From c1883ed5d1bd88d88d85877084aaec3c9adcb0ab Mon Sep 17 00:00:00 2001
From: mehakseedat63
Date: Sun, 17 Jul 2022 20:08:45 +0500
Subject: [PATCH] OCI - Cloud Guard Enabled Plugin
---
 collectors/oracle/collector.js | 9 ++
 exports.js | 3 +
 helpers/oracle/regions.js | 3 +-
 other_modules/oci/services.json | 10 ++
 .../oracle/cloudguard/cloudguardEnabled.js | 40 +++++++
 .../cloudguard/cloudguardEnabled.spec.js | 104 ++++++++++++++++++
 6 files changed, 168 insertions(+), 1 deletion(-)
 create mode 100644 plugins/oracle/cloudguard/cloudguardEnabled.js
 create mode 100644 plugins/oracle/cloudguard/cloudguardEnabled.spec.js
diff --git a/collectors/oracle/collector.js b/collectors/oracle/collector.js
index 4c3a0df0d3..7c62170ab3 100644
--- a/collectors/oracle/collector.js
+++ b/collectors/oracle/collector.js
@@ -99,6 +99,14 @@ var calls = {
 filterConfig: [true]
 }
 },
+ cloudguardConfiguration: {
+ get: {
+ api: 'cloudguard',
+ filterKey: ['compartmentId'],
+ filterValue: ['compartmentId'],
+ restVersion: '/20200131',
+ }
+ },
 group: {
 list: {
 api: 'iam',
@@ -379,6 +387,7 @@ var postcalls = {
 limit: 900
 }
 },
+
 waasPolicy: {
 get: {
 api: 'waas',
diff --git a/exports.js b/exports.js
index c7d33a4f9f..c7881cdc06 100644
--- a/exports.js
+++ b/exports.js
@@ -910,6 +910,9 @@ module.exports = {
 'okePrivateEndpoint' : require(__dirname + '/plugins/oracle/oke/okePrivateEndpoint.js'),
 'okeSecretsEncrypted' : require(__dirname + '/plugins/oracle/oke/okeSecretsEncrypted.js'),
 'okeSecurityGroups' : require(__dirname + '/plugins/oracle/oke/okeSecurityGroups.js'),
+
+ 'cloudguardEnabled' : require(__dirname + '/plugins/oracle/cloudguard/cloudguardEnabled.js'),
+
 },
 google: {
 'excessiveFirewallRules' : require(__dirname + '/plugins/google/vpcnetwork/excessiveFirewallRules.js'),
diff --git a/helpers/oracle/regions.js b/helpers/oracle/regions.js
index 4e10c3b37b..7c09824701 100644
--- a/helpers/oracle/regions.js
+++ b/helpers/oracle/regions.js
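Review bot: The new `cloudguardConfiguration.get` entry in collector.js filters on `compartmentId`, but nothing in this hunk says that value has to be the tenancy (root) OCID, while the plugin added later in this patch reports specifically on the root compartment. If the collector can be run with a sub-compartment OCID (not visible from here), the finding would be attributed to the wrong scope, so I would add a comment above the entry such as `// Cloud Guard configuration is read per tenancy: compartmentId must be the root compartment OCID`. The trailing comma after `restVersion: '/20200131',` also differs from the neighbouring entries in the context lines, which end their last property without one. The `calls` object starts and ends outside the hunk.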
@@ -83,5 +83,6 @@ module.exports = {
 customerSecretKey: ['default'],
 vault: regions,
 keys: regions,
- cluster: regions
+ cluster: regions,
+ cloudguardConfiguration: ['default']
 };
\ No newline at end of file
diff --git a/other_modules/oci/services.json b/other_modules/oci/services.json
index f578bb7c6d..7e27472fee 100644
--- a/other_modules/oci/services.json
+++ b/other_modules/oci/services.json
@@ -23,6 +23,16 @@
 }
 }
 },
+ "cloudguard": {
+ "cloudguardConfiguration": {
+ "get": {
+ "allowedQueryStrings": ["compartmentId"],
+ "method": "GET",
+ "path": "configuration",
+ "endpoint": "cloudguard-cp-api.{{region}}.oci.oraclecloud.com"
+ }
+ }
+ },
 "oke": {
 "cluster": {
 "list": {
diff --git a/plugins/oracle/cloudguard/cloudguardEnabled.js b/plugins/oracle/cloudguard/cloudguardEnabled.js
new file mode 100644
index 0000000000..0ab883ecc4
--- /dev/null
+++ b/plugins/oracle/cloudguard/cloudguardEnabled.js
@@ -0,0 +1,40 @@
+var helpers = require('../../../helpers/oracle');
+
+module.exports = {
+ title: 'Cloud Guard Enabled',
+ category: 'Cloud Guard',
+ domain: 'Management and Governance',
+ description: 'Ensure Cloud Guard is enabled in the root compartment of the tenancy.',
+ more_info: 'Cloud Guard detects misconfigured resources and insecure activity within a tenancy and provides security administrators with the visibility to resolve these issues. Upon detection, Cloud Guard can suggest, assist, or take corrective actions to mitigate these issues.',
+ recommended_action: 'Cloud Guard should be enabled in the root compartment of your tenancy.',
+ link: 'https://docs.oracle.com/en-us/iaas/cloud-guard/using/index.htm',
+ apis: ['cloudguardConfiguration:get'],
+
+ run: function(cache, settings, callback) {
+ var results = [];
+ var source = {};
+ var region = helpers.objectFirstKey(cache['regionSubscription']['list']);
+
+ if (helpers.checkRegionSubscription(cache, source, results, region)) {
+
+ var config = helpers.addSource(cache, source,
+ ['cloudguardConfiguration', 'get', region]);
+
+ if (!config) return callback(null, results, source);
+
+ if (config.err) {
+ helpers.addResult(results, 3,
+ 'Unable to query for cloud guard configuration: ' + helpers.addError(config), region);
+ return callback(null, results, source);
+ }
+ if (config.data && Object.keys(config.data).length && config.data.status && config.data.status === 'ENABLED') {
+ helpers.addResult(results, 0,
+ 'Cloud Guard is enabled in the root compartment of the tenancy.', region);
+ } else {
+ helpers.addResult(results, 2,
+ 'Cloud Guard is not enabled in the root compartment of the tenancy.', region);
+ }
+ }
+ callback(null, results, source);
+ }
+};
\ No newline at end of file
diff --git a/plugins/oracle/cloudguard/cloudguardEnabled.spec.js b/plugins/oracle/cloudguard/cloudguardEnabled.spec.js
new file mode 100644
index 0000000000..76d12bd2c6
--- /dev/null
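Review bot: In `run` of cloudguardEnabled.js, a response with no `err` and no `data` falls through to the `else` branch and is reported as status 2 ("not enabled"), so a collection gap is indistinguishable from Cloud Guard really being off; the spec added in this patch titles its first case "…or no data is present" but only exercises the `err` path. I would widen the error branch to `if (config.err || !config.data) {` so that case yields status 3, and add a spec case built with `createCache(null, null)`. The pass condition can then shrink to `if (config.data.status === 'ENABLED') {`, since the `Object.keys(...).length` and truthiness checks are implied by the equality. `cache['regionSubscription']['list']` is also dereferenced without a guard before `checkRegionSubscription` runs, which would throw if that collection is missing; whether that can happen depends on the collector, which is not visible here.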
+++ b/plugins/oracle/cloudguard/cloudguardEnabled.spec.js 
@@ -0,0 +1,104 @@
+var expect = require('chai').expect;
+var plugin = require('./cloudguardEnabled');
+
+const createCache = (err, data) => {
+ return {
+ regionSubscription: {
+ "list": {
+ "us-ashburn-1": {
+ "data": [
+ {
+ "regionKey": "IAD",
+ "regionName": "us-ashburn-1",
+ "status": "READY",
+ "isHomeRegion": true
+ },
+ {
+ "regionKey": "LHR",
+ "regionName": "uk-london-1",
+ "status": "READY",
+ "isHomeRegion": false
+ },
+ {
+ "regionKey": "PHX",
+ "regionName": "us-phoenix-1",
+ "status": "READY",
+ "isHomeRegion": false
+ }
+ ]
+ }
+ }
+ },
+
+ cloudguardConfiguration: {
+ get: {
+ 'us-ashburn-1': {
+ err: err,
+ data: data
+ }
+ }
+ }
+ }
+};
+
+describe('cloudguardEnabled', function () {
+ describe('run', function () {
+ it('should give unknown result if a configuration error is passed or no data is present', function (done) {
+ const callback = (err, results) => {
+ expect(results.length).to.be.above(0)
+ expect(results[0].status).to.equal(3)
+ expect(results[0].message).to.include('Unable to query for cloud guard configuration')
+ expect(results[0].region).to.equal('us-ashburn-1')
+ done()
+ };
+
+ const cache = createCache(
+ ['error'],
+ null,
+ );
+
+ plugin.run(cache, {}, callback);
+ })
+
+ it('should give passing result cloud guard is enabled in the root compartment of the tenancy', function (done) {
+ const callback = (err, results) => {
+ expect(results.length).to.be.above(0)
+ expect(results[0].status).to.equal(0)
+ expect(results[0].message).to.include('is enabled')
+ expect(results[0].region).to.equal('us-ashburn-1')
+ done()
+ };
+
+ const cache = createCache(
+ null,
+ {
+ reportingRegion: 'us-ashburn-1',
+ status: 'ENABLED',
+ selfManageResources: false
+ }
+ );
+
+ plugin.run(cache, {}, callback);
+ })
+ it('should give failing result if cloud guard is not enabled in the root compartment of the tenancy', function (done) {
+ const callback = (err, results) => {
+ expect(results.length).to.be.above(0)
+ expect(results[0].status).to.equal(2)
+ expect(results[0].message).to.include('is not enabled')
+ expect(results[0].region).to.equal('us-ashburn-1')
+ done()
+ };
+
+ const cache = createCache(
+ null,
+ {
+ reportingRegion: 'us-ashburn-1',
+ status: 'DISABLED',
+ selfManageResources: false
+ }
+ );
+
+ plugin.run(cache, {}, callback);
+ })
+ })
+})
\ No newline at end of file