feature/AKD-118: Added Azure 'DDoS Standard Protection Enabled' plugi…

…n and test cases (#588) * feature/AKD-118: Added Azure 'DDoS Standard Protection Enabled' plugin and test cases * feature/AKD-118: Added Azure 'DDoS Standard Protection Enabled' plugin and test cases * feature/AKD-118: Added Azure 'DDoS Standard Protection Enabled' plugin and test cases * feature/AKD-118: Added Azure 'DDoS Standard Protection Enabled' plugin and test cases * feature/AKD-118: Added Azure 'DDoS Standard Protection Enabled' plugin and test cases * feature/AKD-118: Added Azure 'DDoS Standard Protection Enabled' plugin and test cases * Update plugins/azure/virtualnetworks/ddosStandardProtectionEnabled.js Co-authored-by: Gio Rodriguez <gioroddev@gmail.com>
aquasecurity · Mar 26, 2021 · d12a487 · d12a487
1 parent d16af08
commit d12a487
Show file tree

Hide file tree

Showing 3 changed files with 144 additions and 0 deletions.
diff --git a/exports.js b/exports.js
@@ -364,6 +364,7 @@ module.exports = {
         'queueServiceAllAccessAcl'      : require(__dirname + '/plugins/azure/queueservice/queueServiceAllAccessAcl.js'),
 
         'multipleSubnets'               : require(__dirname + '/plugins/azure/virtualnetworks/multipleSubnets.js'),
+        'ddosStandardProtectionEnabled' : require(__dirname + '/plugins/azure/virtualnetworks/ddosStandardProtectionEnabled.js'),
 
         'vmInstanceLimit'               : require(__dirname + '/plugins/azure/virtualmachines/vmInstanceLimit.js'),
         'classicInstances'              : require(__dirname + '/plugins/azure/virtualmachines/classicInstances.js'),

diff --git a/plugins/azure/virtualnetworks/ddosStandardProtectionEnabled.js b/plugins/azure/virtualnetworks/ddosStandardProtectionEnabled.js
@@ -0,0 +1,50 @@
+const async = require('async');
+const helpers = require('../../../helpers/azure');
+
+module.exports = {
+    title: 'DDoS Standard Protection Enabled',
+    category: 'Virtual Networks',
+    description: 'Ensures that DDoS Standard Protection is enabled for Microsoft Azure Virtual Networks',
+    more_info: 'DDoS Protection Standard offers enhanced Distributed Denial-of-Service (DDoS) mitigation capabilities via adaptive tuning, attack alert notifications, and telemetry to protect against the impacts of large DDoS attacks for all the protected resources available within your Azure Virtual Networks.',
+    recommended_action: 'Enable DDoS protection for virtual networks',
+    link: 'https://azure.microsoft.com/en-us/blog/azure-ddos-protection-for-virtual-networks-generally-available/',
+    apis: ['virtualNetworks:listAll'],
+
+    run: function(cache, settings, callback) {
+        const results = [];
+        const source = {};
+        const locations = helpers.locations(settings.govcloud);
+
+        async.each(locations.virtualNetworks, (location, rcb) => {
+            var virtualNetworks = helpers.addSource(cache, source, 
+                ['virtualNetworks', 'listAll', location]);
+
+            if (!virtualNetworks) return rcb();
+
+            if (virtualNetworks.err || !virtualNetworks.data) {
+                helpers.addResult(results, 3, 'Unable to query for Virtual Networks: ' + helpers.addError(virtualNetworks), location);
+                return rcb();
+            }
+
+            if (!virtualNetworks.data.length) {
+                helpers.addResult(results, 0, 'No existing Virtual Networks found', location);
+                return rcb();
+            }
+
+            virtualNetworks.data.forEach(virtualNetwork => {
+                if (virtualNetwork.enableDdosProtection) {
+                    helpers.addResult(results, 0,
+                        'DDoS Standard Protection is enabled for Microsoft Azure Virtual Network', location, virtualNetwork.id);
+                } else {
+                    helpers.addResult(results, 2,
+                        'DDoS Standard Protection is not enabled for Microsoft Azure Virtual Network', location, virtualNetwork.id);
+                }
+            });
+
+            rcb();
+        }, function() {
+            // Global checking goes here
+            callback(null, results, source);
+        });
+    }
+};
diff --git a/plugins/azure/virtualnetworks/ddosStandardProtectionEnabled.spec.js b/plugins/azure/virtualnetworks/ddosStandardProtectionEnabled.spec.js
@@ -0,0 +1,93 @@
+var expect = require('chai').expect;
+var ddosStandardProtectionEnabled = require('./ddosStandardProtectionEnabled');
+
+const virtualNetworks = [
+    {
+        "name": 'test-vnet',
+        "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Network/virtualNetworks/test-vnet',
+        "type": 'Microsoft.Network/virtualNetworks',
+        "location": 'eastus',
+        "provisioningState": 'Succeeded',
+        "virtualNetworkPeerings": [],
+        "enableDdosProtection": true
+    },
+    {
+        "name": 'test-vnet',
+        "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Network/virtualNetworks/test-vnet',
+        "type": 'Microsoft.Network/virtualNetworks',
+        "location": 'eastus',
+        "provisioningState": 'Succeeded',
+        "virtualNetworkPeerings": [],
+        "enableDdosProtection": false
+    }
+];
+
+const createCache = (virtualNetworks) => {
+    return {
+        virtualNetworks: {
+            listAll: {
+                'eastus': {
+                    data: virtualNetworks
+                }
+            }
+        }
+    };
+};
+
+const createErrorCache = () => {
+    return {
+        virtualNetworks: {
+            listAll: {
+                'eastus': {}
+            }
+        }
+    };
+};
+
+describe('ddosStandardProtectionEnabled', function() {
+    describe('run', function() {
+        it('should give passing result if no virtual networks', function(done) {
+            const cache = createCache([]);
+            ddosStandardProtectionEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('No existing Virtual Networks found');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give failing result if DDoS standard protection is not enabled for virtual network', function(done) {
+            const cache = createCache([virtualNetworks[1]]);
+            ddosStandardProtectionEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].message).to.include('DDoS Standard Protection is not enabled for Microsoft Azure Virtual Network');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give unknown result if Unable to query for Virtual Networks', function(done) {
+            const cache = createErrorCache();
+            ddosStandardProtectionEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].message).to.include('Unable to query for Virtual Networks:');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give passing result if DDoS standard protection is enabled for virtual network', function(done) {
+            const cache = createCache([virtualNetworks[0]]);
+            ddosStandardProtectionEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('DDoS Standard Protection is enabled for Microsoft Azure Virtual Network');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+    });
+});