale Sets have managed identity enabled.', + more_info: 'Enabling managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.', link: 'https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/qs-configure-portal-windows-vmss', - recommended_action: 'Modify VM scale set and enable user or system assigned identities.', + recommended_action: 'Modify VM Scale Set and enable managed identity.', apis: ['virtualMachineScaleSets:listAll'], run: function(cache, settings, callback) { From 0053b15f807720e3544fb4ff2e9483b85fe59839 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Sat, 30 Dec 2023 14:17:32 +0500 Subject: [PATCH 454/498] PR comments resolved --- .../virtualmachinescaleset/vmssApprovedExtensions.js | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js b/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js index 33b6dd39aa..ce6cbb3d16 100644 --- a/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js +++ b/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js 
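Review bot: The new `more_info` replaces the removed text's "Microsoft Entra ID" with "Azure AD"/"Azure Active Directory (Azure AD)", i.e. it reverts to the older product name even though the unchanged `link` on the next line points at the `entra` documentation path; keeping the current name (`... providing an identity for the Azure resource in Microsoft Entra ID and using it to obtain Microsoft Entra tokens.`) avoids the mismatch. The sentence also has a number-agreement slip: `Enabling managed identities eliminate the need ...` should be `eliminates`.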
@@ -2,20 +2,20 @@ const async = require('async'); const helpers = require('../../../helpers/azure'); module.exports = { - title: 'VM Approved Extensions', + title: 'VM Scale Set Approved Extensions', category: 'Virtual Machines', domain: 'Compute', - description: 'Ensures that approved virtual machine extensions are installed.', + description: 'Ensures that approved Virtual Machine Scale Set extensions are installed.', more_info: 'Extensions are small applications that provide post-deployment configuration and automation on Azure VMs. Extensions installed should be approved by the organization to meet the organizational security requirements.', recommended_action: 'Uninstall unapproved virtual machine extensions', - link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/overview', - apis: ['virtualMachines:listAll', 'virtualMachineExtensions:list'], + link: 'https://learn.microsoft.com/en-us/rest/api/compute/virtual-machine-scale-set-extensions/list', + apis: ['virtualMachineScaleSets:listAll'], settings: { vmss_approved_extensions: { name: 'Approved VM extensions', description: 'List of comma separated approved extension names', regex: '^.*$', - default: 'healthRepairExtension' + default: '' } }, From 95a88553344792992e59a27d171c2f822c3a73fa Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Sat, 30 Dec 2023 14:20:14 +0500 Subject: [PATCH 455/498] link updated --- plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js b/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js index ce6cbb3d16..e87f45454f 100644 --- a/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js +++ b/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js 
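Review bot: Changing `default` for `vmss_approved_extensions` from `'healthRepairExtension'` to `''` ships the plugin with an empty approved list, and nothing in the hunk says what `run` (outside the hunk) does then — whether every installed extension is reported as unapproved or the check is skipped; the setting's `description` should state it, e.g. `'List of comma separated approved extension names; when empty, <actual behaviour>'`. Naming is also now inconsistent inside the hunk: `title` and `description` were moved to Virtual Machine Scale Sets, but `name: 'Approved VM extensions'` and `recommended_action: 'Uninstall unapproved virtual machine extensions'` still say virtual machine, and the context line `category: 'Virtual Machines'` is not updated here while patches 456 and 459 on this page move sibling plugins to `'Virtual Machine Scale Set'`. Since `apis` dropped `virtualMachineExtensions:list`, confirm that `run` now reads extensions from the `virtualMachineScaleSets:listAll` payload rather than the removed call.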
@@ -8,7 +8,7 @@ module.exports = { description: 'Ensures that approved Virtual Machine Scale Set extensions are installed.', more_info: 'Extensions are small applications that provide post-deployment configuration and automation on Azure VMs. Extensions installed should be approved by the organization to meet the organizational security requirements.', recommended_action: 'Uninstall unapproved virtual machine extensions', - link: 'https://learn.microsoft.com/en-us/rest/api/compute/virtual-machine-scale-set-extensions/list', + link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/overview', apis: ['virtualMachineScaleSets:listAll'], settings: { vmss_approved_extensions: { From 41c8ff8ea3a2853b76eaee415a851d058eeef591 Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Sat, 30 Dec 2023 14:40:50 +0500 Subject: [PATCH 456/498] PR comments resolved --- exports.js | 5 +++-- .../vmssTrustedLaunchEnabled.js | 6 +++--- .../vmssTrustedLaunchEnabled.spec.js | 0 3 files changed, 6 insertions(+), 5 deletions(-) rename plugins/azure/{virtualmachines => virtualmachinescaleset}/vmssTrustedLaunchEnabled.js (90%) rename plugins/azure/{virtualmachines => virtualmachinescaleset}/vmssTrustedLaunchEnabled.spec.js (100%) diff --git a/exports.js b/exports.js index 9397cd2ad6..d597765f0d 100644 --- a/exports.js +++ b/exports.js @@ -756,7 +756,6 @@ module.exports = { 'vmVTPMEnabled' : require(__dirname + '/plugins/azure/virtualmachines/vmVTPMEnabled.js'), 'vmSecureBootEnabled' : require(__dirname + '/plugins/azure/virtualmachines/vmSecureBootEnabled.js'), 'vmDiskDeleteConfig' : require(__dirname + '/plugins/azure/virtualmachines/vmDiskDeleteConfig.js'), - 'vmssTrustedLaunchEnabled' : require(__dirname + '/plugins/azure/virtualmachines/vmssTrustedLaunchEnabled.js'), 'bastionHostExists' : require(__dirname + '/plugins/azure/bastion/bastionHostExists.js'), 
@@ -1039,7 +1038,9 @@ module.exports = { 'amsDiagnosticLogsEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js'), 'amsPublicAccessDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsPublicAccessDisabled.js'), 'amsManagedIdentityEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsManagedIdentityEnabled.js'), - 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js') + 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'), + + 'vmssTrustedLaunchEnabled' : require(__dirname + '/plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/plugins/azure/virtualmachines/vmssTrustedLaunchEnabled.js b/plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js similarity index 90% rename from plugins/azure/virtualmachines/vmssTrustedLaunchEnabled.js rename to plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js index c276495e45..aad6efdcd8 100644 --- a/plugins/azure/virtualmachines/vmssTrustedLaunchEnabled.js +++ b/plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js 
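Review bot: The re-added `'vmssTrustedLaunchEnabled'` entry is appended after the mediaServices group, separated by a blank line, instead of next to the other scale-set plugins it belongs with; the same placement is repeated for `'scaleSetAdAuthEnabled'` in patch 457 on this page. Grouping both under the existing virtualmachinescaleset entries (or a short `// Virtual Machine Scale Sets` comment above them) keeps exports.js navigable as the list grows.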
@@ -3,11 +3,11 @@ const helpers = require('../../../helpers/azure'); module.exports = { title: 'Scale Sets Trusted Launch Enabled', - category: 'Virtual Machines', + category: 'Virtual Machine Scale Set', domain: 'Compute', - description: 'Ensures that Trusted launch security option is enabled for virtual machine scale sets.', + description: 'Ensures that trusted launch security option is enabled for Virtual Machine Scale Sets.', more_info: 'Trusted launch protects against advanced and persistent attack techniques. Trusted launch is composed of several, coordinated infrastructure technologies that can be enabled independently. Each technology provides another layer of defense against sophisticated threats.', - recommended_action: 'Modify VMSS configurations and enable trusted launch.', + recommended_action: 'Remove existing Virtual Machine Scale Set and create a new one with trusted launch enabled.', link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch', apis: ['virtualMachineScaleSets:listAll'], diff --git a/plugins/azure/virtualmachines/vmssTrustedLaunchEnabled.spec.js b/plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.spec.js similarity index 100% rename from plugins/azure/virtualmachines/vmssTrustedLaunchEnabled.spec.js rename to plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.spec.js From ff4f70d8eb8b08d8d91fbe603645bd8d04d9b2ca Mon Sep 17 00:00:00 2001 From: abdullahaslam306 Date: Sat, 30 Dec 2023 14:57:03 +0500 Subject: [PATCH 457/498] PR comments resolved --- exports.js | 5 ++-- .../scaleSetAdAuthEnabled.js} | 18 +++++++------- .../scaleSetAdAuthEnabled.spec.js} | 24 +++++++++---------- 3 files changed, 25 insertions(+), 22 deletions(-) rename plugins/azure/{virtualmachines/scaleSetAdAuthenticationEnabled.js => virtualmachinescaleset/scaleSetAdAuthEnabled.js} (74%) rename plugins/azure/{virtualmachines/scaleSetAdAuthenticationEnabled.spec.js => virtualmachinescaleset/scaleSetAdAuthEnabled.spec.js} (82%) 
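Review bot: The new `recommended_action` instructs the operator to delete the scale set and create a new one, which is a destructive remediation for a scan finding; if trusted launch really cannot be switched on for an existing scale set, `more_info` should say so and the action should point at migrating workloads, e.g. `'Trusted launch cannot be enabled on an existing scale set; migrate workloads to a new Virtual Machine Scale Set created with trusted launch enabled.'`. I cannot verify that limitation from the hunk, so confirm it against the linked documentation before wording it as a hard requirement. The `category` change to `'Virtual Machine Scale Set'` here is applied to vmssManagedIdentityEnabled.js only in patch 459 and not at all to vmssApprovedExtensions.js (patch 454) on this page.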
diff --git a/exports.js b/exports.js index 09716ba034..f2428bf6e5 100644 --- a/exports.js +++ b/exports.js @@ -756,7 +756,6 @@ module.exports = { 'vmVTPMEnabled' : require(__dirname + '/plugins/azure/virtualmachines/vmVTPMEnabled.js'), 'vmSecureBootEnabled' : require(__dirname + '/plugins/azure/virtualmachines/vmSecureBootEnabled.js'), 'vmDiskDeleteConfig' : require(__dirname + '/plugins/azure/virtualmachines/vmDiskDeleteConfig.js'), - 'scaleSetAdAuthenticationEnabled': require(__dirname + '/plugins/azure/virtualmachines/scaleSetAdAuthenticationEnabled.js'), 'bastionHostExists' : require(__dirname + '/plugins/azure/bastion/bastionHostExists.js'), @@ -1039,7 +1038,9 @@ module.exports = { 'amsDiagnosticLogsEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js'), 'amsPublicAccessDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsPublicAccessDisabled.js'), 'amsManagedIdentityEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsManagedIdentityEnabled.js'), - 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js') + 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'), + + 'scaleSetAdAuthEnabled' : require(__dirname + '/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js'), }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/plugins/azure/virtualmachines/scaleSetAdAuthenticationEnabled.js b/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js similarity index 74% rename from plugins/azure/virtualmachines/scaleSetAdAuthenticationEnabled.js rename to plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js index 29b7c85a19..fe88104de3 100644 --- a/plugins/azure/virtualmachines/scaleSetAdAuthenticationEnabled.js +++ b/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js 
@@ -2,11 +2,11 @@ const async = require('async'); const helpers = require('../../../helpers/azure'); module.exports = { - title: 'Scale Sets Active Directory Authentication Enabled', - category: 'Virtual Machines', + title: 'Scale Sets AD Authentication', + category: 'Virtual Machine Scale Set', domain: 'Compute', - description: 'Ensures that Azure Active Directory (AD) authentication is enabled for virtual machine scale sets.', - more_info: 'Organizations can now improve the security of virtual machine Scale Sets in Azure by integrating with Azure Active Directory (AD) authentication. Enabling Azure Active Directory (AD) authentication for Azure virtual machine scale set ensures access to VMs from one central point and simplifies access permission management.', + description: 'Ensures that Azure Active Directory (AD) authentication is enabled for Virtual Machine Scale Sets.', + more_info: 'Enabling Azure Active Directory (AD) authentication for VM Scale Sets ensures access from one central point and simplifies access permission management. It allows conditional access by using Role-Based Access Control (RBAC) policies, and enable MFA.', recommended_action: 'Enable Azure Active Directory authentication for Azure virtual machines scale sets.', link: 'https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-linux', apis: ['virtualMachineScaleSets:listAll'], 
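Review bot: The new `title: 'Scale Sets AD Authentication'` does not follow the `VM Scale Set ...` pattern used by the sibling plugins renamed on this page (`'VM Scale Set Managed Identity Enabled'`, `'VM Scale Set Approved Extensions'`); `'VM Scale Set AD Authentication Enabled'` would match. The last clause of the new `more_info` also has a verb-agreement slip: `... and enable MFA.` should be `... and enables MFA.`.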
@@ -39,17 +39,19 @@ module.exports = { ? virtualMachineScaleSet.virtualMachineProfile.extensionProfile.extensions : []; const adAuthentication = scaleSetExtensions.length - ? scaleSetExtensions.some((extension) => (extension.properties.type === 'AADLoginForWindows' || - extension.properties.type === 'AADLoginForLinux' || extension.properties.type === 'AADSSHLoginForLinux' + ? scaleSetExtensions.some((extension) => (extension.properties && extension.properties.type && + (extension.properties.type.toLowerCase() === 'aadloginforwindows' || + extension.properties.type.toLowerCase() === 'aadloginforlinux' || + extension.properties.type.toLowerCase() === 'aadsshloginforlinux') )) : false; if (adAuthentication) { helpers.addResult(results, 0, - 'Virtual Machine Scale Set has active directory authentication enabled', location, virtualMachineScaleSet.id); + 'Virtual Machine Scale Set has Active Directory authentication enabled', location, virtualMachineScaleSet.id); } else { helpers.addResult(results, 2, - 'Virtual Machine Scale Set has active directory authentication disabled', location, virtualMachineScaleSet.id); + 'Virtual Machine Scale Set has Active Directory authentication disabled', location, virtualMachineScaleSet.id); } } rcb(); diff --git a/plugins/azure/virtualmachines/scaleSetAdAuthenticationEnabled.spec.js b/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.spec.js similarity index 82% rename from plugins/azure/virtualmachines/scaleSetAdAuthenticationEnabled.spec.js rename to plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.spec.js index 3b4b84da15..0348115352 100644 --- a/plugins/azure/virtualmachines/scaleSetAdAuthenticationEnabled.spec.js +++ b/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.spec.js 
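Review bot: The new predicate lowercases `extension.properties.type` three times and repeats the null guards inside one long expression; hoisting the normalised type and testing membership in a list reads better and is easier to extend, and the outer `scaleSetExtensions.length ? ... : false` is redundant because `Array.prototype.some` already returns false for an empty array (sketch below). Separately, matching `aadloginforlinux` alongside `aadsshloginforlinux` means the older AADLoginForLinux extension is accepted as equivalent to the current one; if that is intended, a short comment on the list (`// both the older and the current Linux AAD login extensions count as enabled`) would record the decision. The enclosing `run` function starts and ends outside the hunk.
```javascript
const AD_LOGIN_EXTENSION_TYPES = ['aadloginforwindows', 'aadloginforlinux', 'aadsshloginforlinux'];
// … unchanged: scaleSetExtensions lookup …
const adAuthentication = scaleSetExtensions.some((extension) => {
    const type = extension.properties && extension.properties.type
        ? extension.properties.type.toLowerCase()
        : '';
    return AD_LOGIN_EXTENSION_TYPES.includes(type);
});
// … unchanged: addResult calls …
```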
@@ -1,5 +1,5 @@ var expect = require('chai').expect; -var scaleSetAdAuthenticationEnabled = require('./scaleSetAdAuthenticationEnabled'); +var scaleSetAdAuthEnabled = require('./scaleSetAdAuthEnabled'); const virtualMachineScaleSets = [ { @@ -68,11 +68,11 @@ const createCache = (virtualMachineScaleSets) => { }; }; -describe('scaleSetAdAuthenticationEnabled', function() { +describe('scaleSetAdAuthEnabled', function() { describe('run', function() { it('should give passing result if no virtual machine scale sets', function(done) { const cache = createCache([]); - scaleSetAdAuthenticationEnabled.run(cache, {}, (err, results) => { + scaleSetAdAuthEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); expect(results[0].message).to.include('No existing Virtual Machine Scale Sets found'); @@ -83,7 +83,7 @@ describe('scaleSetAdAuthenticationEnabled', function() { it('should give unknown result if unable to query for virtual machine scale sets', function(done) { const cache = createCache(); - scaleSetAdAuthenticationEnabled.run(cache, {}, (err, results) => { + scaleSetAdAuthEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(3); expect(results[0].message).to.include('Unable to query for Virtual Machine Scale Sets'); 
@@ -92,22 +92,22 @@ describe('scaleSetAdAuthenticationEnabled', function() { }); }); - it('should give passing result if Virtual Machine Scale Set has AD authentication enabled', function(done) { + it('should give passing result if linux Virtual Machine Scale Set has AD authentication enabled', function(done) { const cache = createCache([virtualMachineScaleSets[0]]); - scaleSetAdAuthenticationEnabled.run(cache, {}, (err, results) => { + scaleSetAdAuthEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Virtual Machine Scale Set has active directory authentication enabled'); + expect(results[0].message).to.include('Virtual Machine Scale Set has Active Directory authentication enabled'); expect(results[0].region).to.equal('eastus'); done(); }); }); - it('should give passing result if Virtual Machine Scale Set has AD authentication enabled', function(done) { + it('should give passing result if windows Virtual Machine Scale Set has AD authentication enabled', function(done) { const cache = createCache([virtualMachineScaleSets[1]]); - scaleSetAdAuthenticationEnabled.run(cache, {}, (err, results) => { + scaleSetAdAuthEnabled.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0); - expect(results[0].message).to.include('Virtual Machine Scale Set has active directory authentication enabled'); + expect(results[0].message).to.include('Virtual Machine Scale Set has Active Directory authentication enabled'); expect(results[0].region).to.equal('eastus'); done(); }); 
@@ -115,10 +115,10 @@ describe('scaleSetAdAuthenticationEnabled', function() {
 it('should give failing result if Virtual Machine Scale Set has AD authentication disabled', function(done) {
 const cache = createCache([virtualMachineScaleSets[2]]);
- scaleSetAdAuthenticationEnabled.run(cache, {}, (err, results) => {
+ scaleSetAdAuthEnabled.run(cache, {}, (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(2);
- expect(results[0].message).to.include('Virtual Machine Scale Set has active directory authentication disabled');
+ expect(results[0].message).to.include('Virtual Machine Scale Set has Active Directory authentication disabled');
 expect(results[0].region).to.equal('eastus');
 done();
 });
From 3a55fb74cfcc049eeda609e2484731ba468dc6db Mon Sep 17 00:00:00 2001
From: abdullahaslam306
Date: Sat, 30 Dec 2023 15:09:24 +0500
Subject: [PATCH 458/498] resolved
---
 .../virtualmachinescaleset/vmssManagedIdentityEnabled.spec.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.spec.js b/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.spec.js
index 5bfa76ccb3..e2e382d88a 100644
--- a/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.spec.js
+++ b/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.spec.js
@@ -70,7 +70,7 @@ describe('vmssManagedIdentityEnabled', function() {
 it('should give failing result if VM scale set does not have managed identity enabled', function(done) {
 const cache = createCache([virtualMachineScaleSets[1]]);
- vmssManagedIdentityEnabled.run(cache, { vmss_approved_extensions: 'healthRepairExtension' }, (err, results) => {
+ vmssManagedIdentityEnabled.run(cache, {}, (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(2);
 expect(results[0].message).to.include('VM scale set does not have managed identity enabled');
From 020d31f038a2fbf69f14268befcec25d7ae099c8 Mon Sep 17 00:00:00 2001
From: abdullahaslam306
Date: Sat, 30 Dec 2023 15:10:27 +0500
Subject: [PATCH 459/498] category updated
---
 .../azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js b/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js
index 758f3de245..82ce250e0d 100644
--- a/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js
+++ b/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js
@@ -3,7 +3,7 @@ var helpers = require('../../../helpers/azure');
 module.exports = {
 title: 'VM Scale Set Managed Identity Enabled',
- category: 'Virtual Machines',
+ category: 'Virtual Machine Scale Set',
 domain: 'Compute',
 description: 'Ensures that Azure Virtual Machine Scale Sets have managed identity enabled.',
 more_info: 'Enabling managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.',
From a61db8742f2b4c54b7544e09a7bafc6d03202de4 Mon Sep 17 00:00:00 2001
From: abdullahaslam306
Date: Sat, 30 Dec 2023 15:25:35 +0500
Subject: [PATCH 460/498] category changed
---
 exports.js | 19 ++++++++++---------
 .../autoInstanceRepairsEnabled.js | 2 +-
 .../autoInstanceRepairsEnabled.spec.js | 0
 .../autoOsUpgradesEnabled.js | 2 +-
 .../autoOsUpgradesEnabled.spec.js | 0
 .../autoscaleNotificationsEnabled.js | 2 +-
 .../autoscaleNotificationsEnabled.spec.js | 0
 .../noEmptyScaleSets.js | 4 ++--
 .../noEmptyScaleSets.spec.js | 0
 .../scaleSetAutoscaleEnabled.js | 2 +-
 .../scaleSetAutoscaleEnabled.spec.js | 0
 .../scaleSetHealthMonitoring.js | 2 +-
 .../scaleSetHealthMonitoring.spec.js | 0
 .../scaleSetMultiAz.js | 2 +-
 .../scaleSetMultiAz.spec.js | 0
 .../vmScaleSetHasTags.js | 2 +-
 .../vmScaleSetHasTags.spec.js | 0
 17 files changed, 19 insertions(+), 18 deletions(-)
 rename plugins/azure/{virtualmachines => virtualmachinescaleset}/autoInstanceRepairsEnabled.js (98%)
 rename plugins/azure/{virtualmachines => virtualmachinescaleset}/autoInstanceRepairsEnabled.spec.js (100%)
 rename plugins/azure/{virtualmachines => virtualmachinescaleset}/autoOsUpgradesEnabled.js (98%)
 rename plugins/azure/{virtualmachines => virtualmachinescaleset}/autoOsUpgradesEnabled.spec.js (100%)
 rename plugins/azure/{virtualmachines => virtualmachinescaleset}/autoscaleNotificationsEnabled.js (99%)
 rename plugins/azure/{virtualmachines => virtualmachinescaleset}/autoscaleNotificationsEnabled.spec.js (100%)
 rename plugins/azure/{virtualmachines => virtualmachinescaleset}/noEmptyScaleSets.js (96%)
 rename plugins/azure/{virtualmachines => virtualmachinescaleset}/noEmptyScaleSets.spec.js (100%)
 rename plugins/azure/{virtualmachines => virtualmachinescaleset}/scaleSetAutoscaleEnabled.js (98%)
 rename plugins/azure/{virtualmachines => virtualmachinescaleset}/scaleSetAutoscaleEnabled.spec.js (100%)
 rename plugins/azure/{virtualmachines => virtualmachinescaleset}/scaleSetHealthMonitoring.js (98%)
 rename plugins/azure/{virtualmachines => virtualmachinescaleset}/scaleSetHealthMonitoring.spec.js (100%)
 rename plugins/azure/{virtualmachines => virtualmachinescaleset}/scaleSetMultiAz.js (98%)
 rename plugins/azure/{virtualmachines => virtualmachinescaleset}/scaleSetMultiAz.spec.js (100%)
 rename plugins/azure/{virtualmachines => virtualmachinescaleset}/vmScaleSetHasTags.js (97%)
 rename plugins/azure/{virtualmachines => virtualmachinescaleset}/vmScaleSetHasTags.spec.js (100%)
diff --git a/exports.js b/exports.js
index 0fab601115..550a1112af 100644
--- a/exports.js
+++ b/exports.js
@@ -717,21 +717,15 @@ module.exports = {
 'vmEndpointProtection' : require(__dirname + '/plugins/azure/virtualmachines/vmEndpointProtection.js'),
 'vmAutoUpdateEnabled' : require(__dirname + '/plugins/azure/virtualmachines/vmAutoUpdateEnabled.js'),
 'vmAvailabilitySetEnabled' : require(__dirname + '/plugins/azure/virtualmachines/vmAvailabilitySetEnabled.js'),
- 'scaleSetMultiAz' : require(__dirname + '/plugins/azure/virtualmachines/scaleSetMultiAz.js'),
- 'scaleSetAutoscaleEnabled' : require(__dirname + '/plugins/azure/virtualmachines/scaleSetAutoscaleEnabled.js'),
 'vmAvailabilitySetLimit' : require(__dirname + '/plugins/azure/virtualmachines/vmAvailabilitySetLimit.js'),
 'vmDailyBackupRetention' : require(__dirname + '/plugins/azure/virtualmachines/vmDailyBackupRetention.js'),
 'vmBackupsEnabled' : require(__dirname + '/plugins/azure/virtualmachines/vmBackupsEnabled.js'),
 'premiumSsdDisabled' : require(__dirname + '/plugins/azure/virtualmachines/premiumSsdDisabled.js'),
 'vmManagedDisks' : require(__dirname + '/plugins/azure/virtualmachines/vmManagedDisks.js'),
- 'autoInstanceRepairsEnabled' : require(__dirname + '/plugins/azure/virtualmachines/autoInstanceRepairsEnabled.js'),
- 'noEmptyScaleSets' : require(__dirname + '/plugins/azure/virtualmachines/noEmptyScaleSets.js'),
 'acceleratedNetworkingEnabled' : require(__dirname + '/plugins/azure/virtualmachines/acceleratedNetworkingEnabled.js'),
 'passwordAuthDisabled' : require(__dirname + '/plugins/azure/virtualmachines/passwordAuthDisabled.js'),
 'approvedVmImage' : require(__dirname + '/plugins/azure/virtualmachines/approvedVmImage.js'),
- 'autoOsUpgradesEnabled' : require(__dirname + '/plugins/azure/virtualmachines/autoOsUpgradesEnabled.js'),
 'noUnattachedDisks' : require(__dirname + '/plugins/azure/virtualmachines/noUnattachedDisks.js'),
- 'autoscaleNotificationsEnabled' : require(__dirname + '/plugins/azure/virtualmachines/autoscaleNotificationsEnabled.js'),
 'instantRestoreRetention' : require(__dirname + '/plugins/azure/virtualmachines/instantRestoreRetention.js'),
 'desiredSkuSize' : require(__dirname + '/plugins/azure/virtualmachines/desiredSkuSize.js'),
 'approvedVmExtension' : require(__dirname + '/plugins/azure/virtualmachines/approvedVmExtension.js'),
@@ -740,7 +734,6 @@ module.exports = {
 'vmAdAuthenticationEnabled' : require(__dirname + '/plugins/azure/virtualmachines/vmAdAuthenticationEnabled.js'),
 'performanceDiagnosticsEnabled' : require(__dirname + '/plugins/azure/virtualmachines/performanceDiagnosticsEnabled.js'),
 'vmBootDiagnosticsEnabled' : require(__dirname + '/plugins/azure/virtualmachines/vmBootDiagnosticsEnabled.js'),
- 'scaleSetHealthMonitoring' : require(__dirname + '/plugins/azure/virtualmachines/scaleSetHealthMonitoring.js'),
 'diskByokEncryptionEnabled' : require(__dirname + '/plugins/azure/virtualmachines/diskByokEncryptionEnabled.js'),
 'vmImageHasTags' : require(__dirname + '/plugins/azure/virtualmachines/vmImageHasTags'),
 'vmHasTags' : require(__dirname + '/plugins/azure/virtualmachines/vmHasTags.js'),
@@ -748,7 +741,6 @@ module.exports = {
 'snapshotHasTags' : require(__dirname + '/plugins/azure/virtualmachines/snapshotHasTags.js'),
 'unattachedDiskWithDefaultEncryption': require(__dirname + '/plugins/azure/virtualmachines/unattachedDiskWithDefaultEncryption.js'),
 'snapshotPublicAccessDisabled' : require(__dirname + '/plugins/azure/virtualmachines/snapshotPublicAccessDisabled.js'),
- 'vmScaleSetHasTags' : require(__dirname + '/plugins/azure/virtualmachines/vmScaleSetHasTags.js'),
 'snapshotByokEncryptionEnabled' : require(__dirname + '/plugins/azure/virtualmachines/snapshotByokEncryptionEnabled.js'),
 'systemAssignedIdentityEnabled' : require(__dirname + '/plugins/azure/virtualmachines/systemAssignedIdentityEnabled.js'),
 'vmWindowsAntiMalwareExtension' : require(__dirname + '/plugins/azure/virtualmachines/vmWindowsAntiMalwareExtension.js'),
@@ -1038,7 +1030,16 @@ module.exports = {
 'amsDiagnosticLogsEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js'),
 'amsPublicAccessDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsPublicAccessDisabled.js'),
 'amsManagedIdentityEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsManagedIdentityEnabled.js'),
- 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js')
+ 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'),
+
+ 'scaleSetMultiAz' : require(__dirname + '/plugins/azure/virtualmachinescaleset/scaleSetMultiAz.js'),
+ 'scaleSetAutoscaleEnabled' : require(__dirname + '/plugins/azure/virtualmachinescaleset/scaleSetAutoscaleEnabled.js'),
+ 'scaleSetHealthMonitoring' : require(__dirname + '/plugins/azure/virtualmachinescaleset/scaleSetHealthMonitoring.js'),
+ 'vmScaleSetHasTags' : require(__dirname + '/plugins/azure/virtualmachinescaleset/vmScaleSetHasTags.js'),
+ 'noEmptyScaleSets' : require(__dirname + '/plugins/azure/virtualmachinescaleset/noEmptyScaleSets.js'),
+ 'autoscaleNotificationsEnabled' : require(__dirname + '/plugins/azure/virtualmachinescaleset/autoscaleNotificationsEnabled.js'),
+ 'autoOsUpgradesEnabled' : require(__dirname + '/plugins/azure/virtualmachinescaleset/autoOsUpgradesEnabled.js'),
+ 'autoInstanceRepairsEnabled' : require(__dirname + '/plugins/azure/virtualmachinescaleset/autoInstanceRepairsEnabled.js'),
 },
 github: {
 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'),
diff --git a/plugins/azure/virtualmachines/autoInstanceRepairsEnabled.js b/plugins/azure/virtualmachinescaleset/autoInstanceRepairsEnabled.js
similarity index 98%
rename from plugins/azure/virtualmachines/autoInstanceRepairsEnabled.js
rename to plugins/azure/virtualmachinescaleset/autoInstanceRepairsEnabled.js
index 410f3f6d11..bfea9cf440 100644
--- a/plugins/azure/virtualmachines/autoInstanceRepairsEnabled.js
+++ b/plugins/azure/virtualmachinescaleset/autoInstanceRepairsEnabled.js
@@ -3,7 +3,7 @@ var helpers = require('../../../helpers/azure');
 module.exports = {
 title: 'Automatic Instance Repairs Enabled',
- category: 'Virtual Machines',
+ category: 'Virtual Machine Scale Set',
 domain: 'Compute',
 description: 'Ensures that automatic instance repairs is enabled for Azure virtual machine scale sets.',
 more_info: 'Enabling automatic instance repairs for Azure virtual machine scale sets helps achieve high availability for applications by maintaining a set of healthy instances.',
diff --git a/plugins/azure/virtualmachines/autoInstanceRepairsEnabled.spec.js b/plugins/azure/virtualmachinescaleset/autoInstanceRepairsEnabled.spec.js
similarity index 100%
rename from plugins/azure/virtualmachines/autoInstanceRepairsEnabled.spec.js
rename to plugins/azure/virtualmachinescaleset/autoInstanceRepairsEnabled.spec.js
diff --git a/plugins/azure/virtualmachines/autoOsUpgradesEnabled.js b/plugins/azure/virtualmachinescaleset/autoOsUpgradesEnabled.js
similarity index 98%
rename from plugins/azure/virtualmachines/autoOsUpgradesEnabled.js
rename to plugins/azure/virtualmachinescaleset/autoOsUpgradesEnabled.js
index 79732c1843..fb7c853f07 100644
--- a/plugins/azure/virtualmachines/autoOsUpgradesEnabled.js
+++ b/plugins/azure/virtualmachinescaleset/autoOsUpgradesEnabled.js
@@ -3,7 +3,7 @@ const helpers = require('../../../helpers/azure');
 module.exports = {
 title: 'Automatic OS Upgrades Enabled',
- category: 'Virtual Machines',
+ category: 'Virtual Machine Scale Set',
 domain: 'Compute',
 description: 'Ensure that automatic operating system (OS) upgrades are enabled for Microsoft Azure virtual machine scale sets.',
 more_info: 'Enabling automatic OS image upgrades on your scale set helps ease update management by safely and automatically upgrading the OS disk for all instances in the scale set.',
diff --git a/plugins/azure/virtualmachines/autoOsUpgradesEnabled.spec.js b/plugins/azure/virtualmachinescaleset/autoOsUpgradesEnabled.spec.js
similarity index 100%
rename from plugins/azure/virtualmachines/autoOsUpgradesEnabled.spec.js
rename to plugins/azure/virtualmachinescaleset/autoOsUpgradesEnabled.spec.js
diff --git a/plugins/azure/virtualmachines/autoscaleNotificationsEnabled.js b/plugins/azure/virtualmachinescaleset/autoscaleNotificationsEnabled.js
similarity index 99%
rename from plugins/azure/virtualmachines/autoscaleNotificationsEnabled.js
rename to plugins/azure/virtualmachinescaleset/autoscaleNotificationsEnabled.js
index 8a055d6610..9533971580 100644
--- a/plugins/azure/virtualmachines/autoscaleNotificationsEnabled.js
+++ b/plugins/azure/virtualmachinescaleset/autoscaleNotificationsEnabled.js
@@ -3,7 +3,7 @@ const helpers = require('../../../helpers/azure');
 module.exports = {
 title: 'Scale Sets Autoscale Notifications Enabled',
- category: 'Virtual Machines',
+ category: 'Virtual Machine Scale Set',
 domain: 'Compute',
 description: 'Ensures that Virtual Machine scale sets have autoscale notifications enabled.',
 more_info: 'Autoscale automatically creates new instances when certain metrics are surpassed, or can destroy instances that are being underutilized. Autoscale notifications should be enabled to know about the status of autoscale operation.',
diff --git a/plugins/azure/virtualmachines/autoscaleNotificationsEnabled.spec.js b/plugins/azure/virtualmachinescaleset/autoscaleNotificationsEnabled.spec.js
similarity index 100%
rename from plugins/azure/virtualmachines/autoscaleNotificationsEnabled.spec.js
rename to plugins/azure/virtualmachinescaleset/autoscaleNotificationsEnabled.spec.js
diff --git a/plugins/azure/virtualmachines/noEmptyScaleSets.js b/plugins/azure/virtualmachinescaleset/noEmptyScaleSets.js
similarity index 96%
rename from plugins/azure/virtualmachines/noEmptyScaleSets.js
rename to plugins/azure/virtualmachinescaleset/noEmptyScaleSets.js
index b57f0c0337..2f62636adf 100644
--- a/plugins/azure/virtualmachines/noEmptyScaleSets.js
+++ b/plugins/azure/virtualmachinescaleset/noEmptyScaleSets.js
@@ -1,9 +1,9 @@
 var async = require('async');
-var helpers = require('../../../helpers/azure/');
+var helpers = require('../../../helpers/azure');
 module.exports = {
 title: 'No Empty Scale Sets',
- category: 'Virtual Machines',
+ category: 'Virtual Machine Scale Set',
 domain: 'Compute',
 description: 'Ensures that virtual machine scale sets have virtual machine instances attached.',
 more_info: 'Azure virtual machine scale sets let you create and manage a group of load balanced VMs. Scale sets with no vm instances should be deleted to save cost of unused resources',
diff --git a/plugins/azure/virtualmachines/noEmptyScaleSets.spec.js b/plugins/azure/virtualmachinescaleset/noEmptyScaleSets.spec.js
similarity index 100%
rename from plugins/azure/virtualmachines/noEmptyScaleSets.spec.js
rename to plugins/azure/virtualmachinescaleset/noEmptyScaleSets.spec.js
diff --git a/plugins/azure/virtualmachines/scaleSetAutoscaleEnabled.js b/plugins/azure/virtualmachinescaleset/scaleSetAutoscaleEnabled.js
similarity index 98%
rename from plugins/azure/virtualmachines/scaleSetAutoscaleEnabled.js
rename to plugins/azure/virtualmachinescaleset/scaleSetAutoscaleEnabled.js
index 50bd47bc57..8883d52544 100644
--- a/plugins/azure/virtualmachines/scaleSetAutoscaleEnabled.js
+++ b/plugins/azure/virtualmachinescaleset/scaleSetAutoscaleEnabled.js
@@ -3,7 +3,7 @@ const helpers = require('../../../helpers/azure');
 module.exports = {
 title: 'Scale Sets Autoscale Enabled',
- category: 'Virtual Machines',
+ category: 'Virtual Machine Scale Set',
 domain: 'Compute',
 description: 'Ensures that Virtual Machine scale sets have autoscale enabled for high availability',
 more_info: 'Autoscale automatically creates new instances when certain metrics are surpassed, or can destroy instances that are being underutilized. This creates a highly available scale set.',
diff --git a/plugins/azure/virtualmachines/scaleSetAutoscaleEnabled.spec.js b/plugins/azure/virtualmachinescaleset/scaleSetAutoscaleEnabled.spec.js
similarity index 100%
rename from plugins/azure/virtualmachines/scaleSetAutoscaleEnabled.spec.js
rename to plugins/azure/virtualmachinescaleset/scaleSetAutoscaleEnabled.spec.js
diff --git a/plugins/azure/virtualmachines/scaleSetHealthMonitoring.js b/plugins/azure/virtualmachinescaleset/scaleSetHealthMonitoring.js
similarity index 98%
rename from plugins/azure/virtualmachines/scaleSetHealthMonitoring.js
rename to plugins/azure/virtualmachinescaleset/scaleSetHealthMonitoring.js
index d259fd7aee..da9baa7119 100644
--- a/plugins/azure/virtualmachines/scaleSetHealthMonitoring.js
+++ b/plugins/azure/virtualmachinescaleset/scaleSetHealthMonitoring.js
@@ -3,7 +3,7 @@ const helpers = require('../../../helpers/azure');
 module.exports = {
 title: 'Scale Sets Health Monitoring Enabled',
- category: 'Virtual Machines',
+ category: 'Virtual Machine Scale Set',
 domain: 'Compute',
 description: 'Ensures that health monitoring is enabled for virtual machine scale sets.',
 more_info: 'Scale set health monitoring feature reports on VM health from inside the scale set instance and can be configured to probe on an application endpoint and update the status of the application on that instance. That instance status is checked by Azure to determine whether an instance is eligible for upgrade operations.',
diff --git a/plugins/azure/virtualmachines/scaleSetHealthMonitoring.spec.js b/plugins/azure/virtualmachinescaleset/scaleSetHealthMonitoring.spec.js
similarity index 100%
rename from plugins/azure/virtualmachines/scaleSetHealthMonitoring.spec.js
rename to plugins/azure/virtualmachinescaleset/scaleSetHealthMonitoring.spec.js
diff --git a/plugins/azure/virtualmachines/scaleSetMultiAz.js b/plugins/azure/virtualmachinescaleset/scaleSetMultiAz.js
similarity index 98%
rename from plugins/azure/virtualmachines/scaleSetMultiAz.js
rename to plugins/azure/virtualmachinescaleset/scaleSetMultiAz.js
index 0f3023fcb3..f672d625b8 100644
--- a/plugins/azure/virtualmachines/scaleSetMultiAz.js
+++ b/plugins/azure/virtualmachinescaleset/scaleSetMultiAz.js
@@ -3,7 +3,7 @@ const helpers = require('../../../helpers/azure');
 module.exports = {
 title: 'Scale Set Multi Az',
- category: 'Virtual Machines',
+ category: 'Virtual Machine Scale Set',
 domain: 'Compute',
 description: 'Ensures that Virtual Machine Scale Sets are created to be cross-AZ for high availability',
 more_info: 'Having Virtual Machine Scale Sets in multiple zones increases durability and availability. If there is a catastrophic instance in one zone, the scale set will still be available.',
diff --git a/plugins/azure/virtualmachines/scaleSetMultiAz.spec.js b/plugins/azure/virtualmachinescaleset/scaleSetMultiAz.spec.js
similarity index 100%
rename from plugins/azure/virtualmachines/scaleSetMultiAz.spec.js
rename to plugins/azure/virtualmachinescaleset/scaleSetMultiAz.spec.js
diff --git a/plugins/azure/virtualmachines/vmScaleSetHasTags.js b/plugins/azure/virtualmachinescaleset/vmScaleSetHasTags.js
similarity index 97%
rename from plugins/azure/virtualmachines/vmScaleSetHasTags.js
rename to plugins/azure/virtualmachinescaleset/vmScaleSetHasTags.js
index 2c1d3c1f7d..eac11f8f47 100644
--- a/plugins/azure/virtualmachines/vmScaleSetHasTags.js
+++ b/plugins/azure/virtualmachinescaleset/vmScaleSetHasTags.js
@@ -5,7 +5,7 @@ var helpers = require('../../../helpers/azure');
 module.exports = {
 title: 'VM Scale Set Has Tags',
- category: 'Virtual Machines',
+ category: 'Virtual Machine Scale Set',
 domain: 'Compute',
 description: 'Ensure that Azure Virtual Machine scale sets have tags associated.',
 more_info: 'Tags help you to group resources together that are related to or associated with each other. It is a best practice to tag cloud resources to better organize and gain visibility into their usage.',
diff --git a/plugins/azure/virtualmachines/vmScaleSetHasTags.spec.js b/plugins/azure/virtualmachinescaleset/vmScaleSetHasTags.spec.js
similarity index 100%
rename from plugins/azure/virtualmachines/vmScaleSetHasTags.spec.js
rename to plugins/azure/virtualmachinescaleset/vmScaleSetHasTags.spec.js
From b7875ceedb867e0cf3df5bc1d59668b968fdfe0b Mon Sep 17 00:00:00 2001
From: abdullahaslam306
Date: Sat, 30 Dec 2023 15:29:25 +0500
Subject: [PATCH 461/498] category update
---
 .../azure/virtualmachinescaleset/scalesetSecureBootEnabled.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.js b/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.js
index 2785aebe29..6c84863753 100644
--- a/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.js
+++ b/plugins/azure/virtualmachinescaleset/scalesetSecureBootEnabled.js
@@ -3,7 +3,7 @@ const helpers = require('../../../helpers/azure');
 module.exports = {
 title: 'Scale Sets Secure Boot Enabled',
- category: 'Virtual Machines',
+ category: 'Virtual Machine Scale Set',
 domain: 'Compute',
 description: 'Ensures that secure boot is enabled for virtual machine scale sets.',
 more_info: 'Secure Boot, which is implemented in platform firmware, protects against the installation of malware-based rootkits and boot kits. Secure Boot works to ensure that only signed operating systems and drivers can boot. It establishes a "root of trust" for the software stack on your VMSS.',
From c18019fee141497891bdfbca82a2bcbdeb1484da Mon Sep 17 00:00:00 2001
From: abdullahaslam306
Date: Sat, 30 Dec 2023 15:30:15 +0500
Subject: [PATCH 462/498] category update
---
 plugins/azure/virtualmachinescaleset/scalesetVTPMEnabled.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/virtualmachinescaleset/scalesetVTPMEnabled.js b/plugins/azure/virtualmachinescaleset/scalesetVTPMEnabled.js
index 54b460af70..0f5ab3889e 100644
--- a/plugins/azure/virtualmachinescaleset/scalesetVTPMEnabled.js
+++ b/plugins/azure/virtualmachinescaleset/scalesetVTPMEnabled.js
@@ -3,7 +3,7 @@ const helpers = require('../../../helpers/azure');
 module.exports = {
 title: 'Scale Sets vTPM Enabled',
- category: 'Virtual Machines',
+ category: 'Virtual Machine Scale Set',
 domain: 'Compute',
 description: 'Ensure that Virtual Trusted Platform Module (vTPM) is enabled for virtual machine scale sets.',
 more_info: 'vTPM is TPM2.0 compliant and enhances security by validating VM boot integrity and providing a secure storage mechanism for keys and secrets. The vTPM enables attestation by measuring the entire boot chain of your VM (UEFI, OS, system, and drivers).',
From 016b6f7ec2e97825657ec862831335ab0e2a827a Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Mon, 1 Jan 2024 11:18:55 +0500
Subject: [PATCH 463/498] Update plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
---
 plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js b/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
index fe88104de3..4e7aa84661 100644
--- a/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
+++ b/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
@@ -2,7 +2,7 @@ const async = require('async');
 const helpers = require('../../../helpers/azure');
 module.exports = {
- title: 'Scale Sets AD Authentication',
+ title: 'Scale Sets AD Authentication Enabled',
 category: 'Virtual Machine Scale Set',
 domain: 'Compute',
 description: 'Ensures that Azure Active Directory (AD) authentication is enabled for Virtual Machine Scale Sets.',
From 124f3e9229ce3acb75b02442ac7974598589ce32 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Mon, 1 Jan 2024 11:22:53 +0500
Subject: [PATCH 464/498] Update plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
---
 plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js b/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
index 4e7aa84661..dfc6e0c174 100644
--- a/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
+++ b/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
@@ -34,6 +34,7 @@ module.exports = {
 }
 for (let virtualMachineScaleSet of virtualMachineScaleSets.data) {
+ if(!virtualMachineScaleSet.id) continue;
 const scaleSetExtensions = virtualMachineScaleSet.virtualMachineProfile &&
 virtualMachineScaleSet.virtualMachineProfile.extensionProfile &&
 virtualMachineScaleSet.virtualMachineProfile.extensionProfile.extensions
 ? virtualMachineScaleSet.virtualMachineProfile.extensionProfile.extensions
From b4714c1923f8485a247d23b2c7de59f3e5c31537 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Mon, 1 Jan 2024 11:23:09 +0500
Subject: [PATCH 465/498] Update plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
---
 plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js b/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
index dfc6e0c174..3be0b00db4 100644
--- a/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
+++ b/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
@@ -35,6 +35,7 @@ module.exports = {
 for (let virtualMachineScaleSet of virtualMachineScaleSets.data) {
 if(!virtualMachineScaleSet.id) continue;
+
 const scaleSetExtensions = virtualMachineScaleSet.virtualMachineProfile &&
 virtualMachineScaleSet.virtualMachineProfile.extensionProfile &&
 virtualMachineScaleSet.virtualMachineProfile.extensionProfile.extensions
 ? virtualMachineScaleSet.virtualMachineProfile.extensionProfile.extensions
From cd0f29bb73073d65c504cc3d46dbba8455b9c5fe Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Mon, 1 Jan 2024 11:25:03 +0500
Subject: [PATCH 466/498] Update plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
---
 plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
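Review bot: The added guard `if(!virtualMachineScaleSet.id) continue;` in scaleSetAdAuthEnabled.js omits the space after `if` that the surrounding code uses (`for (let …`), and the identical guard added to vmssTrustedLaunchEnabled.js in this same series is later corrected to `if (!virtualMachineScaleSet.id) continue;`; this occurrence should get the same treatment unless a later commit outside this view already does so. The guard also drops any scale set that lacks an `id` without emitting a result, which is presumably intended because the id is what the result is reported against, but a short comment such as `// skip entries without an id: there is no resource identifier to report against` would make that deliberate. The enclosing loop and function continue outside the hunk.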
diff --git a/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js b/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
index 3be0b00db4..2f3f79ef19 100644
--- a/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
+++ b/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
@@ -2,7 +2,7 @@ const async = require('async');
 const helpers = require('../../../helpers/azure');
 module.exports = {
- title: 'Scale Sets AD Authentication Enabled',
+ title: 'Scale Sets AD Authentication',
 category: 'Virtual Machine Scale Set',
 domain: 'Compute',
 description: 'Ensures that Azure Active Directory (AD) authentication is enabled for Virtual Machine Scale Sets.',
From c8ea7ba1c4676ce1061c2579bd7c23e45a81a874 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Mon, 1 Jan 2024 11:31:22 +0500
Subject: [PATCH 467/498] Update plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js
---
 .../azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js b/plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js
index d7f292b82d..ecdb7e16ad 100644
--- a/plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js
+++ b/plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js
@@ -6,7 +6,7 @@ module.exports = {
 category: 'Virtual Machine Scale Set',
 domain: 'Compute',
 description: 'Ensures that trusted launch security option is enabled for Virtual Machine Scale Sets.',
- more_info: 'Trusted launch protects against advanced and persistent attack techniques. Trusted launch is composed of several, coordinated infrastructure technologies that can be enabled independently. Each technology provides another layer of defense against sophisticated threats.',
+ more_info: 'Enabling trusted launch works in seamless way to improve the security of VM scale sets. Trusted launch protects against advanced and persistent attack techniques. It is composed of several, coordinated infrastructure technologies that can be enabled independently, providing another layer of defense against sophisticated threats.',
 recommended_action: 'Remove existing Virtual Machine Scale Set and create a new one with trusted launch enabled.',
 link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch',
 apis: ['virtualMachineScaleSets:listAll'],
From 376b82ee7558892e537c7080430414010032ed37 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Mon, 1 Jan 2024 11:32:16 +0500
Subject: [PATCH 468/498] Update plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js
---
 plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js b/plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js
index ecdb7e16ad..412f9f21e2 100644
--- a/plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js
+++ b/plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js
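Review bot: The rewritten `more_info` string in vmssTrustedLaunchEnabled.js reads `works in seamless way`, which is missing an article; since this text is surfaced to users in plugin output it should read `works in a seamless way` (or, more directly, `Enabling trusted launch seamlessly improves the security of VM scale sets.`). The rest of the new sentence is fine. The module.exports object continues outside the hunk.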
@@ -34,6 +34,7 @@ module.exports = {
 }
 for (let virtualMachineScaleSet of virtualMachineScaleSets.data) {
+ if(!virtualMachineScaleSet.id) continue;
 if (virtualMachineScaleSet.virtualMachineProfile &&
 virtualMachineScaleSet.virtualMachineProfile.securityProfile &&
From 6db0fe47bcd581680bd2d9b1ecba82e521329bdc Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Mon, 1 Jan 2024 11:34:00 +0500
Subject: [PATCH 469/498] Update plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js
---
 .../azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js b/plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js
index 412f9f21e2..219de07f9b 100644
--- a/plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js
+++ b/plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js
@@ -34,7 +34,7 @@ module.exports = {
 }
 for (let virtualMachineScaleSet of virtualMachineScaleSets.data) {
- if(!virtualMachineScaleSet.id) continue;
+ if (!virtualMachineScaleSet.id) continue;
 if (virtualMachineScaleSet.virtualMachineProfile &&
 virtualMachineScaleSet.virtualMachineProfile.securityProfile &&
From e8c9111edcee69fbe499263ca35b29ef8989e8aa Mon Sep 17 00:00:00 2001
From: fatima99s
Date: Mon, 1 Jan 2024 12:27:18 +0500
Subject: [PATCH 470/498] updatedEKSVersions
---
 plugins/aws/eks/eksKubernetesVersion.js | 4 +++-
 plugins/aws/eks/eksKubernetesVersion.spec.js | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/plugins/aws/eks/eksKubernetesVersion.js b/plugins/aws/eks/eksKubernetesVersion.js
index a2b836806a..1ceb60da7b 100644
--- a/plugins/aws/eks/eksKubernetesVersion.js
+++ b/plugins/aws/eks/eksKubernetesVersion.js
@@ -39,6 +39,7 @@ module.exports = {
 '1.25': '2024-05-01',
 '1.26': '2024-06-01',
 '1.27': '2024-06-01',
+ '1.28': '2024-09-01'
 };
 var outdatedVersions = {
@@ -84,7 +85,8 @@ module.exports = {
 let versionOutdatedDate = (outdatedVersions[version]) ? outdatedVersions[version] : null;
 let today = new Date();
 let dateToday = (today.getDate() < 10) ? '0' + today.getDate() : today.getDate();
- today = `${today.getFullYear()}-${today.getMonth()+1}-${dateToday}`;
+ let month = (today.getMonth() < 10) ? '0' + (today.getMonth()+1) : today.getMonth();
+ today = `${today.getFullYear()}-${month}-${dateToday}`;
 if (versionDeprecationDate && today > versionDeprecationDate) {
 helpers.addResult(results, 2,
diff --git a/plugins/aws/eks/eksKubernetesVersion.spec.js b/plugins/aws/eks/eksKubernetesVersion.spec.js
index aeb8f9d1c8..b53206f8d2 100644
--- a/plugins/aws/eks/eksKubernetesVersion.spec.js
+++ b/plugins/aws/eks/eksKubernetesVersion.spec.js
@@ -82,7 +82,7 @@ describe('eksKubernetesVersion', function () {
 "cluster": {
 "name": "mycluster",
 "arn": "arn:aws:eks:us-east-1:012345678911:cluster/mycluster",
- "version": "1.24",
+ "version": "1.27",
 }
 }
 );
From 416c2154e000eb6b859f45f9dbb3a71bc421aedd Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Mon, 1 Jan 2024 13:55:26 +0500
Subject: [PATCH 471/498] Update plugins/azure/recoveryService/recoveryVaultLoggingEnabled.js
---
 plugins/azure/recoveryService/recoveryVaultLoggingEnabled.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/recoveryService/recoveryVaultLoggingEnabled.js b/plugins/azure/recoveryService/recoveryVaultLoggingEnabled.js
index f7683a6166..cfad498188 100644
--- a/plugins/azure/recoveryService/recoveryVaultLoggingEnabled.js
+++ b/plugins/azure/recoveryService/recoveryVaultLoggingEnabled.js
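Review bot: The added `let month = ...` line mis-formats the month for October, November and December: `getMonth()` is zero-based, so for 9 it yields `'010'` and for 10 and 11 it yields the un-incremented `10`/`11`, and because `today > versionDeprecationDate` is a string comparison those three months either skip or delay the deprecation finding (and presumably the outdated finding that uses `versionOutdatedDate`). Compare against the incremented value instead, e.g. `let month = String(today.getMonth() + 1).padStart(2, '0');`, which also drops the ternary. The `< 10` test on the `dateToday` line above is correct because `getDate()` is one-based. The enclosing function starts and ends outside the hunk.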
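Review bot: Pinning the fixture to `"version": "1.27"` makes this spec wall-clock dependent: the plugin compares `new Date()` against the hard-coded `'2024-06-01'` entry for 1.27, so whatever status this case expects will flip once that date passes. Prefer a version with no date in either map, or make the current date injectable, so the test stays stable over time. The surrounding test case starts and ends outside the hunk.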
@@ -6,7 +6,7 @@ module.exports = {
 category: 'Recovery Service Vault',
 domain: 'Backup',
 description: 'Ensure that Azure Recovery Services Vaults have diagnostic logs enabled.',
- more_info: 'Diagnostic logs provide valuable insights into the operation and health of the Recovery Services Vault. By enabling diagnostic logs, you can monitor and troubleshoot issues more effectively.',
+ more_info: 'Diagnostic logs provide valuable insights into the operation and health of the Recovery Services Vault. By enabling diagnostic logs, you can monitor and analysis the insights which can be used for alerting and reporting.',
 recommended_action: 'Modify the Recovery Service vault and enable diagnostic logs.',
 link: 'https://learn.microsoft.com/en-us/azure/backup/backup-azure-diagnostic-events?tabs=recovery-services-vaults',
 apis: ['diagnosticSettings:listByRecoveryServiceVault', 'recoveryServiceVaults:listBySubscriptionId'],
From 533a12f951555bbbcc80494c37b92abca81a9231 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Mon, 1 Jan 2024 14:06:17 +0500
Subject: [PATCH 472/498] Update plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
---
 plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js b/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
index 2f3f79ef19..ba6f3d3c6b 100644
--- a/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
+++ b/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
@@ -34,7 +34,7 @@ module.exports = {
 }
 for (let virtualMachineScaleSet of virtualMachineScaleSets.data) {
- if(!virtualMachineScaleSet.id) continue;
+ if (!virtualMachineScaleSet.id) continue;
 const scaleSetExtensions = virtualMachineScaleSet.virtualMachineProfile &&
 virtualMachineScaleSet.virtualMachineProfile.extensionProfile &&
 virtualMachineScaleSet.virtualMachineProfile.extensionProfile.extensions
From 9b388d61bc09d89a7ffd43536fcdfa40f175c1ff Mon Sep 17 00:00:00 2001
From: abdullahaslam306
Date: Mon, 1 Jan 2024 14:17:52 +0500
Subject: [PATCH 473/498] title changed
---
 plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js b/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
index fe88104de3..4e7aa84661 100644
--- a/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
+++ b/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
@@ -2,7 +2,7 @@ const async = require('async');
 const helpers = require('../../../helpers/azure');
 module.exports = {
- title: 'Scale Sets AD Authentication',
+ title: 'Scale Sets AD Authentication Enabled',
 category: 'Virtual Machine Scale Set',
 domain: 'Compute',
 description: 'Ensures that Azure Active Directory (AD) authentication is enabled for Virtual Machine Scale Sets.',
From ffcd2380473ddd7f30354ff2c472bc0085035e3c Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Mon, 1 Jan 2024 16:39:18 +0500
Subject: [PATCH 474/498] Update plugins/azure/recoveryService/recoveryVaultLoggingEnabled.js
---
 plugins/azure/recoveryService/recoveryVaultLoggingEnabled.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/plugins/azure/recoveryService/recoveryVaultLoggingEnabled.js b/plugins/azure/recoveryService/recoveryVaultLoggingEnabled.js
index cfad498188..bae79bfedc 100644
--- a/plugins/azure/recoveryService/recoveryVaultLoggingEnabled.js
+++ b/plugins/azure/recoveryService/recoveryVaultLoggingEnabled.js
@@ -44,6 +44,7 @@ module.exports = { 'Unable to query for Recovery Service Vault diagnostic settings: ' + helpers.addError(diagnosticSettings), location, vault.id); continue; } + var found = diagnosticSettings.data.find(ds => ds.logs && ds.logs.length); if (found) {
From 33dd3f986fd3817b6013fb560b8208e8611cd0a2 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Mon, 1 Jan 2024 16:42:03 +0500
Subject: [PATCH 475/498] Update plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
---
 plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js b/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
index 867d56a441..0e2deb7953 100644
--- a/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
+++ b/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js
@@ -7,7 +7,7 @@ module.exports = {
 domain: 'Compute',
 description: 'Ensures that Azure Active Directory (AD) authentication is enabled for Virtual Machine Scale Sets.',
 more_info: 'Enabling Azure Active Directory (AD) authentication for VM Scale Sets ensures access from one central point and simplifies access permission management. It allows conditional access by using Role-Based Access Control (RBAC) policies, and enable MFA.',
- recommended_action: 'Enable Azure Active Directory authentication for Azure virtual machines scale sets.',
+ recommended_action: 'Enable Active Directory authentication for all Virtual Machines scale sets.',
 link: 'https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-linux',
 apis: ['virtualMachineScaleSets:listAll'],
From 600c7ad03aad123706fcd97e6b7b8483b7efa543 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Mon, 1 Jan 2024 16:44:50 +0500
Subject: [PATCH 476/498] Update plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js
---
 .../azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js b/plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js
index 219de07f9b..56aaf90450 100644
--- a/plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js
+++ b/plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js
@@ -5,7 +5,7 @@ module.exports = {
 title: 'Scale Sets Trusted Launch Enabled',
 category: 'Virtual Machine Scale Set',
 domain: 'Compute',
- description: 'Ensures that trusted launch security option is enabled for Virtual Machine Scale Sets.',
+ description: 'Ensures that trusted launch security is enabled for Virtual Machine Scale Set.',
 more_info: 'Enabling trusted launch works in seamless way to improve the security of VM scale sets. Trusted launch protects against advanced and persistent attack techniques. It is composed of several, coordinated infrastructure technologies that can be enabled independently, providing another layer of defense against sophisticated threats.',
 recommended_action: 'Remove existing Virtual Machine Scale Set and create a new one with trusted launch enabled.',
 link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch',
From 8bcf95160fb9580ac7215c9ce7c2b95ead6049c1 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Mon, 1 Jan 2024 17:07:03 +0500
Subject: [PATCH 477/498] Update plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js
---
 plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js b/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js
index e87f45454f..5552bced9f 100644
--- a/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js
+++ b/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js
@@ -12,7 +12,7 @@ module.exports = {
 apis: ['virtualMachineScaleSets:listAll'],
 settings: {
 vmss_approved_extensions: {
- name: 'Approved VM extensions',
+ name: 'Approved Virtual Machine Scale set extensions',
 description: 'List of comma separated approved extension names',
 regex: '^.*$',
 default: ''
From 505f8b7664310cb7d9dc7055787cdeacf8bfdac2 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Mon, 1 Jan 2024 17:07:35 +0500
Subject: [PATCH 478/498] Update plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js
---
 plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js b/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js
index 5552bced9f..39c8a6399b 100644
--- a/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js
+++ b/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js
@@ -3,7 +3,7 @@ const helpers = require('../../../helpers/azure');
 module.exports = {
 title: 'VM Scale Set Approved Extensions',
- category: 'Virtual Machines',
+ category: 'Virtual Machine Scale Set',
 domain: 'Compute',
 description: 'Ensures that approved Virtual Machine Scale Set extensions are installed.',
 more_info: 'Extensions are small applications that provide post-deployment configuration and automation on Azure VMs. Extensions installed should be approved by the organization to meet the organizational security requirements.',
From 6c254b6f57755b8af05af30bd5016b003fb961bd Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Mon, 1 Jan 2024 17:09:03 +0500
Subject: [PATCH 479/498] Update plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js
---
 plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js b/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js
index 39c8a6399b..e9e39ce7bd 100644
--- a/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js
+++ b/plugins/azure/virtualmachinescaleset/vmssApprovedExtensions.js
@@ -7,7 +7,7 @@ module.exports = {
 domain: 'Compute',
 description: 'Ensures that approved Virtual Machine Scale Set extensions are installed.',
 more_info: 'Extensions are small applications that provide post-deployment configuration and automation on Azure VMs. Extensions installed should be approved by the organization to meet the organizational security requirements.',
- recommended_action: 'Uninstall unapproved virtual machine extensions',
+ recommended_action: 'Uninstall unapproved virtual machine scale set extensions',
 link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/overview',
 apis: ['virtualMachineScaleSets:listAll'],
 settings: {
From 72b7d389befee797901c3d09e9503e93e9c8729d Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Mon, 1 Jan 2024 17:33:08 +0500
Subject: [PATCH 480/498] Apply suggestions from code review
---
 .../virtualmachinescaleset/vmssManagedIdentityEnabled.js | 4 ++--
 .../virtualmachinescaleset/vmssManagedIdentityEnabled.spec.js | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js b/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js
index 82ce250e0d..e15479a376 100644
--- a/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js
+++ b/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.js
@@ -34,9 +34,9 @@ module.exports = {
 if (!scaleSet.id) continue;
 if (scaleSet.identity && scaleSet.identity.type){
- helpers.addResult(results, 0, 'VM scale set has managed identity enabled', location, scaleSet.id);
+ helpers.addResult(results, 0, 'Virtual Machine Scale Set has managed identity enabled', location, scaleSet.id);
 } else {
- helpers.addResult(results, 2, 'VM scale set does not have managed identity enabled', location, scaleSet.id);
+ helpers.addResult(results, 2, 'Virtual Machine Scale Set does not have managed identity enabled', location, scaleSet.id);
 }
 }
 rcb();
diff --git a/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.spec.js b/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.spec.js
index e2e382d88a..4858da8be7 100644
--- a/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.spec.js
+++ b/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.spec.js
@@ -62,7 +62,7 @@ describe('vmssManagedIdentityEnabled', function() {
 vmssManagedIdentityEnabled.run(cache, {}, (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(0);
- expect(results[0].message).to.include('VM scale set has managed identity enabled');
+ expect(results[0].message).to.include('Virtual Machine Scale Set has managed identity enabled');
 expect(results[0].region).to.equal('eastus');
 done();
 });
@@ -73,7 +73,7 @@ describe('vmssManagedIdentityEnabled', function() {
 vmssManagedIdentityEnabled.run(cache, {}, (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(2);
- expect(results[0].message).to.include('VM scale set does not have managed identity enabled');
+ expect(results[0].message).to.include('Virtual Machine Scale Set does not have managed identity enabled');
 expect(results[0].region).to.equal('eastus');
 done();
 });
From dbcf8428043447719b312be3db4911cdfe589c8a Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Mon, 1 Jan 2024 17:34:13 +0500
Subject: [PATCH 481/498] Apply suggestions from code review
---
 .../virtualmachinescaleset/vmssManagedIdentityEnabled.spec.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.spec.js b/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.spec.js
index 4858da8be7..1321669f9f 100644
--- a/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.spec.js
+++ b/plugins/azure/virtualmachinescaleset/vmssManagedIdentityEnabled.spec.js
@@ -8,8 +8,8 @@ const virtualMachineScaleSets = [
 'type': 'Microsoft.Compute/virtualMachineScaleSets',
 "identity": {
 "type": "SystemAssigned",
- "principalId": "5db3ed52-909e-4016-a31f-d2fe043952a4",
- "tenantId": "d207c7bd-fcb1-4dd3-855a-cfd2f9b651e8"
+ "principalId": "123454",
+ "tenantId": "1234548"
 },
 },
 {
From 8eac1f3e6168e29a59e27c272b6e14da9239769e Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Tue, 2 Jan 2024 02:54:37 +0500
Subject: [PATCH 482/498] Update plugins/azure/redisCache/redisCacheDiagnosticLogs.js
---
 plugins/azure/redisCache/redisCacheDiagnosticLogs.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/redisCache/redisCacheDiagnosticLogs.js b/plugins/azure/redisCache/redisCacheDiagnosticLogs.js
index a538645af3..d648598c06 100644
--- a/plugins/azure/redisCache/redisCacheDiagnosticLogs.js
+++ b/plugins/azure/redisCache/redisCacheDiagnosticLogs.js
@@ -69,7 +69,7 @@ module.exports = {
 }
 if (!missingLogs.length && found) {
- helpers.addResult(results, 0, 'Redis Cache has diagnostic logs enabled.', location, redisCache.id);
+ helpers.addResult(results, 0, 'Redis Cache has diagnostic logs enabled', location, redisCache.id);
 } else {
 helpers.addResult(results, 2, `Redis Cache does not have diagnostic logs enabled ${missingLogs.length? `for following: ${missingLogs}`: ''}`, location, redisCache.id);
 }
From de5556953256ff891e69da06d66124fe9dbb8b77 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Tue, 2 Jan 2024 02:57:15 +0500
Subject: [PATCH 483/498] Update plugins/azure/redisCache/redisCacheDiagnosticLogs.js
---
 plugins/azure/redisCache/redisCacheDiagnosticLogs.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/redisCache/redisCacheDiagnosticLogs.js b/plugins/azure/redisCache/redisCacheDiagnosticLogs.js
index a538645af3..d648598c06 100644
--- a/plugins/azure/redisCache/redisCacheDiagnosticLogs.js
+++ b/plugins/azure/redisCache/redisCacheDiagnosticLogs.js
@@ -69,7 +69,7 @@ module.exports = {
 }
 if (!missingLogs.length && found) {
- helpers.addResult(results, 0, 'Redis Cache has diagnostic logs enabled.', location, redisCache.id);
+ helpers.addResult(results, 0, 'Redis Cache has diagnostic logs enabled', location, redisCache.id);
 } else {
 helpers.addResult(results, 2, `Redis Cache does not have diagnostic logs enabled ${missingLogs.length? `for following: ${missingLogs}`: ''}`, location, redisCache.id);
 }
From a1a0c41501bf88b712c00bef0a778dd91f84fe0e Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Tue, 2 Jan 2024 02:59:40 +0500
Subject: [PATCH 484/498] Update plugins/azure/redisCache/redisCacheDiagnosticLogs.js
---
 plugins/azure/redisCache/redisCacheDiagnosticLogs.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/redisCache/redisCacheDiagnosticLogs.js b/plugins/azure/redisCache/redisCacheDiagnosticLogs.js
index d648598c06..3bb0a6ab00 100644
--- a/plugins/azure/redisCache/redisCacheDiagnosticLogs.js
+++ b/plugins/azure/redisCache/redisCacheDiagnosticLogs.js
@@ -71,7 +71,7 @@ module.exports = {
 if (!missingLogs.length && found) {
 helpers.addResult(results, 0, 'Redis Cache has diagnostic logs enabled', location, redisCache.id);
 } else {
- helpers.addResult(results, 2, `Redis Cache does not have diagnostic logs enabled ${missingLogs.length? `for following: ${missingLogs}`: ''}`, location, redisCache.id);
+ helpers.addResult(results, 2, `Redis Cache does not have diagnostic logs enabled${missingLogs.length? ` for following: ${missingLogs}`: ''}`, location, redisCache.id);
 }
 }
 });
From 420da1c92d3250387bae16605e31854562d208bb Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Tue, 2 Jan 2024 03:00:45 +0500
Subject: [PATCH 485/498] Update plugins/azure/redisCache/redisCacheDiagnosticLogs.js
---
 plugins/azure/redisCache/redisCacheDiagnosticLogs.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/redisCache/redisCacheDiagnosticLogs.js b/plugins/azure/redisCache/redisCacheDiagnosticLogs.js
index 3bb0a6ab00..d648598c06 100644
--- a/plugins/azure/redisCache/redisCacheDiagnosticLogs.js
+++ b/plugins/azure/redisCache/redisCacheDiagnosticLogs.js
@@ -71,7 +71,7 @@ module.exports = {
 if (!missingLogs.length && found) {
 helpers.addResult(results, 0, 'Redis Cache has diagnostic logs enabled', location, redisCache.id);
 } else {
- helpers.addResult(results, 2, `Redis Cache does not have diagnostic logs enabled${missingLogs.length? ` for following: ${missingLogs}`: ''}`, location, redisCache.id);
+ helpers.addResult(results, 2, `Redis Cache does not have diagnostic logs enabled ${missingLogs.length? `for following: ${missingLogs}`: ''}`, location, redisCache.id);
 }
 }
 });
From bd4f026b30450aa30e2e7514cc3fc356b7257ed9 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Tue, 2 Jan 2024 11:28:09 +0500
Subject: [PATCH 486/498] Update exports.js
---
 exports.js | 1 -
 1 file changed, 1 deletion(-)
diff --git a/exports.js b/exports.js
index 59c645b78e..d6fe49c6c7 100644
--- a/exports.js
+++ b/exports.js
@@ -1046,7 +1046,6 @@ module.exports = {
 'amsManagedIdentityEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsManagedIdentityEnabled.js'),
 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'),
 'amsContentKeyPolicy' : require(__dirname + '/plugins/azure/mediaServices/amsContentKeyPolicy.js'),
- 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'),
 'scaleSetAdAuthEnabled' : require(__dirname + '/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js'),
From e44e6c17e335ca3572ca935e4fdbdc3e490fe3cd Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Tue, 2 Jan 2024 11:32:56 +0500
Subject: [PATCH 487/498] Update exports.js
---
 exports.js | 1 -
 1 file changed, 1 deletion(-)
diff --git a/exports.js b/exports.js
index 44dfe10e5b..d6666f460f 100644
--- a/exports.js
+++ b/exports.js
@@ -1046,7 +1046,6 @@ module.exports = {
 'amsManagedIdentityEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsManagedIdentityEnabled.js'),
 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'),
 'amsContentKeyPolicy' : require(__dirname + '/plugins/azure/mediaServices/amsContentKeyPolicy.js'),
- 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'),
 'vmssTrustedLaunchEnabled' : require(__dirname + '/plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js'),
From 165a6d585a71246f144e583cafc5080bbf34d9bf Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Tue, 2 Jan 2024 11:46:33 +0500
Subject: [PATCH 488/498] Update exports.js
---
 exports.js | 1 -
 1 file changed, 1 deletion(-)
diff --git a/exports.js b/exports.js
index 0ce50ceb23..7dc1491fad 100644
--- a/exports.js
+++ b/exports.js
@@ -1044,7 +1044,6 @@ module.exports = {
 'amsDiagnosticLogsEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsDiagnosticLogsEnabled.js'),
 'amsPublicAccessDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsPublicAccessDisabled.js'),
 'amsManagedIdentityEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsManagedIdentityEnabled.js'),
- 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'),
 'amsContentKeyPolicy' : require(__dirname + '/plugins/azure/mediaServices/amsContentKeyPolicy.js'),
 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'),
From 25bcd93983e1bee6d8bfcac7634fad19c7ef35a3 Mon Sep 17 00:00:00 2001
From: Fatima <66124862+fatima99s@users.noreply.github.com>
Date: Tue, 2 Jan 2024 12:04:06 +0500
Subject: [PATCH 489/498] Update functions.js
---
 helpers/azure/functions.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/helpers/azure/functions.js b/helpers/azure/functions.js
index f11fdff8e3..57bd261abd 100644
--- a/helpers/azure/functions.js
+++ b/helpers/azure/functions.js
@@ -357,6 +357,7 @@ function checkServerConfigs(servers, cache, source, location, results, serverTyp } function checkMicrosoftDefender(pricings, serviceName, serviceDisplayName, results, location ) { + let pricingData = pricings.data.find((pricing) => pricing.name.toLowerCase() === serviceName); if (pricingData) { if (pricingData.pricingTier.toLowerCase() === 'standard') {
From 38f244abaa43ebf054332c7beadbb29e0ff2c269 Mon Sep 17 00:00:00 2001
From: Fatima <66124862+fatima99s@users.noreply.github.com>
Date: Tue, 2 Jan 2024 12:05:13 +0500
Subject: [PATCH 490/498] Update functions.js
---
 helpers/azure/functions.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helpers/azure/functions.js b/helpers/azure/functions.js
index 57bd261abd..2b0dea6fbd 100644
--- a/helpers/azure/functions.js
+++ b/helpers/azure/functions.js
@@ -357,7 +357,7 @@ function checkServerConfigs(servers, cache, source, location, results, serverTyp } function checkMicrosoftDefender(pricings, serviceName, serviceDisplayName, results, location ) { - + let pricingData = pricings.data.find((pricing) => pricing.name.toLowerCase() === serviceName); if (pricingData) { if (pricingData.pricingTier.toLowerCase() === 'standard') {
From 4baf7182899c7c3b98debe12e8dcda7953e14220 Mon Sep 17 00:00:00 2001
From: Fatima <66124862+fatima99s@users.noreply.github.com>
Date: Tue, 2 Jan 2024 12:06:08 +0500
Subject: [PATCH 491/498] Update functions.js
---
 helpers/azure/functions.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helpers/azure/functions.js b/helpers/azure/functions.js
index 2b0dea6fbd..57bd261abd 100644
--- a/helpers/azure/functions.js
+++ b/helpers/azure/functions.js
@@ -357,7 +357,7 @@ function checkServerConfigs(servers, cache, source, location, results, serverTyp } function checkMicrosoftDefender(pricings, serviceName, serviceDisplayName, results, location ) { - + let pricingData = pricings.data.find((pricing) => pricing.name.toLowerCase() === serviceName); if (pricingData) { if (pricingData.pricingTier.toLowerCase() === 'standard') {
From 19fe95ae5eb4a03c7ffc007a588dd3abb9fd2739 Mon Sep 17 00:00:00 2001
From: alphadev4
Date: Tue, 2 Jan 2024 12:47:38 +0500
Subject: [PATCH 492/498] Azure/Automation-Accounts
---
 .../containerregistry/acrManagedIdentityEnabled.spec.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/plugins/azure/containerregistry/acrManagedIdentityEnabled.spec.js b/plugins/azure/containerregistry/acrManagedIdentityEnabled.spec.js
index 7e717b488e..20f9370931 100644
--- a/plugins/azure/containerregistry/acrManagedIdentityEnabled.spec.js
+++ b/plugins/azure/containerregistry/acrManagedIdentityEnabled.spec.js
@@ -57,13 +57,13 @@ registries = [
 "tags": {},
 "anonymousPullEnabled": true,
 "sku": {
- "name": "Premium",
- "tier": "Premium"
+ "name": "Basic",
+ "tier": "Basic"
 },
 "policies": {
 "trustPolicy": {
 "type": "Notary",
- "status": "disabled"
+ "status": "enabled"
 },
 },
 "identity": {
From b86ac69e55784297716c245bece6ab5e5cc31a2a Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Tue, 2 Jan 2024 13:02:10 +0500
Subject: [PATCH 493/498] Update exports.js
---
 exports.js | 1 -
 1 file changed, 1 deletion(-)
diff --git a/exports.js b/exports.js
index d3e7ec7bd4..b5bfdc3f0e 100644
--- a/exports.js
+++ b/exports.js
@@ -1055,7 +1055,6 @@ module.exports = {
 'appConfigManagedIdentity' : require(__dirname + '/plugins/azure/appConfigurations/appConfigManagedIdentity.js'),
 'appConfigurationDiagnosticLogs': require(__dirname + '/plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.js'),
- 'appConfigManagedIdentity' : require(__dirname + '/plugins/azure/appConfigurations/appConfigManagedIdentity.js'),
 'vmssTrustedLaunchEnabled' : require(__dirname + '/plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js'),
 'scaleSetAdAuthEnabled' : require(__dirname + '/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js'),
From 79f17f957d875ac8e1de69165602877fb70a9a2d Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Tue, 2 Jan 2024 13:02:26 +0500
Subject: [PATCH 494/498] Update exports.js
---
 exports.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/exports.js b/exports.js
index b5bfdc3f0e..15947d5946 100644
--- a/exports.js
+++ b/exports.js
@@ -1051,7 +1051,7 @@ module.exports = {
 'amsPublicAccessDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsPublicAccessDisabled.js'),
 'amsManagedIdentityEnabled' : require(__dirname + '/plugins/azure/mediaServices/amsManagedIdentityEnabled.js'),
 'amsClassicApiDisabled' : require(__dirname + '/plugins/azure/mediaServices/amsClassicApiDisabled.js'),
- 'amsContentKeyPolicy' : require(__dirname + '/plugins/azure/mediaServices/amsContentKeyPolicy.js'),
+ 'amsContentKeyPolicy' : require(__dirname + '/plugins/azure/mediaServices/amsContentKeyPolicy.js'),
 'appConfigManagedIdentity' : require(__dirname + '/plugins/azure/appConfigurations/appConfigManagedIdentity.js'),
 'appConfigurationDiagnosticLogs': require(__dirname + '/plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.js'),
From c2d1efd3e211b86fdb064d7bb6f20853e2193fcf Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Tue, 2 Jan 2024 13:07:26 +0500
Subject: [PATCH 495/498] Update exports.js
---
 exports.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/exports.js b/exports.js
index 3597abcee5..25a31e8d48 100644
--- a/exports.js
+++ b/exports.js
@@ -1054,7 +1054,8 @@ module.exports = {
 'amsContentKeyPolicy' : require(__dirname + '/plugins/azure/mediaServices/amsContentKeyPolicy.js'),
 'appConfigManagedIdentity' : require(__dirname + '/plugins/azure/appConfigurations/appConfigManagedIdentity.js'),
- 'appConfigurationPublicAccess' : require(__dirname + '/plugins/azure/appConfigurations/appConfigurationPublicAccess.js'),
+ 'appConfigurationDiagnosticLogs' : require(__dirname + '/plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.js'),
+ 'appConfigurationPublicAccess' : require(__dirname + '/plugins/azure/appConfigurations/appConfigurationPublicAccess.js'),
 'vmssTrustedLaunchEnabled' : require(__dirname + '/plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js'),
 'scaleSetAdAuthEnabled' : require(__dirname + '/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js'),
From 7fecdab6918ba7df2b29130e9dfbcb0e01c18986 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Tue, 2 Jan 2024 13:08:00 +0500
Subject: [PATCH 496/498] Update exports.js
---
 exports.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/exports.js b/exports.js
index 25a31e8d48..f362a28118 100644
--- a/exports.js
+++ b/exports.js
@@ -1054,8 +1054,8 @@ module.exports = {
 'amsContentKeyPolicy' : require(__dirname + '/plugins/azure/mediaServices/amsContentKeyPolicy.js'),
 'appConfigManagedIdentity' : require(__dirname + '/plugins/azure/appConfigurations/appConfigManagedIdentity.js'),
- 'appConfigurationDiagnosticLogs' : require(__dirname + '/plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.js'),
- 'appConfigurationPublicAccess' : require(__dirname + '/plugins/azure/appConfigurations/appConfigurationPublicAccess.js'),
+ 'appConfigurationDiagnosticLogs' : require(__dirname + '/plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.js'),
+ 'appConfigurationPublicAccess' : require(__dirname + '/plugins/azure/appConfigurations/appConfigurationPublicAccess.js'),
 'vmssTrustedLaunchEnabled' : require(__dirname + '/plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js'),
 'scaleSetAdAuthEnabled' : require(__dirname + '/plugins/azure/virtualmachinescaleset/scaleSetAdAuthEnabled.js'),
From 5fa8e56b84f0ac7ca3c8cfb1995d0dc85e795894 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Tue, 2 Jan 2024 13:08:21 +0500
Subject: [PATCH 497/498] Update exports.js
---
 exports.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/exports.js b/exports.js
index f362a28118..47b67020cb 100644
--- a/exports.js
+++ b/exports.js
@@ -1054,7 +1054,7 @@ module.exports = {
 'amsContentKeyPolicy' : require(__dirname + '/plugins/azure/mediaServices/amsContentKeyPolicy.js'),
 'appConfigManagedIdentity' : require(__dirname + '/plugins/azure/appConfigurations/appConfigManagedIdentity.js'),
- 'appConfigurationDiagnosticLogs' : require(__dirname + '/plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.js'),
+ 'appConfigurationDiagnosticLogs': require(__dirname + '/plugins/azure/appConfigurations/appConfigurationDiagnosticLogs.js'),
 'appConfigurationPublicAccess' : require(__dirname + '/plugins/azure/appConfigurations/appConfigurationPublicAccess.js'),
 'vmssTrustedLaunchEnabled' : require(__dirname + '/plugins/azure/virtualmachinescaleset/vmssTrustedLaunchEnabled.js'),
From 72f9a6a930c4519a1a44972ab485480915231c02 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Tue, 2 Jan 2024 13:11:54 +0500
Subject: [PATCH 498/498] Update helpers/azure/functions.js
---
 helpers/azure/functions.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helpers/azure/functions.js b/helpers/azure/functions.js
index 57bd261abd..66f9274491 100644
--- a/helpers/azure/functions.js
+++ b/helpers/azure/functions.js
@@ -357,7 +357,7 @@ function checkServerConfigs(servers, cache, source, location, results, serverTyp } function checkMicrosoftDefender(pricings, serviceName, serviceDisplayName, results, location ) { - + let pricingData = pricings.data.find((pricing) => pricing.name.toLowerCase() === serviceName); if (pricingData) { if (pricingData.pricingTier.toLowerCase() === 'standard') {