aquasecurity · giorod3 · Mar 26, 2021 · Mar 14, 2021 · Mar 14, 2021 · Mar 14, 2021
diff --git a/exports.js b/exports.js
@@ -344,6 +344,7 @@ module.exports = {
         'queueServiceAllAccessAcl'      : require(__dirname + '/plugins/azure/queueservice/queueServiceAllAccessAcl.js'),
 
         'multipleSubnets'               : require(__dirname + '/plugins/azure/virtualnetworks/multipleSubnets.js'),
+        'ddosStandardProtectionEnabled' : require(__dirname + '/plugins/azure/virtualnetworks/ddosStandardProtectionEnabled.js'),
 
         'vmInstanceLimit'               : require(__dirname + '/plugins/azure/virtualmachines/vmInstanceLimit.js'),
         'classicInstances'              : require(__dirname + '/plugins/azure/virtualmachines/classicInstances.js'),

diff --git a/plugins/azure/virtualnetworks/ddosStandardProtectionEnabled.js b/plugins/azure/virtualnetworks/ddosStandardProtectionEnabled.js
@@ -0,0 +1,49 @@
+const async = require('async');
+const helpers = require('../../../helpers/azure');
+
+module.exports = {
+    title: 'DDoS Standard Protection Enabled',
+    category: 'Virtual Networks',
+    description: 'Ensures that DDoS Standard Protection is enabled for Microsoft Azure Virtual Networks',
+    more_info: 'DDoS Protection Standard offers enhanced Distributed Denial-of-Service (DDoS) mitigation capabilities via adaptive tuning, attack alert notifications, and telemetry to protect against the impacts of large DDoS attacks for all the protected resources available within your Azure Virtual Networks.',
+    recommended_action: 'Enable DDoS protection for virtual networks',
+    link: 'https://azure.microsoft.com/en-us/blog/azure-ddos-protection-for-virtual-networks-generally-available/',
+    apis: ['virtualNetworks:listAll'],
+
+    run: function(cache, settings, callback) {
+        const results = [];
+        const source = {};
+        const locations = helpers.locations(settings.govcloud);
+
+        async.each(locations.virtualNetworks, (location, rcb) => {
+            var virtualNetworks = helpers.addSource(cache, source, 
+                ['virtualNetworks', 'listAll', location]);
+
+            if (!virtualNetworks) return rcb();
+
+            if (virtualNetworks.err || !virtualNetworks.data) {
+                helpers.addResult(results, 3, 'Unable to query for Virtual Networks: ' + helpers.addError(virtualNetworks), location);
+                return rcb();
+            }
+
+            if (!virtualNetworks.data.length) {
+                helpers.addResult(results, 0, 'No existing Virtual Networks found', location);
+            }
+
+            virtualNetworks.data.forEach(virtualNetwork => {
+                if (virtualNetwork.enableDdosProtection) {
+                    helpers.addResult(results, 0,
+                        'DDoS Standard Protection is enabled for Microsoft Azure Virtual Network', location, virtualNetwork.id);
+                } else {
+                    helpers.addResult(results, 2,
+                        'DDoS Standard Protection is not enabled for Microsoft Azure Virtual Network', location, virtualNetwork.id);
+                }
+            });
+
+            rcb();
+        }, function() {
+            // Global checking goes here
+            callback(null, results, source);
+        });
+    }
+};
diff --git a/plugins/azure/virtualnetworks/ddosStandardProtectionEnabled.spec.js b/plugins/azure/virtualnetworks/ddosStandardProtectionEnabled.spec.js
@@ -0,0 +1,93 @@
+var expect = require('chai').expect;
+var ddosStandardProtectionEnabled = require('./ddosStandardProtectionEnabled');
+
+const virtualNetworks = [
+    {
+        "name": 'test-vnet',
+        "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Network/virtualNetworks/test-vnet',
+        "type": 'Microsoft.Network/virtualNetworks',
+        "location": 'eastus',
+        "provisioningState": 'Succeeded',
+        "virtualNetworkPeerings": [],
+        "enableDdosProtection": true
+    },
+    {
+        "name": 'test-vnet',
+        "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Network/virtualNetworks/test-vnet',
+        "type": 'Microsoft.Network/virtualNetworks',
+        "location": 'eastus',
+        "provisioningState": 'Succeeded',
+        "virtualNetworkPeerings": [],
+        "enableDdosProtection": false
+    }
+];
+
+const createCache = (virtualNetworks) => {
+    return {
+        virtualNetworks: {
+            listAll: {
+                'eastus': {
+                    data: virtualNetworks
+                }
+            }
+        }
+    };
+};
+
+const createErrorCache = () => {
+    return {
+        virtualNetworks: {
+            listAll: {
+                'eastus': {}
+            }
+        }
+    };
+};
+
+describe('ddosStandardProtectionEnabled', function() {
+    describe('run', function() {
+        it('should give passing result if no virtual networks', function(done) {
+            const cache = createCache([]);
+            ddosStandardProtectionEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('No existing Virtual Networks found');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give failing result if DDoS standard protection is not enabled for virtual network', function(done) {
+            const cache = createCache([virtualNetworks[1]]);
+            ddosStandardProtectionEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].message).to.include('DDoS Standard Protection is not enabled for Microsoft Azure Virtual Network');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give unknown result if Unable to query for Virtual Networks', function(done) {
+            const cache = createErrorCache();
+            ddosStandardProtectionEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].message).to.include('Unable to query for Virtual Networks:');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give passing result if DDoS standard protection is enabled for virtual network', function(done) {
+            const cache = createCache([virtualNetworks[0]]);
+            ddosStandardProtectionEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('DDoS Standard Protection is enabled for Microsoft Azure Virtual Network');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+    });
+});