New Plugins: Azure and Oracle

dictcp · Aug 12, 2019 · d42d352 · d42d352
1 parent d67ce7e
commit d42d352
Show file tree

Hide file tree

Showing 45 changed files with 1,105 additions and 220 deletions.
diff --git a/.gitignore b/.gitignore
@@ -6,3 +6,4 @@ plugins_*
 output.json
 vscode/*
 .vscode/
+.idea
diff --git a/collectors/azure/collector.js b/collectors/azure/collector.js
@@ -347,6 +347,16 @@ var finalcalls = {
             module: true
         }
     },
+    diagnosticSettingsOperations: {
+        list: {
+            api: "MonitorManagementClient",
+            reliesOnService: ['endpoints'],
+            reliesOnCall: ['listByProfile'],
+            filterKey: ['id'],
+            filterValue: ['id'],
+            arm: true
+        }
+    },
     serverSecurityAlertPolicies: {
         listByServer: {
             api: "SQLManagementClient",
@@ -591,13 +601,13 @@ function errorHandling(err, data, collectionObject, locations) {
             } else if (err.body && err.body.error && err.body.error.message) {
                 collectionObject[locations[l]].err = err.body.error.message;
             } else if (data && data.length && data.length>0 && err.length && err.length>0) {
-                var errorsReturned;
+                var errorsReturned = '';
                 for (e in err){
                     if (![404, 403, 400].includes(err[e].statusCode)){
                         errorsReturned += err[e].message + '; ';
                     }
                 }
-                if (errorsReturned) {
+                if (errorsReturned.length) {
                     collectionObject[locations[l]].err = errorsReturned;
                 }
             } else {

diff --git a/collectors/oracle/collector.js b/collectors/oracle/collector.js
@@ -89,6 +89,14 @@ var calls = {
             filterValue: ['compartmentId'],
         }
     },
+    exportSummary: {
+        list: {
+            api: "fileStorage",
+            filterKey: ['compartmentId'],
+            filterValue: ['compartmentId'],
+            restVersion: "/20171215",
+        }
+    },
     // Do not use compartment:get in Plugins
     // It will be loaded automatically by the
     // Oracle Collector
@@ -99,6 +107,21 @@ var calls = {
             filterValue: ['compartmentId'],
         }
     },
+    waasPolicy: {
+        list: {
+            api: "waas",
+            restVersion: "/20181116",
+            filterKey: ['compartmentId'],
+            filterValue: ['compartmentId'],
+        }
+    },
+    policy: {
+        list: {
+            api: "iam",
+            filterKey: ['compartmentId'],
+            filterValue: ['compartmentId'],
+        }
+    }
 };
 
 // Important Note: All relies must be passed in an array format []
@@ -152,6 +175,17 @@ var postcalls = {
             filterConfig: [true, false],
         }
     },
+    waasPolicy: {
+        get: {
+            api: "waas",
+            restVersion: "/20181116",
+            reliesOnService: ['waasPolicy'],
+            reliesOnCall: ['list'],
+            filterKey: ['compartmentId', 'waasPolicyId'],
+            filterValue: ['compartmentId', 'id'],
+            filterConfig: [true, false],
+        }
+    }
 };
 
 // Important Note: All relies must be passed in an array format []
@@ -165,6 +199,17 @@ var finalcalls = {
             filterValue: ['namespace', 'name'],
         }
     },
+    exprt: {
+        get: {
+            api: "fileStorage",
+            reliesOnService: ['exportSummary'],
+            reliesOnCall: ['list'],
+            filterKey: ['compartmentId', 'exportId'],
+            filterValue: ['compartmentId', 'id'],
+            filterConfig: [true, false],
+            restVersion: "/20171215",
+        }
+    },
 };
 
 

diff --git a/exports.js b/exports.js
@@ -160,7 +160,7 @@ module.exports = {
 
         'keyExpirationEnabled'          : require(__dirname + '/plugins/azure/keyvaults/keyExpirationEnabled.js'),
 
-        'blobContainersPrivateAccess'   : require(__dirname + '/plugins/azure/blobservice/blobContainersPrivateAccess.js'),	
+        'blobContainersPrivateAccess'   : require(__dirname + '/plugins/azure/blobservice/blobContainersPrivateAccess.js'),
         'blobServiceImmutable'          : require(__dirname + '/plugins/azure/blobservice/blobServiceImmutable.js'),
 
         'fileServiceAllAccessAcl'       : require(__dirname + '/plugins/azure/fileservice/fileServiceAllAccessAcl.js'),
@@ -173,13 +173,13 @@ module.exports = {
         'vmEndpointProtection'          : require(__dirname + '/plugins/azure/virtualmachines/vmEndpointProtection.js'),
         'vmAutoUpdateEnabled'           : require(__dirname + '/plugins/azure/virtualmachines/vmAutoUpdateEnabled.js'),
 
-        'autoscaleEnabled'              : require(__dirname + '/plugins/azure/monitor/autoscaleEnabled.js'),
         'nsgLogAnalyticsEnabled'        : require(__dirname + '/plugins/azure/monitor/nsgLogAnalyticsEnabled.js'),
         'logProfileArchiveData'         : require(__dirname + '/plugins/azure/monitor/logProfileArchiveData.js'),
 
         'sqlServerFirewallRuleEnabled'  : require(__dirname + '/plugins/azure/logalerts/sqlServerFirewallRuleEnabled.js'),
         'virtualNetworkRuleEnabled'     : require(__dirname + '/plugins/azure/logalerts/virtualNetworkRuleEnabled.js'),
 
+        'monitorEndpointProtection'     : require(__dirname + '/plugins/azure/securitycenter/monitorEndpointProtection.js'),
         'monitorBlobEncryption'         : require(__dirname + '/plugins/azure/securitycenter/monitorBlobEncryption.js'),
         'monitorVMVulnerability'        : require(__dirname + '/plugins/azure/securitycenter/monitorVMVulnerability.js'),
         'monitorSQLEncryption'          : require(__dirname + '/plugins/azure/securitycenter/monitorSqlEncryption.js'),
@@ -216,7 +216,7 @@ module.exports = {
         'openSQLServer'                 : require(__dirname + '/plugins/azure/networksecuritygroups/openSQLServer.js'),
 
         'tdeProtectorEncrypted'         : require(__dirname + '/plugins/azure/sqlserver/tdeProtectorEncrypted.js'),
-  
+
         'pythonVersion'                 : require(__dirname + '/plugins/azure/appservice/pythonVersion.js'),
         'clientCertEnabled'             : require(__dirname + '/plugins/azure/appservice/clientCertEnabled.js'),
         'netFrameworkVersion'           : require(__dirname + '/plugins/azure/appservice/netFrameworkVersion.js'),
@@ -226,8 +226,9 @@ module.exports = {
         'httpsOnlyEnabled'              : require(__dirname + '/plugins/azure/appservice/httpsOnlyEnabled.js'),
 
         'rbacEnabled'                   : require(__dirname + '/plugins/azure/kubernetesservice/rbacEnabled.js'),
-
-        'detectInsecureCustomOrigin'    : require(__dirname + '/plugins/azure/cdn/detectInsecureCustomOrigin.js'),
+
+        'endpointLoggingEnabled'        : require(__dirname + '/plugins/azure/cdnprofiles/endpointLoggingEnabled.js'),
+        'detectInsecureCustomOrigin'    : require(__dirname + '/plugins/azure/cdnprofiles/detectInsecureCustomOrigin.js'),
     },
     github: {
         'publicKeysRotated'             : require(__dirname + '/plugins/github/users/publicKeysRotated.js'),
@@ -271,17 +272,24 @@ module.exports = {
         'passwordRequiresUppercase'     : require(__dirname + '/plugins/oracle/identity/passwordRequiresUppercase.js'),
         'minPasswordLength'             : require(__dirname + '/plugins/oracle/identity/minPasswordLength.js'),
         'emptyGroups'                   : require(__dirname + '/plugins/oracle/identity/emptyGroups.js'),
+        'excessivePolicies'             : require(__dirname + '/plugins/oracle/identity/excessivePolicies.js'),
+        'excessivePolicyStatements'     : require(__dirname + '/plugins/oracle/identity/excessivePolicyStatements.js'),
 
         'defaultSecurityList'           : require(__dirname + '/plugins/oracle/networking/defaultSecurityList.js'),
         'lbHttpsOnly'                   : require(__dirname + '/plugins/oracle/networking/lbHttpsOnly.js'),
         'lbNoInstances'                 : require(__dirname + '/plugins/oracle/networking/lbNoInstances.js'),
+        'wafPublicIpEnabled'            : require(__dirname + '/plugins/oracle/networking/wafPublicIpEnabled.js'),
 
         'bucketPublicAccessType'        : require(__dirname + '/plugins/oracle/objectstore/bucketPublicAccessType.js'),
+
+        'nfsPublicAccess'               : require(__dirname + '/plugins/oracle/filestorage/nfsPublicAccess.js'),
     },
     google: {
+        'excessiveFirewallRules'        : require(__dirname + '/plugins/google/vpcnetwork/excessiveFirewallRules.js'),
         'openDNS'                       : require(__dirname + '/plugins/google/vpcnetwork/openDNS.js'),
         'openSSH'                       : require(__dirname + '/plugins/google/vpcnetwork/openSSH.js'),
         'openCIFS'                      : require(__dirname + '/plugins/google/vpcnetwork/openCIFS.js'),
+        'openAllPorts'                  : require(__dirname + '/plugins/google/vpcnetwork/openAllPorts.js'),
         'openFTP'                       : require(__dirname + '/plugins/google/vpcnetwork/openFTP.js'),
         'openHadoopNameNode'            : require(__dirname + '/plugins/google/vpcnetwork/openHadoopNameNode.js'),
         'openHadoopNameNodeWebUI'       : require(__dirname + '/plugins/google/vpcnetwork/openHadoopNameNodeWebUI.js'),
@@ -316,5 +324,6 @@ module.exports = {
         'bucketLogging'                 : require(__dirname + '/plugins/google/storage/bucketLogging.js'),
 
         'clbHttpsOnly'                  : require(__dirname + '/plugins/google/clb/clbHttpsOnly.js'),
+        'clbNoInstances'                : require(__dirname + '/plugins/google/clb/clbNoInstances.js'),
     }
 };
diff --git a/helpers/azure/functions.js b/helpers/azure/functions.js
@@ -26,7 +26,7 @@ function findOpenPorts(ngs, protocols, service, location, results) {
                                 let portRange = securityRule['destinationPortRange'].split("-");
                                 let startPort = portRange[0];
                                 let endPort = portRange[1];
-                                if (parseInt(startPort) === port || parseInt(endPort) === port) {
+                                if (parseInt(startPort) < port && parseInt(endPort) > port) {
                                     var string = `Security Rule "` + securityRule['name'] + `": ` + (protocol == '*' ? `All protocols` : protocol.toUpperCase()) +
                                         ` port ` + ports + ` open to ` + sourcefilter; strings.push(string);
                             if (strings.indexOf(string) === -1) strings.push(string);

diff --git a/helpers/google/functions.js b/helpers/google/functions.js
@@ -69,8 +69,70 @@ function findOpenPorts(ngs, protocols, service, location, results) {
 
     return;
 }
+function findOpenAllPorts(ngs, location, results) {
+    let found = false;
+    let protocols = {'tcp': '*', 'udp' : '*'}
+    for (let sgroups of ngs) {
+        let strings = [];
+        let resource = sgroups.id;
+        if (sgroups.allowed) {
+            let firewallRules = sgroups.allowed;
+            let sourceAddressPrefix = sgroups.sourceRanges;
+            for (let firewallRule of firewallRules) {
+                for (let protocol in protocols) {
+                    let ports = protocols[protocol];
+
+                    if (sgroups['direction'] === 'INGRESS' && 
+                    firewallRule['IPProtocol'] === protocol && 
+                    sgroups['disabled'] === false &&
+                    (sourceAddressPrefix.includes('*') || sourceAddressPrefix.includes('') || sourceAddressPrefix.includes('0.0.0.0/0') || sourceAddressPrefix.includes('<nw>/0') || sourceAddressPrefix.includes('/0') || sourceAddressPrefix.includes('internet'))) {
+                        sourcefilter = (sourceAddressPrefix == '0.0.0.0/0' ? 'any IP' : sourceAddressPrefix);
+                        if (firewallRule['ports']) {
+                            firewallRule['ports'].forEach((portRange) => {
+                                if (portRange.includes("-")) {
+                                    portRange = portRange.split("-");
+                                    let startPort = portRange[0];
+                                    let endPort = portRange[1];
+                                    if (parseInt(startPort) == 0 && parseInt(endPort) == 65535) {
+                                        var string = 'all ports open to the public';
+                                        if (strings.indexOf(string) === -1) strings.push(string);
+                                        found = true;
+                                    }
+                                } else if (portRange == 'all') {
+                                    var string = 'all ports open to the public';
+                                    if (strings.indexOf(string) === -1) strings.push(string);
+                                    found = true;
+                                }
+                            })
+                        }
+                    } else if (sgroups['direction'] === 'INGRESS' && 
+                        firewallRule['IPProtocol'] == 'all' &&
+                        sgroups['disabled'] === false &&
+                        (sourceAddressPrefix.includes('*') || sourceAddressPrefix.includes('') || sourceAddressPrefix.includes('0.0.0.0/0') || sourceAddressPrefix.includes('<nw>/0') || sourceAddressPrefix.includes('/0') || sourceAddressPrefix.includes('internet'))) {
+                        var string = 'all ports open to the public';
+                        if (strings.indexOf(string) === -1) strings.push(string);
+                        found = true;
 
+                    }
+                }
+            }
+        }
+        if (strings.length) {
+            shared.addResult(results, 2,
+                'Firewall Rule:(' + sgroups.name +
+                ') has ' + strings.join(' and '), location,
+                resource);
+        }
+    }
+
+    if (!found) {
+        shared.addResult(results, 0, 'No public open ports found', location);
+    }
+
+    return;
+}
 module.exports = {
     addResult: addResult,
     findOpenPorts: findOpenPorts,
+    findOpenAllPorts: findOpenAllPorts
 };
diff --git a/helpers/oracle/regions.js b/helpers/oracle/regions.js
@@ -22,6 +22,10 @@ module.exports = {
     user: regions,
     userGroupMembership: regions,
     authenticationPolicy: regions,
+    exprt: regions,
+    exportSummary: regions,
     compartment: regions,
     bucket: regions,
+    waasPolicy: regions,
+    policy: regions,
 };
diff --git a/other_modules/oracle/configs/endpoints.js b/other_modules/oracle/configs/endpoints.js
@@ -150,6 +150,16 @@ var service =
             'ap-mumbai-1': 'objectstorage.ap-mumbai-1.oraclecloud.com',
             'ap-seoul-1': 'objectstorage.ap-seoul-1.oraclecloud.com',
             'ap-tokyo-1': 'objectstorage.ap-tokyo-1.oraclecloud.com'
+        },
+        waas: {
+            'us-phoenix-1': 'waas.us-phoenix-1.oraclecloud.com',
+            'us-ashburn-1': 'waas.us-ashburn-1.oraclecloud.com',
+            'eu-frankfurt-1': 'waas.eu-frankfurt-1.oraclecloud.com',
+            'uk-london-1': 'waas.uk-london-1.oraclecloud.com',
+            'ca-toronto-1': 'waas.ca-toronto-1.oraclecloud.com',
+            'ap-mumbai-1': 'waas.ap-mumbai-1.oraclecloud.com',
+            'ap-seoul-1': 'waas.ap-seoul-1.oraclecloud.com',
+            'ap-tokyo-1': 'waas.ap-tokyo-1.oraclecloud.com'
         }
     };
 

diff --git a/other_modules/oracle/oci.js b/other_modules/oracle/oci.js
@@ -12,7 +12,8 @@ var kms = require( './services/kms.js' );
 var loadBalance = require( './services/loadBalance.js' );
 var search = require( './services/search.js' );
 var containerEngine = require( './services/containerEngine.js' );
-var myServices = require( './services/myServices.js')
+var myServices = require( './services/myServices.js');
+var waas = require( './services/waas.js');
 
 module.exports = {
     amazon: amazon,
@@ -29,5 +30,6 @@ module.exports = {
     kms: kms,
     loadBalance: loadBalance,
     search: search,
-    containerEngine: containerEngine
+    containerEngine: containerEngine,
+    waas: waas
 }
diff --git a/other_modules/oracle/services/iam/policy.js b/other_modules/oracle/services/iam/policy.js
@@ -43,8 +43,7 @@ function list( auth, parameters, callback ) {
   var headers = ocirest.buildHeaders( possibleHeaders, parameters );
   var queryString = ocirest.buildQueryString( possibleQueryStrings, parameters );
     ocirest.process( auth, 
-                     { path : auth.RESTversion + '/policies/' + encodeURIComponent(parameters.policyId) + 
-                              queryString,
+                     { path : auth.RESTversion + '/policies' + queryString,
                        host : endpoint.service.iam[auth.region],
                        headers : headers,
                        method : 'GET' }, 

diff --git a/other_modules/oracle/services/waas.js b/other_modules/oracle/services/waas.js
@@ -0,0 +1,6 @@
+var waasPolicy = require( './waas/waasPolicy.js' );
+
+
+module.exports = {
+    waasPolicy: waasPolicy,
+}
diff --git a/other_modules/oracle/services/waas/waasPolicy.js b/other_modules/oracle/services/waas/waasPolicy.js
@@ -0,0 +1,33 @@
+var ocirest = require('../../utils/ocirest.js');
+var endpoint = require('../../configs/endpoints.js');
+
+function get( auth, parameters, callback ) {
+    var possibleHeaders = ['opc-request-id'];
+    var headers = ocirest.buildHeaders( possibleHeaders, parameters );
+    ocirest.process( auth,
+        { path : auth.RESTversion +
+                '/waasPolicies/' + encodeURIComponent(parameters.waasPolicyId),
+            host : endpoint.service.waas[auth.region],
+            headers : headers,
+            method : 'GET' },
+        callback );
+};
+
+function list( auth, parameters, callback ) {
+  var possibleHeaders = ['opc-request-id'];
+  var possibleQueryStrings = ['compartmentId', 'limit', 'page', 'sortBy', 'sortOrder', 'id','timeCreatedGreaterThanOrEqualTo','timeCreatedLessThan', 'displayName', 'lifecycleState'];
+  var headers = ocirest.buildHeaders( possibleHeaders, parameters );
+  var queryString = ocirest.buildQueryString( possibleQueryStrings, parameters );
+
+    ocirest.process( auth,
+                   { path : auth.RESTversion + '/waasPolicies' + queryString,
+                     host : endpoint.service.waas[auth.region],
+                     headers : headers,
+                     method : 'GET' },
+                    callback );
+};
+
+module.exports = {
+    list: list,
+    get: get
+};
diff --git a/plugins/aws/ecr/ecrRepositoryPolicy.js b/plugins/aws/ecr/ecrRepositoryPolicy.js
@@ -42,6 +42,13 @@ module.exports = {
                 var getRepositoryPolicy = helpers.addSource(cache, source,
                     ['ecr', 'getRepositoryPolicy', region, name]);
 
+                if (getRepositoryPolicy && getRepositoryPolicy.err &&
+                    getRepositoryPolicy.err.code &&
+                    getRepositoryPolicy.err.code == 'RepositoryPolicyNotFoundException') {
+                    helpers.addResult(results, 0, 'ECR registry does not have a custom policy', region, arn);
+                    continue;
+                }
+
                 if (!getRepositoryPolicy || getRepositoryPolicy.err ||
                     !getRepositoryPolicy.data || !getRepositoryPolicy.data.policyText) {
                     helpers.addResult(

diff --git a/plugins/aws/iam/iamUserAdmins.js b/plugins/aws/iam/iamUserAdmins.js
@@ -131,6 +131,7 @@ module.exports = {
 
                             if (statement.Effect === 'Allow' &&
                                 statement.Action.indexOf('*') > -1 &&
+                                statement.Resource &&
                                 statement.Resource.indexOf('*') > -1) {
                                 userAdmins.push({name: user.UserName, arn: user.Arn});
                                 return cb();