-
Notifications
You must be signed in to change notification settings - Fork 689
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
AkhtarAmir
authored and
AkhtarAmir
committed
Nov 5, 2024
1 parent
c0514e5
commit 3a927f1
Showing
5 changed files
with
354 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
56 changes: 56 additions & 0 deletions
56
plugins/azure/virtualmachines/diskByokEncryptionEnabled.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| var async = require('async'); | ||
|
|
||
| var helpers = require('../../../helpers/azure'); | ||
|
|
||
| module.exports = { | ||
| title: 'Attached Disk Volumes BYOK Encryption Enabled', | ||
| category: 'Virtual Machines', | ||
| domain: 'Compute', | ||
| severity: 'High', | ||
| description: 'Ensures that attached Azure virtual machine disks have BYOK (Customer-Managed Key) encryption enabled.', | ||
| more_info: 'Encrypting virtual machine disk volumes helps protect and safeguard your data to meet organizational security and compliance commitments.', | ||
| recommended_action: 'Ensure that virtual machine disks are created using BYOK encryption', | ||
| link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault', | ||
| apis: ['disks:list'], | ||
| realtime_triggers: ['microsoftcompute:disks:write', 'microsoftcompute:disks:delete'], | ||
|
|
||
| run: function(cache, settings, callback) { | ||
| var results = []; | ||
| var source = {}; | ||
| var locations = helpers.locations(settings.govcloud); | ||
|
|
||
| async.each(locations.disks, function(location, rcb) { | ||
|
|
||
| var disks = helpers.addSource(cache, source, ['disks', 'list', location]); | ||
|
|
||
| if (!disks) return rcb(); | ||
|
|
||
| if (disks.err || !disks.data) { | ||
| helpers.addResult(results, 3, 'Unable to query for virtual machine disk volumes: ' + helpers.addError(disks), location); | ||
| return rcb(); | ||
| } | ||
| if (!disks.data.length) { | ||
| helpers.addResult(results, 0, 'No existing disk volumes found', location); | ||
| return rcb(); | ||
| } | ||
|
|
||
| async.each(disks.data, function(disk, scb) { | ||
| if (disk.diskState && disk.diskState.toLowerCase() === 'attached') { | ||
| if (disk.encryption && disk.encryption.type && | ||
| (disk.encryption.type === 'EncryptionAtRestWithCustomerKey' || | ||
| disk.encryption.type === 'EncryptionAtRestWithPlatformAndCustomerKeys')) { | ||
| helpers.addResult(results, 0, 'Disk volume has BYOK encryption enabled', location, disk.id); | ||
| } else { | ||
| helpers.addResult(results, 2, 'Disk volume has BYOK encryption disabled', location, disk.id); | ||
| } | ||
| } | ||
| scb(); | ||
| }, function() { | ||
| rcb(); | ||
| }); | ||
| }, function() { | ||
| // Global checking goes here | ||
| callback(null, results, source); | ||
| }); | ||
| } | ||
| }; |
120 changes: 120 additions & 0 deletions
120
plugins/azure/virtualmachines/diskByokEncryptionEnabled.spec.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,120 @@ | ||
| var expect = require('chai').expect; | ||
| var diskByokEncryptionEnabled = require('./diskByokEncryptionEnabled'); | ||
|
|
||
| const disks = [ | ||
| { | ||
| 'name': 'test', | ||
| 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Compute/disks/test', | ||
| 'type': 'Microsoft.Compute/disks', | ||
| 'location': 'eastus', | ||
| 'diskState': 'Attached', | ||
| 'encryption': { | ||
| 'type': 'EncryptionAtRestWithPlatformKey' | ||
| } | ||
| }, | ||
| { | ||
| 'name': 'test', | ||
| 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Compute/disks/test', | ||
| 'type': 'Microsoft.Compute/daisks', | ||
| 'location': 'eastus', | ||
| 'diskState': 'Attached', | ||
| 'encryption': { | ||
| 'type': 'EncryptionAtRestWithCustomerKey', | ||
| 'diskEncryptionSetId': '/subscriptions/123/resourceGroups/AQUA-RESOURCE-GROUP/providers/Microsoft.Compute/diskEncryptionSets/test-encrypt-set' | ||
| } | ||
| }, | ||
| { | ||
| 'name': 'test', | ||
| 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Compute/disks/test', | ||
| 'type': 'Microsoft.Compute/disks', | ||
| 'location': 'eastus', | ||
| 'diskState': 'Attached', | ||
| 'encryption': { | ||
| 'type': 'EncryptionAtRestWithPlatformAndCustomerKeys', | ||
| 'diskEncryptionSetId': '/subscriptions/123/resourceGroups/AQUA-RESOURCE-GROUP/providers/Microsoft.Compute/diskEncryptionSets/test-encrypt-set' | ||
| } | ||
| }, | ||
| { | ||
| 'name': 'test', | ||
| 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Compute/disks/test', | ||
| 'type': 'Microsoft.Compute/disks', | ||
| 'location': 'eastus', | ||
| 'diskState': 'Unattached', | ||
| 'encryption': { | ||
| 'type': 'EncryptionAtRestWithPlatformKey' | ||
| } | ||
| } | ||
| ]; | ||
|
|
||
| const createCache = (disks) => { | ||
| const disk = {}; | ||
| if (disks) { | ||
| disk['data'] = disks; | ||
| } | ||
| return { | ||
| disks: { | ||
| list: { | ||
| 'eastus': disk | ||
| } | ||
| } | ||
| }; | ||
| }; | ||
|
|
||
| describe('diskByokEncryptionEnabled', function() { | ||
| describe('run', function() { | ||
| it('should give passing result if no disk volumes found', function(done) { | ||
| const cache = createCache([]); | ||
| diskByokEncryptionEnabled.run(cache, {}, (err, results) => { | ||
| expect(results.length).to.equal(1); | ||
| expect(results[0].status).to.equal(0); | ||
| expect(results[0].message).to.include('No existing disk volumes found'); | ||
| expect(results[0].region).to.equal('eastus'); | ||
| done(); | ||
| }); | ||
| }); | ||
|
|
||
| it('should give unknown result if unable to query for disk volumes', function(done) { | ||
| const cache = createCache(); | ||
| diskByokEncryptionEnabled.run(cache, {}, (err, results) => { | ||
| expect(results.length).to.equal(1); | ||
| expect(results[0].status).to.equal(3); | ||
| expect(results[0].message).to.include('Unable to query for virtual machine disk volumes'); | ||
| expect(results[0].region).to.equal('eastus'); | ||
| done(); | ||
| }); | ||
| }); | ||
|
|
||
| it('should give passing result if Disk volume has BYOK encryption enabled only', function(done) { | ||
| const cache = createCache([disks[1]]); | ||
| diskByokEncryptionEnabled.run(cache, {}, (err, results) => { | ||
| expect(results.length).to.equal(1); | ||
| expect(results[0].status).to.equal(0); | ||
| expect(results[0].message).to.include('Disk volume has BYOK encryption enabled'); | ||
| expect(results[0].region).to.equal('eastus'); | ||
| done(); | ||
| }); | ||
| }); | ||
|
|
||
| it('should give passing result if Disk volume has BYOK encryption enabled along with platform key ', function(done) { | ||
| const cache = createCache([disks[2]]); | ||
| diskByokEncryptionEnabled.run(cache, {}, (err, results) => { | ||
| expect(results.length).to.equal(1); | ||
| expect(results[0].status).to.equal(0); | ||
| expect(results[0].message).to.include('Disk volume has BYOK encryption enabled'); | ||
| expect(results[0].region).to.equal('eastus'); | ||
| done(); | ||
| }); | ||
| }); | ||
|
|
||
| it('should give failing result if Disk volume has BYOK encryption disabled', function(done) { | ||
| const cache = createCache([disks[0]]); | ||
| diskByokEncryptionEnabled.run(cache, {}, (err, results) => { | ||
| expect(results.length).to.equal(1); | ||
| expect(results[0].status).to.equal(2); | ||
| expect(results[0].message).to.include('Disk volume has BYOK encryption disabled'); | ||
| expect(results[0].region).to.equal('eastus'); | ||
| done(); | ||
| }); | ||
| }); | ||
| }); | ||
| }); |
56 changes: 56 additions & 0 deletions
56
plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| var async = require('async'); | ||
|
|
||
| var helpers = require('../../../helpers/azure'); | ||
|
|
||
| module.exports = { | ||
| title: 'Unattached Disk Volumes BYOK Encryption Enabled', | ||
| category: 'Virtual Machines', | ||
| domain: 'Compute', | ||
| severity: 'High', | ||
| description: 'Ensures that unattached Azure virtual machine disks have BYOK (Customer-Managed Key) encryption enabled.', | ||
| more_info: 'Encrypting unattached virtual machine disk volumes helps protect and safeguard your data to meet organizational security and compliance commitments.', | ||
| recommended_action: 'Ensure that unattached virtual machine disks are created using BYOK encryption', | ||
| link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault', | ||
| apis: ['disks:list'], | ||
| realtime_triggers: ['microsoftcompute:disks:write', 'microsoftcompute:disks:delete'], | ||
|
|
||
| run: function(cache, settings, callback) { | ||
| var results = []; | ||
| var source = {}; | ||
| var locations = helpers.locations(settings.govcloud); | ||
|
|
||
| async.each(locations.disks, function(location, rcb) { | ||
|
|
||
| var disks = helpers.addSource(cache, source, ['disks', 'list', location]); | ||
|
|
||
| if (!disks) return rcb(); | ||
|
|
||
| if (disks.err || !disks.data) { | ||
| helpers.addResult(results, 3, 'Unable to query for virtual machine disk volumes: ' + helpers.addError(disks), location); | ||
| return rcb(); | ||
| } | ||
| if (!disks.data.length) { | ||
| helpers.addResult(results, 0, 'No existing disk volumes found', location); | ||
| return rcb(); | ||
| } | ||
|
|
||
| async.each(disks.data, function(disk, scb) { | ||
| if (disk.diskState && disk.diskState.toLowerCase() === 'unattached') { | ||
| if (disk.encryption && disk.encryption.type && | ||
| (disk.encryption.type === 'EncryptionAtRestWithCustomerKey' || | ||
| disk.encryption.type === 'EncryptionAtRestWithPlatformAndCustomerKeys')) { | ||
| helpers.addResult(results, 0, 'Unattached disk volume has BYOK encryption enabled', location, disk.id); | ||
| } else { | ||
| helpers.addResult(results, 2, 'Unattached disk volume has BYOK encryption disabled', location, disk.id); | ||
| } | ||
| } | ||
| scb(); | ||
| }, function() { | ||
| rcb(); | ||
| }); | ||
| }, function() { | ||
| // Global checking goes here | ||
| callback(null, results, source); | ||
| }); | ||
| } | ||
| }; |
120 changes: 120 additions & 0 deletions
120
plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.spec.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,120 @@ | ||
| var expect = require('chai').expect; | ||
| var unAttachedDiskByokEncryptionEnabled = require('./UnAttachedDiskByokEncryptionEnabled'); | ||
|
|
||
| const disks = [ | ||
| { | ||
| 'name': 'test', | ||
| 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Compute/disks/test', | ||
| 'type': 'Microsoft.Compute/disks', | ||
| 'location': 'eastus', | ||
| 'diskState': 'Unattached', | ||
| 'encryption': { | ||
| 'type': 'EncryptionAtRestWithPlatformKey' | ||
| } | ||
| }, | ||
| { | ||
| 'name': 'test', | ||
| 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Compute/disks/test', | ||
| 'type': 'Microsoft.Compute/daisks', | ||
| 'location': 'eastus', | ||
| 'diskState': 'Unattached', | ||
| 'encryption': { | ||
| 'type': 'EncryptionAtRestWithCustomerKey', | ||
| 'diskEncryptionSetId': '/subscriptions/123/resourceGroups/AQUA-RESOURCE-GROUP/providers/Microsoft.Compute/diskEncryptionSets/test-encrypt-set' | ||
| } | ||
| }, | ||
| { | ||
| 'name': 'test', | ||
| 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Compute/disks/test', | ||
| 'type': 'Microsoft.Compute/disks', | ||
| 'location': 'eastus', | ||
| 'diskState': 'Unattached', | ||
| 'encryption': { | ||
| 'type': 'EncryptionAtRestWithPlatformAndCustomerKeys', | ||
| 'diskEncryptionSetId': '/subscriptions/123/resourceGroups/AQUA-RESOURCE-GROUP/providers/Microsoft.Compute/diskEncryptionSets/test-encrypt-set' | ||
| } | ||
| }, | ||
| { | ||
| 'name': 'test', | ||
| 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Compute/disks/test', | ||
| 'type': 'Microsoft.Compute/disks', | ||
| 'location': 'eastus', | ||
| 'diskState': 'Attached', | ||
| 'encryption': { | ||
| 'type': 'EncryptionAtRestWithPlatformKey' | ||
| } | ||
| } | ||
| ]; | ||
|
|
||
| const createCache = (disks) => { | ||
| const disk = {}; | ||
| if (disks) { | ||
| disk['data'] = disks; | ||
| } | ||
| return { | ||
| disks: { | ||
| list: { | ||
| 'eastus': disk | ||
| } | ||
| } | ||
| }; | ||
| }; | ||
|
|
||
| describe('unAttachedDiskByokEncryptionEnabled', function() { | ||
| describe('run', function() { | ||
| it('should give passing result if no disk volumes found', function(done) { | ||
| const cache = createCache([]); | ||
| unAttachedDiskByokEncryptionEnabled.run(cache, {}, (err, results) => { | ||
| expect(results.length).to.equal(1); | ||
| expect(results[0].status).to.equal(0); | ||
| expect(results[0].message).to.include('No existing disk volumes found'); | ||
| expect(results[0].region).to.equal('eastus'); | ||
| done(); | ||
| }); | ||
| }); | ||
|
|
||
| it('should give unknown result if unable to query for disk volumes', function(done) { | ||
| const cache = createCache(); | ||
| unAttachedDiskByokEncryptionEnabled.run(cache, {}, (err, results) => { | ||
| expect(results.length).to.equal(1); | ||
| expect(results[0].status).to.equal(3); | ||
| expect(results[0].message).to.include('Unable to query for virtual machine disk volumes'); | ||
| expect(results[0].region).to.equal('eastus'); | ||
| done(); | ||
| }); | ||
| }); | ||
|
|
||
| it('should give passing result if Disk volume has BYOK encryption enabled only', function(done) { | ||
| const cache = createCache([disks[1]]); | ||
| unAttachedDiskByokEncryptionEnabled.run(cache, {}, (err, results) => { | ||
| expect(results.length).to.equal(1); | ||
| expect(results[0].status).to.equal(0); | ||
| expect(results[0].message).to.include('Unattached disk volume has BYOK encryption enabled'); | ||
| expect(results[0].region).to.equal('eastus'); | ||
| done(); | ||
| }); | ||
| }); | ||
|
|
||
| it('should give passing result if Disk volume has BYOK encryption enabled along with platform key ', function(done) { | ||
| const cache = createCache([disks[2]]); | ||
| unAttachedDiskByokEncryptionEnabled.run(cache, {}, (err, results) => { | ||
| expect(results.length).to.equal(1); | ||
| expect(results[0].status).to.equal(0); | ||
| expect(results[0].message).to.include('Unattached disk volume has BYOK encryption enabled'); | ||
| expect(results[0].region).to.equal('eastus'); | ||
| done(); | ||
| }); | ||
| }); | ||
|
|
||
| it('should give failing result if Disk volume has BYOK encryption disabled', function(done) { | ||
| const cache = createCache([disks[0]]); | ||
| unAttachedDiskByokEncryptionEnabled.run(cache, {}, (err, results) => { | ||
| expect(results.length).to.equal(1); | ||
| expect(results[0].status).to.equal(2); | ||
| expect(results[0].message).to.include('Unattached disk volume has BYOK encryption disabled'); | ||
| expect(results[0].region).to.equal('eastus'); | ||
| done(); | ||
| }); | ||
| }); | ||
| }); | ||
| }); |