-
Notifications
You must be signed in to change notification settings - Fork 691
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
3 changed files
with
158 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| const async = require('async'); | ||
| const helpers = require('../../../helpers/azure'); | ||
|
|
||
| module.exports = { | ||
| title: 'Front Door WAF Detection Mode', | ||
| category: 'Front Door', | ||
| domain: 'Content Delivery', | ||
| description: 'Ensure that WAF policy for Azure Front Door is set to Detection mode.', | ||
| more_info: 'Azure Web Application Firewall (WAF) on Azure Front Door provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. It monitors and logs the request and its matched WAF rule to WAF logs.', | ||
| recommended_action: 'Modify Front Door WAF policy and enable prevention mode.', | ||
| link: 'https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview', | ||
| apis: ['afdWafPolicies:listAll'], | ||
|
|
||
| run: function(cache, settings, callback) { | ||
| const results = []; | ||
| const source = {}; | ||
| const locations = helpers.locations(settings.govcloud); | ||
| async.each(locations.afdWafPolicies, (location, rcb) => { | ||
| var afdWafPolicies = helpers.addSource(cache, source, | ||
| ['afdWafPolicies', 'listAll', location]); | ||
|
|
||
| if (!afdWafPolicies) return rcb(); | ||
|
|
||
| if (afdWafPolicies.err || !afdWafPolicies.data) { | ||
| helpers.addResult(results, 3, 'Unable to query for Front Door WAF policies: ' + helpers.addError(afdWafPolicies), location); | ||
| return rcb(); | ||
| } | ||
| if (!afdWafPolicies.data.length) { | ||
| helpers.addResult(results, 0, 'No existing Front Door WAF policies found', location); | ||
| return rcb(); | ||
| } | ||
|
|
||
| for (let policy of afdWafPolicies.data) { | ||
| if (!policy.id) continue; | ||
|
|
||
| if (policy.policySettings && policy.policySettings.mode && policy.policySettings.mode.toLowerCase() == 'detection') { | ||
| helpers.addResult(results, 0, 'Detection mode enabled for Front Door WAF policy', location, policy.id); | ||
| } else { | ||
| helpers.addResult(results, 2, 'Detection mode not enabled for Front Door WAF policy', location, policy.id); | ||
| } | ||
| } | ||
| rcb(); | ||
| }, function() { | ||
| callback(null, results, source); | ||
| }); | ||
| } | ||
| }; |
108 changes: 108 additions & 0 deletions
108
plugins/azure/frontdoor/frontDoorWafDetectionMode.spec.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,108 @@ | ||
| var expect = require('chai').expect; | ||
| var frontDoorWafDetectionMode = require('./frontDoorWafDetectionMode.js'); | ||
|
|
||
| const afdWafPolicies = [ | ||
| { | ||
| "id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2", | ||
| "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies", | ||
| "name": "testpolicy2", | ||
| "sku": { | ||
| "name": "Premium_AzureFrontDoor" | ||
| }, | ||
| "policySettings": { | ||
| "enabledState": "Enabled", | ||
| "mode": "Prevention", | ||
| "redirectUrl": null, | ||
| "customBlockResponseStatusCode": 403, | ||
| "customBlockResponseBody": null, | ||
| "requestBodyCheck": "Disabled" | ||
| }, | ||
| }, | ||
| { | ||
| "id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2", | ||
| "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies", | ||
| "name": "testpolicy1", | ||
| "sku": { | ||
| "name": "Premium_AzureFrontDoor" | ||
| }, | ||
| "policySettings": { | ||
| "enabledState": "Enabled", | ||
| "mode": "Detection", | ||
| "redirectUrl": null, | ||
| "customBlockResponseStatusCode": 403, | ||
| "customBlockResponseBody": null, | ||
| "requestBodyCheck": "Disabled" | ||
| }, | ||
| }, | ||
| ]; | ||
|
|
||
| const createCache = (afdWafPolicies) => { | ||
| return { | ||
| afdWafPolicies: { | ||
| listAll: { | ||
| 'global': { | ||
| data: afdWafPolicies | ||
| } | ||
| } | ||
| } | ||
| }; | ||
| }; | ||
|
|
||
| const createErrorCache = () => { | ||
| return { | ||
| afdWafPolicies: { | ||
| listAll: { | ||
| 'global': {} | ||
| } | ||
| } | ||
| }; | ||
| }; | ||
| describe('frontDoorWafDetectionMode', function () { | ||
| describe('run', function () { | ||
|
|
||
| it('should give pass result if detection mode is enabled for front door waf policy', function (done) { | ||
| const cache = createCache([afdWafPolicies[1]]); | ||
| frontDoorWafDetectionMode.run(cache, {}, (err, results) => { | ||
| expect(results.length).to.equal(1); | ||
| expect(results[0].status).to.equal(0); | ||
| expect(results[0].message).to.include('Detection mode enabled for Front Door WAF policy'); | ||
| expect(results[0].region).to.equal('global'); | ||
| done(); | ||
| }); | ||
| }); | ||
|
|
||
| it('should give unknown result if unable to query for Front Door WAF policies', function (done) { | ||
| const cache = createErrorCache(); | ||
| frontDoorWafDetectionMode.run(cache, {}, (err, results) => { | ||
| expect(results.length).to.equal(1); | ||
| expect(results[0].status).to.equal(3); | ||
| expect(results[0].message).to.include('Unable to query for Front Door WAF policies'); | ||
| expect(results[0].region).to.equal('global'); | ||
| done(); | ||
| }); | ||
| }); | ||
|
|
||
| it('should give pass result if no existing front door waf policies found', function (done) { | ||
| const cache = createCache([]); | ||
| frontDoorWafDetectionMode.run(cache, {}, (err, results) => { | ||
| expect(results.length).to.equal(1); | ||
| expect(results[0].status).to.equal(0); | ||
| expect(results[0].message).to.include('No existing Front Door WAF policies found'); | ||
| expect(results[0].region).to.equal('global'); | ||
| done(); | ||
| }); | ||
| }); | ||
|
|
||
| it('should give fail result if detection mode is not enabled for front door waf policy', function (done) { | ||
| const cache = createCache([afdWafPolicies[0]]); | ||
| frontDoorWafDetectionMode.run(cache, {}, (err, results) => { | ||
| expect(results.length).to.equal(1); | ||
| expect(results[0].status).to.equal(2); | ||
| expect(results[0].message).to.include('Detection mode not enabled for Front Door WAF policy'); | ||
| expect(results[0].region).to.equal('global'); | ||
| done(); | ||
| }); | ||
| }); | ||
|
|
||
| }); | ||
| }); |