OCI - Cloud Guard Enabled Plugin

celsogbezerra · Jul 17, 2022 · c1883ed · c1883ed
1 parent 034998e
commit c1883ed
Show file tree

Hide file tree

Showing 6 changed files with 168 additions and 1 deletion.
diff --git a/collectors/oracle/collector.js b/collectors/oracle/collector.js
@@ -99,6 +99,14 @@ var calls = {
             filterConfig: [true]
         }
     },
+    cloudguardConfiguration: {
+        get: {
+            api: 'cloudguard',
+            filterKey: ['compartmentId'],
+            filterValue: ['compartmentId'],
+            restVersion: '/20200131',
+        }
+    },
     group: {
         list: {
             api: 'iam',
@@ -379,6 +387,7 @@ var postcalls = {
             limit: 900
         }
     },
+
     waasPolicy: {
         get: {
             api: 'waas',

diff --git a/exports.js b/exports.js
@@ -910,6 +910,9 @@ module.exports = {
         'okePrivateEndpoint'            : require(__dirname + '/plugins/oracle/oke/okePrivateEndpoint.js'),
         'okeSecretsEncrypted'           : require(__dirname + '/plugins/oracle/oke/okeSecretsEncrypted.js'),
         'okeSecurityGroups'            : require(__dirname + '/plugins/oracle/oke/okeSecurityGroups.js'),
+
+        'cloudguardEnabled'            : require(__dirname + '/plugins/oracle/cloudguard/cloudguardEnabled.js'),
+
     },
     google: {
         'excessiveFirewallRules'        : require(__dirname + '/plugins/google/vpcnetwork/excessiveFirewallRules.js'),

diff --git a/helpers/oracle/regions.js b/helpers/oracle/regions.js
@@ -83,5 +83,6 @@ module.exports = {
     customerSecretKey: ['default'],
     vault: regions,
     keys: regions,
-    cluster: regions
+    cluster: regions,
+    cloudguardConfiguration: ['default']
 };
diff --git a/other_modules/oci/services.json b/other_modules/oci/services.json
@@ -23,6 +23,16 @@
             }
         }
     },
+    "cloudguard": {
+        "cloudguardConfiguration": {
+            "get": {
+                "allowedQueryStrings": ["compartmentId"],
+                "method": "GET",
+                "path": "configuration",
+                "endpoint": "cloudguard-cp-api.{{region}}.oci.oraclecloud.com"
+            }
+        }
+    },
     "oke": {
         "cluster": {
             "list": {

diff --git a/plugins/oracle/cloudguard/cloudguardEnabled.js b/plugins/oracle/cloudguard/cloudguardEnabled.js
@@ -0,0 +1,40 @@
+var helpers = require('../../../helpers/oracle');
+
+module.exports = {
+    title: 'Cloud Guard Enabled',
+    category: 'Cloud Guard',
+    domain: 'Management and Governance',
+    description: 'Ensure Cloud Guard is enabled in the root compartment of the tenancy.',
+    more_info: 'Cloud Guard detects misconfigured resources and insecure activity within a tenancy and provides security administrators with the visibility to resolve these issues. Upon detection, Cloud Guard can suggest, assist, or take corrective actions to mitigate these issues.',
+    recommended_action: 'Cloud Guard should be enabled in the root compartment of your tenancy.',
+    link: 'https://docs.oracle.com/en-us/iaas/cloud-guard/using/index.htm',
+    apis: ['cloudguardConfiguration:get'],
+
+    run: function(cache, settings, callback) {
+        var results = [];
+        var source = {};
+        var region = helpers.objectFirstKey(cache['regionSubscription']['list']);
+
+        if (helpers.checkRegionSubscription(cache, source, results, region)) {
+
+            var config = helpers.addSource(cache, source,
+                ['cloudguardConfiguration', 'get', region]);
+
+            if (!config) return callback(null, results, source);
+
+            if (config.err) {
+                helpers.addResult(results, 3,
+                    'Unable to query for cloud guard configuration: ' + helpers.addError(config), region);
+                return callback(null, results, source);
+            }
+            if (config.data && Object.keys(config.data).length && config.data.status && config.data.status === 'ENABLED') {
+                helpers.addResult(results, 0,
+                    'Cloud Guard is enabled in the root compartment of the tenancy.', region);
+            } else {
+                helpers.addResult(results, 2,
+                    'Cloud Guard is not enabled in the root compartment of the tenancy.', region);
+            }
+        }
+        callback(null, results, source);
+    }
+};
diff --git a/plugins/oracle/cloudguard/cloudguardEnabled.spec.js b/plugins/oracle/cloudguard/cloudguardEnabled.spec.js
@@ -0,0 +1,104 @@
+var expect = require('chai').expect;
+var plugin = require('./cloudguardEnabled');
+
+const createCache = (err, data) => {
+    return {
+        regionSubscription: {
+            "list": {
+                "us-ashburn-1": {
+                    "data": [
+                        {
+                            "regionKey": "IAD",
+                            "regionName": "us-ashburn-1",
+                            "status": "READY",
+                            "isHomeRegion": true
+                        },
+                        {
+                            "regionKey": "LHR",
+                            "regionName": "uk-london-1",
+                            "status": "READY",
+                            "isHomeRegion": false
+                        },
+                        {
+                            "regionKey": "PHX",
+                            "regionName": "us-phoenix-1",
+                            "status": "READY",
+                            "isHomeRegion": false
+                        }
+                    ]
+                }
+            }
+        },
+
+        cloudguardConfiguration: {
+            get: {
+                'us-ashburn-1': {
+                    err: err,
+                    data: data
+                }
+            }
+        }
+    }
+};
+
+describe('cloudguardEnabled', function () {
+    describe('run', function () {
+        it('should give unknown result if a configuration error is passed or no data is present', function (done) {
+            const callback = (err, results) => {
+                expect(results.length).to.be.above(0)
+                expect(results[0].status).to.equal(3)
+                expect(results[0].message).to.include('Unable to query for cloud guard configuration')
+                expect(results[0].region).to.equal('us-ashburn-1')
+                done()
+            };
+
+            const cache = createCache(
+                ['error'],
+                null,
+            );
+
+            plugin.run(cache, {}, callback);
+        })
+
+        it('should give passing result cloud guard is enabled in the root compartment of the tenancy', function (done) {
+            const callback = (err, results) => {
+                expect(results.length).to.be.above(0)
+                expect(results[0].status).to.equal(0)
+                expect(results[0].message).to.include('is enabled')
+                expect(results[0].region).to.equal('us-ashburn-1')
+                done()
+            };
+
+            const cache = createCache(
+                null,
+                {
+                    reportingRegion: 'us-ashburn-1',
+                    status: 'ENABLED',
+                    selfManageResources: false
+                }
+            );
+
+            plugin.run(cache, {}, callback);
+        })
+        it('should give failing result if cloud guard is not enabled in the root compartment of the tenancy', function (done) {
+            const callback = (err, results) => {
+                expect(results.length).to.be.above(0)
+                expect(results[0].status).to.equal(2)
+                expect(results[0].message).to.include('is not enabled')
+                expect(results[0].region).to.equal('us-ashburn-1')
+                done()
+            };
+
+            const cache = createCache(
+                null,
+                {
+                    reportingRegion: 'us-ashburn-1',
+                    status: 'DISABLED',
+                    selfManageResources: false
+                }
+            );
+
+            plugin.run(cache, {}, callback);
+        })
+    })
+})