From dc0a5acc3a74dd70d0b18e448124761a8481990d Mon Sep 17 00:00:00 2001 
From: Vikramjeet Singh <58273802+vikramsinghvirdi@users.noreply.github.com>
Date: Mon, 26 Oct 2020 12:57:38 -0700
Subject: [PATCH 1/9] Release/v1.2.0 (#26)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* PLA-17940 updating constraints and fixing s3_enable_access_logging to… (#3)
* PLA-17940 updating constraints and fixing s3_enable_access_logging to not remediate the logging target bucket
* PLA-17940 fixing copyright info
* Updated readme to have link for reporting issues (#4)
Co-authored-by: svikramjeet
* S3 access logs permissions (#6)
* Update minimum permissions for the job
* Add more logs when permission is missing
Co-authored-by: Mohammad Zuber Khan
* change the way cloudAccountId is parsed from Job Parameters (#9)
Co-authored-by: Mohammad Zuber Khan
* PLA-16779: Add remediation job for azure security group port 22 (#10)
* PLA-16779: Add remediation job for azure security group port 22
* add test dependencies
* update README.md
* add deployment info to the README
* add rule information
Co-authored-by: Mohammad Zuber Khan
* Add remediation job for closing port 22 for VM (#11)
* PLA-18743: Add remediation job for closing port 22 for VM
* add tests for azure_vm_close_port_22 to tox
* add deployment details
Co-authored-by: Mohammad Zuber Khan
* Add remediation jobs for storage and RDP violations (#12)
* add remediation job for closing RDP access
* Add remediation job for remove public access for blob
* Add remediation job to allow only https traffic to storage account
* update READMEs to fix broken links
Co-authored-by: Mohammad Zuber Khan
* fix the parameters passed for remediation (#13)
Co-authored-by: Mohammad Zuber Khan
* add check for existing permissions before adding new (#15)
Co-authored-by: Mohammad Zuber Khan
* Fix ports range for network security groups (#19)
* handle the case when the security rule port is a range
* Add minimum permissions for each remediation jobs
* add link to built in roles
Co-authored-by: Mohammad Zuber Khan
* update the remediation job payload (#21)
Co-authored-by: Mohammad Zuber Khan
* PLA-20459: Add rule information for the remediation job (#22)
* update the remediation job payload (#21)
Co-authored-by: Mohammad Zuber Khan
* PLA-20459: Add rule information for the remediation job
* add another rule remediated by the job
Co-authored-by: Mohammad Zuber Khan
* Master -> Dev Merge (#23)
* Release/v1.0.0 (#7)
* PLA-17940 updating constraints and fixing s3_enable_access_logging to… (#3)
* PLA-17940 updating constraints and fixing s3_enable_access_logging to not remediate the logging target bucket
* PLA-17940 fixing copyright info
* Updated readme to have link for reporting issues (#4)
Co-authored-by: svikramjeet
* S3 access logs permissions (#6)
* Update minimum permissions for the job
* Add more logs when permission is missing
Co-authored-by: Mohammad Zuber Khan
Co-authored-by: Paul Allen
Co-authored-by: svikramjeet
Co-authored-by: Zuber
Co-authored-by: Mohammad Zuber Khan
* Release/v1.1.0 (#17)
* PLA-17940 updating constraints and fixing s3_enable_access_logging to… (#3)
* PLA-17940 updating constraints and fixing s3_enable_access_logging to not remediate the logging target bucket
* PLA-17940 fixing copyright info
* Updated readme to have link for reporting issues (#4)
Co-authored-by: svikramjeet
* S3 access logs permissions (#6)
* Update minimum permissions for the job
* Add more logs when permission is missing
Co-authored-by: Mohammad Zuber Khan
* change the way cloudAccountId is parsed from Job Parameters (#9)
Co-authored-by: Mohammad Zuber Khan
* PLA-16779: Add remediation job for azure security group port 22 (#10)
* PLA-16779: Add remediation job for azure security group port 22
* add test dependencies
* update README.md
* add deployment info to the README
* add rule information
Co-authored-by: Mohammad Zuber Khan
* Add remediation job for closing port 22 for VM (#11)
* PLA-18743: Add remediation job for closing port 22 for VM
* add tests for azure_vm_close_port_22 to tox
* add deployment details
Co-authored-by: Mohammad Zuber Khan
* Add remediation jobs for storage and RDP violations (#12)
* add remediation job for closing RDP access
* Add remediation job for remove public access for blob
* Add remediation job to allow only https traffic to storage account
* update READMEs to fix broken links
Co-authored-by: Mohammad Zuber Khan
* fix the parameters passed for remediation (#13)
Co-authored-by: Mohammad Zuber Khan
* add check for existing permissions before adding new (#15)
Co-authored-by: Mohammad Zuber Khan
* Fix ports range for network security groups (#19) (#20)
* handle the case when the security rule port is a range
* Add minimum permissions for each remediation jobs
* add link to built in roles
Co-authored-by: Mohammad Zuber Khan
Co-authored-by: Zuber
Co-authored-by: Mohammad Zuber Khan
Co-authored-by: Paul Allen
Co-authored-by: svikramjeet
Co-authored-by: Zuber
Co-authored-by: Mohammad Zuber Khan
Co-authored-by: Paul Allen
Co-authored-by: svikramjeet
Co-authored-by: Zuber
Co-authored-by: Mohammad Zuber Khan
* Revert "Master -> Dev Merge (#23)" (#24)
This reverts commit a875459d0bdca88f8fd62b4464537591f6b99489.
Co-authored-by: Paul Allen
Co-authored-by: svikramjeet
Co-authored-by: Zuber
Co-authored-by: Mohammad Zuber Khan
---
 README.md | 7 +------
 .../jobs/ec2_close_port_22/README.md | 8 ++++++++
 .../jobs/ec2_close_port_3389/README.md | 8 ++++++++
 .../rds_backup_retention_30_days/README.md | 8 ++++++++
 .../jobs/s3_enable_access_logging/README.md | 8 ++++++++
 .../s3_enable_default_encryption/README.md | 8 ++++++++
 .../jobs/s3_remove_public_access/README.md | 18 ++++++++++++++++++
 .../jobs/s3_remove_public_admin_acl/README.md | 8 ++++++++
 .../security_group_close_port_22/README.md | 8 ++++++++
 .../security_group_close_port_3389/README.md | 8 ++++++++
 .../security_group_close_port_5432/README.md | 8 ++++++++
 11 files changed, 91 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md index 9e09942..8393fcb 100644 --- a/README.md +++ b/README.md @@ -43,13 +43,8 @@ The worker executes jobs in a fashion similar to running `python ./s3-remove-pub The finding payload is in the form: ```$json { - "cloudAccount": { - "provider": , - "roleArn": , - "subscriptionId": , - "applicationId": - }, "notificationInfo": { + "CloudAccountID" : , "RuleID": , "RuleName": , "RuleDisplayName": , diff --git a/remediation_worker/jobs/ec2_close_port_22/README.md b/remediation_worker/jobs/ec2_close_port_22/README.md index bdc9436..54c0278 100644 --- a/remediation_worker/jobs/ec2_close_port_22/README.md +++ b/remediation_worker/jobs/ec2_close_port_22/README.md @@ -2,6 +2,14 @@ This job blocks public access to port 22 for both IPv4 and IPv6 for all security groups associated with an EC2 instance. +### Applicable Rule + +##### Rule ID: +5c8c26417a550e1fb6560c3f + +##### Rule Name: +An EC2 instance's SSH port (22) is accessible from the public Internet for any source address + ## Getting Started ### Prerequisites diff --git a/remediation_worker/jobs/ec2_close_port_3389/README.md b/remediation_worker/jobs/ec2_close_port_3389/README.md index 130f5f6..6245d6f 100644 --- a/remediation_worker/jobs/ec2_close_port_3389/README.md +++ b/remediation_worker/jobs/ec2_close_port_3389/README.md @@ -2,6 +2,14 @@ This job blocks public access to port 3389 for both IPv4 and IPv6 for all security groups associated with an EC2 instance. +### Applicable Rule + +##### Rule ID: +5c8c26437a550e1fb6560c42 + +##### Rule Name: +An EC2 instance's Remote Desktop port (3389) is accessible from the public Internet for any source address + ## Getting Started ### Prerequisites diff --git a/remediation_worker/jobs/rds_backup_retention_30_days/README.md b/remediation_worker/jobs/rds_backup_retention_30_days/README.md index f013160..386a614 100644 --- a/remediation_worker/jobs/rds_backup_retention_30_days/README.md 
+++ b/remediation_worker/jobs/rds_backup_retention_30_days/README.md @@ -4,6 +4,14 @@ This job makes the RDS backup retention period 30 days. It first tries to modify the retention period of the DB instance. If that fails, it will try to set the retention period of the DB cluster that the instance belongs to. +### Applicable Rule + +##### Rule ID: +5c8c264a7a550e1fb6560c4d + +##### Rule Name: +The RDS backup retention period is less than 30 days + ## Getting Started ### Prerequisites diff --git a/remediation_worker/jobs/s3_enable_access_logging/README.md b/remediation_worker/jobs/s3_enable_access_logging/README.md index f8f32b1..6ecd058 100644 --- a/remediation_worker/jobs/s3_enable_access_logging/README.md +++ b/remediation_worker/jobs/s3_enable_access_logging/README.md @@ -2,6 +2,14 @@ This job enables access logging for an S3 bucket. +### Applicable Rule + +##### Rule ID: +5c8c265e7a550e1fb6560c67 + +##### Rule Name: +S3 access logging is not enabled + ## Getting Started ### Prerequisites diff --git a/remediation_worker/jobs/s3_enable_default_encryption/README.md b/remediation_worker/jobs/s3_enable_default_encryption/README.md index e8165db..53adcfd 100644 --- a/remediation_worker/jobs/s3_enable_default_encryption/README.md +++ b/remediation_worker/jobs/s3_enable_default_encryption/README.md @@ -2,6 +2,14 @@ This job enables default encryption for an S3 bucket using AES256. +### Applicable Rule + +##### Rule ID: +1d187035-9fff-48b2-a7c3-ffc56a4da5e6 + +##### Rule Name: +An S3 bucket default encryption is not enabled + ## Getting Started ### Prerequisites diff --git a/remediation_worker/jobs/s3_remove_public_access/README.md b/remediation_worker/jobs/s3_remove_public_access/README.md index 602599a..6d98c45 100644 --- a/remediation_worker/jobs/s3_remove_public_access/README.md +++ b/remediation_worker/jobs/s3_remove_public_access/README.md 
@@ -2,6 +2,24 @@ This job blocks public access to an S3 bucket. +### Applicable Rule + +##### Rule ID: +* 5c8c26507a550e1fb6560c57 +* 5c8c26517a550e1fb6560c59 +* 5c8c26537a550e1fb6560c5a +* 5c8c26537a550e1fb6560c5b +* 5c8c26547a550e1fb6560c5c +* 5c8c26637a550e1fb6560c6b + +##### Rule Name: +* An S3 bucket is configured so that all users have unrestricted permissions +* Read access to an S3 bucket is unrestricted +* An S3 bucket is configured to allow all users to read permissions +* Write access to an S3 bucket is unrestricted +* An S3 bucket is configured to allow unrestricted access control changes +* The S3 bucket policy allows unrestricted get access + ## Getting Started ### Prerequisites diff --git a/remediation_worker/jobs/s3_remove_public_admin_acl/README.md b/remediation_worker/jobs/s3_remove_public_admin_acl/README.md index 3e46299..ee89274 100644 --- a/remediation_worker/jobs/s3_remove_public_admin_acl/README.md +++ b/remediation_worker/jobs/s3_remove_public_admin_acl/README.md @@ -2,6 +2,14 @@ This job will remove the public "write bucket permissions" permission. All other ACL permissions will be left alone. This means that if "AllUsers" have access to FULL_CONTROL, the permissions will be changed to allow "READ", "WRITE", and "READ_ACP" rather than "FULL_CONTROL" which includes "WRITE_ACP". +### Applicable Rule + +##### Rule ID: +5c8c26617a550e1fb6560c69 + +##### Rule Name: +The S3 bucket policy allows unrestricted access + ## Getting Started ### Prerequisites diff --git a/remediation_worker/jobs/security_group_close_port_22/README.md b/remediation_worker/jobs/security_group_close_port_22/README.md index 671f0bf..112feaa 100644 --- a/remediation_worker/jobs/security_group_close_port_22/README.md +++ b/remediation_worker/jobs/security_group_close_port_22/README.md 
@@ -2,6 +2,14 @@ This job blocks public access to port 22 for both IPv4 and IPv6. +### Applicable Rule + +##### Rule ID: +5c8c25ec7a550e1fb6560bbe + +##### Rule Name: +A security group's SSH port (22) is accessible through any source address + ## Getting Started ### Prerequisites diff --git a/remediation_worker/jobs/security_group_close_port_3389/README.md b/remediation_worker/jobs/security_group_close_port_3389/README.md index 41d3865..b431123 100644 --- a/remediation_worker/jobs/security_group_close_port_3389/README.md +++ b/remediation_worker/jobs/security_group_close_port_3389/README.md @@ -2,6 +2,14 @@ This job blocks public access to port 3389 for both IPv4 and IPv6. +### Applicable Rule + +##### Rule ID: +5c8c25ef7a550e1fb6560bc4 + +##### Rule Name: +A security group's Remote Desktop port (3389) is accessible through any source address + ## Getting Started ### Prerequisites diff --git a/remediation_worker/jobs/security_group_close_port_5432/README.md b/remediation_worker/jobs/security_group_close_port_5432/README.md index 41c68af..f4682b9 100644 --- a/remediation_worker/jobs/security_group_close_port_5432/README.md +++ b/remediation_worker/jobs/security_group_close_port_5432/README.md @@ -2,6 +2,14 @@ This job blocks public access to port 5432 for both IPv4 and IPv6. +### Applicable Rule + +##### Rule ID: +5c8c25f07a550e1fb6560bc6 + +##### Rule Name: +A security group's PostgreSQL Server port (5432) is accessible through any source address + ## Getting Started ### Prerequisites From 46b489e7aa0113e7701c7772004d06c5f879326b Mon Sep 17 00:00:00 2001 
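Review bot: in the top-level README payload hunk of PATCH 1/9, the `cloudAccount` object (`provider`, `roleArn`, `subscriptionId`, `applicationId`) is removed and `"CloudAccountID" : ,` is added under `notificationInfo`, but nothing in the README now says what that value is or how the worker resolves the AWS role or Azure subscription it will act on from it; add a one-line description of the field and of how credentials are derived from it. Also match the formatting of the neighbouring keys (`"CloudAccountID": ,`, no space before the colon).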
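Review bot: in the `s3_remove_public_admin_acl` README hunk, the applicable rule is named `The S3 bucket policy allows unrestricted access`, while the job description above it says the job edits ACL grants (it narrows an `AllUsers` `FULL_CONTROL` grant to `READ`, `WRITE` and `READ_ACP`) and never touches the bucket policy. Either rule ID `5c8c26617a550e1fb6560c69` is mapped to the wrong job or the rule name is wrong; whichever it is, state in the README that `READ` and `WRITE` remain public after the job runs, because a reader of that rule name will expect all unrestricted access to be gone.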
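Review bot: the new `Applicable Rule` blocks in every job README jump from `###` straight to `#####` with no `####` level in between; use `####` for `Rule ID:` and `Rule Name:` so the heading hierarchy stays consistent across the READMEs. One rule ID (`1d187035-9fff-48b2-a7c3-ffc56a4da5e6` in `s3_enable_default_encryption`) is a UUID while every other one in this patch is a 24-character hex ID; confirm it was copied from the same rule catalogue as the rest.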
From: Shrutika Kulkarni
Date: Mon, 2 Nov 2020 20:36:42 +0530
Subject: [PATCH 2/9] Azure security center enable ddos protection remediation script

---
 .../.DS_Store | Bin 0 -> 6148 bytes
 .../README.md | 64 ++++++++
 .../__init__.py | 0
 ..._security_center_enable_ddos_protection.py | 137 ++++++++++++++++++
 .../constraints.txt | 25 ++++
 .../minimum_permissions.json | 21 +++
 .../requirements-dev.txt | 13 ++
 .../requirements.txt | 2 +
 ..._security_center_enable_ddos_protection.py | 70 +++++++++
 9 files changed, 332 insertions(+)
 create mode 100644 remediation_worker/jobs/azure_security_center_enable_ddos_protection/.DS_Store
 create mode 100644 remediation_worker/jobs/azure_security_center_enable_ddos_protection/README.md
 create mode 100644 remediation_worker/jobs/azure_security_center_enable_ddos_protection/__init__.py
 create mode 100644 remediation_worker/jobs/azure_security_center_enable_ddos_protection/azure_security_center_enable_ddos_protection.py
 create mode 100644 remediation_worker/jobs/azure_security_center_enable_ddos_protection/constraints.txt
 create mode 100644 remediation_worker/jobs/azure_security_center_enable_ddos_protection/minimum_permissions.json
 create mode 100644 remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements-dev.txt
 create mode 100644 remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements.txt
 create mode 100644 test/unit/test_azure_security_center_enable_ddos_protection.py
diff --git a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/.DS_Store b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..c4e96429b79ac9be7adb8791573cdf92f4de7fc6 GIT binary patch literal 6148 zcmeHKJ5B>J5PgOedjdGJrKU!O{lR5|Mdn3$hYMWYTGl6caT0R4`od zwgF?n82D`r$h*6#?`(=b^6&5Lq&rAj-9d{U@_9I7tG=nw`iL50h6I;vSLjHdVwBsV z=Tk1~kiPerVx-<<>O_08@{I8bNBXoo^k}Mmi59xFnrQPGU`%Vs*@1c`)G6)0eskt( z*46iOt8X#C_>LJhVkNTY340alJ51(kf1Rs+7d?$giBmSIL+X^#F&|%tWV>dM>lE|h zh57b!)vV(T4IHD6Q(}dA+QkU>z=-Eu#5Py!;D)QGYW0*M*}(z1>EQO8o#c5af0<`F z6OXJTAJ4AIpJ#w)w#eG1N7KfDF<=aQG9cfFh)pmKn0eGs2bEp{h$RlI(3YPCiHQQn z0W*)Bp*SB(^r0?XF`N(Qcoh8NfSE@h4i_#TF0Aar4aMo|%pa*cT 0: + resource_id = ddos_plans_list[0].id + logging.info(f" Resource ID of Azure DDos Protection Plan={resource_id}") + else: + logging.error(f" Azure cloud user with subscription ID: {subscription_id} has no active Azure DDos protection plan available") + return 1 + + virtual_network = client.virtual_networks.get( + resource_group_name=resource_group_name, + virtual_network_name=virtual_network_name, + ) + + virtual_network.enable_ddos_protection = True + + updated_SubResource = SubResource() + + updated_SubResource.id = resource_id + + virtual_network.ddos_protection_plan = updated_SubResource + + logging.info("Enabling DDos protection for Virtual Network") + try: + logging.info(" executing client.virtual_networks.begin_create_or_update") + logging.info(f" resource_group_name={resource_group_name}") + logging.info(f" virtual_network_name={virtual_network_name}") + + client.virtual_networks.begin_create_or_update( + resource_group_name=resource_group_name, + virtual_network_name=virtual_network_name, + parameters=virtual_network, + ) + except Exception as e: + logging.error(f"{str(e)}") + raise + return 0 + + def run(self, args): + """Run the remediation job. + :param args: List of arguments provided to the job. 
+ :type args: list. + :returns: int + """ + params = self.parse(args[1]) + + credentials = ClientSecretCredential( + client_id=os.environ.get("AZURE_CLIENT_ID"), + client_secret=os.environ.get("AZURE_CLIENT_SECRET"), + tenant_id=os.environ.get("AZURE_TENANT_ID"), + ) + + client = NetworkManagementClient(credentials, params["subscription_id"]) + return self.remediate( + client, + params["resource_group_name"], + params["virtual_network_name"], + ) + +if __name__ == "__main__": + sys.exit(VirtualNetworkEnableDdosProtection().run(sys.argv)) \ No newline at end of file diff --git a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/constraints.txt b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/constraints.txt new file mode 100644 index 0000000..354ff95 --- /dev/null +++ b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/constraints.txt @@ -0,0 +1,25 @@ +adal==1.2.5 +azure-common==1.1.25 +azure-core==1.8.2 +azure-identity==1.4.1 +azure-mgmt-core==1.2.1 +azure-mgmt-network==16.0.0 +certifi==2020.6.20 +cffi==1.14.3 +chardet==3.0.4 +cryptography==3.2.1 +idna==2.10 +isodate==0.6.0 +msal==1.5.1 +msal-extensions==0.2.2 +msrest==0.6.19 +msrestazure==0.6.4 +oauthlib==3.1.0 +portalocker==1.7.1 +pycparser==2.20 +PyJWT==1.7.1 +python-dateutil==2.8.1 +requests==2.24.0 +requests-oauthlib==1.3.0 +six==1.12.0 +urllib3==1.25.11 \ No newline at end of file diff --git a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/minimum_permissions.json b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/minimum_permissions.json new file mode 100644 index 0000000..789afd2 --- /dev/null +++ b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/minimum_permissions.json 
@@ -0,0 +1,21 @@ +{ + "properties": { + "roleName": "remediate_enable_ddos_protection", + "description": "This role has required permissions to make changes to the virtual network", + "assignableScopes": [ + ], + "permissions": [ + { + "actions": [ + "Microsoft.Network/virtualNetworks/read", + "Microsoft.Network/virtualNetworks/write", + "Microsoft.Network/ddosProtectionPlans/read", + "Microsoft.Network/ddosProtectionPlans/join/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ] + } +} \ No newline at end of file diff --git a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements-dev.txt b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements-dev.txt new file mode 100644 index 0000000..c7db384 --- /dev/null +++ b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements-dev.txt @@ -0,0 +1,13 @@ +-r requirements.txt +-c constraints.txt + +importlib-metadata==2.0.0 +iniconfig==1.1.1 +mock==4.0.2 +packaging==20.4 +pluggy==0.13.1 +py==1.9.0 +pyparsing==2.4.7 +pytest==6.1.2 +toml==0.10.1 +zipp==3.4.0 \ No newline at end of file diff --git a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements.txt b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements.txt new file mode 100644 index 0000000..747aad9 --- /dev/null +++ b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements.txt @@ -0,0 +1,2 @@ +azure-identity==1.4.1 +azure-mgmt-network==16.0.0 \ No newline at end of file diff --git a/test/unit/test_azure_security_center_enable_ddos_protection.py b/test/unit/test_azure_security_center_enable_ddos_protection.py new file mode 100644 index 0000000..700129c --- /dev/null +++ b/test/unit/test_azure_security_center_enable_ddos_protection.py 
@@ -0,0 +1,70 @@ +# Copyright (c) 2020 VMware Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import pytest +from mock import Mock +from typing import List +from azure.mgmt.network.models import DdosProtectionPlanListResult, SubResource +from remediation_worker.jobs.azure_security_center_enable_ddos_protection.azure_security_center_enable_ddos_protection import ( + VirtualNetworkEnableDdosProtection, +) + +@pytest.fixture +def valid_payload(): + return """ +{ + "notificationInfo": { + "RuleId": "5c6cc5e103dcc90f363146cd", + "Service": "Network", + "FindingInfo": { + "FindingId": "d0431afd-b82e-4021-8aa6-ba3cf5c60ef7", + "ObjectId": "vnet_name", + "ObjectChain": "{\\"cloudAccountId\\":\\"subscription_id\\",\\"entityId\\":\\"Azure.Network.d687b1a3-9b78-43b1-a17b-7de297fd1fce.resource_group_name.Network.virtual_network_name\\",\\"entityName\\":\\"virtual_network_name\\",\\"entityType\\":\\"Azure.Network.virtualnetwork\\",\\"lastUpdateTime\\":\\"2020-09-09T00:36:35.000Z\\",\\"partitionKey\\":\\"d687b1a3-9b78-43b1-a17b-7de297fd1fce\\",\\"provider\\":\\"Azure\\",\\"region\\":\\"eastus\\",\\"service\\":\\"Network\\", \\"properties\\":[{\\"name\\":\\"ResourceGroup\\",\\"stringV\\":\\"resource_group_name\\",\\"type\\":\\"string\\"}]}", + "Region": "region" + } + } +} +""" + +class TestBlobRemovePublicAccess(object): + def test_parse_payload(self, valid_payload): + params = VirtualNetworkEnableDdosProtection().parse(valid_payload) + assert params["virtual_network_name"] 
== "vnet_name" + assert params["resource_group_name"] == "resource_group_name" + assert params["subscription_id"] == "subscription_id" + assert params["region"] == "region" + + def test_remediate_success(self): + client = Mock() + action = VirtualNetworkEnableDdosProtection() + DdosProtectionPlanListResult = Mock() + ddos_plans_list = [] + ddos_plans_list.append(DdosProtectionPlanListResult) + client.ddos_protection_plans.list.return_value = ddos_plans_list + assert ( + action.remediate(client, "resource_group", "virtual_network_name", "subscription_id") + == 0 + ) + assert client.virtual_networks.begin_create_or_update.call_count == 1 + + call_args = client.virtual_networks.begin_create_or_update.call_args + updated_vnet = call_args[1]["parameters"] + assert updated_vnet.enable_ddos_protection == True + + def test_remediate_with_exception(self): + client = Mock() + client.virtual_networks.begin_create_or_update.side_effect = Exception + action = VirtualNetworkEnableDdosProtection() + with pytest.raises(Exception): + assert action.remediate(client, "security_group_id", "resource_group") \ No newline at end of file From c5e1f32186a1432ce339e9e681fa40a9d8350507 Mon Sep 17 00:00:00 2001 From: Shrutika Kulkarni Date: Mon, 2 Nov 2020 20:43:13 +0530 Subject: [PATCH 3/9] Removed .DS_Store file --- .../.DS_Store | Bin 6148 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 remediation_worker/jobs/azure_security_center_enable_ddos_protection/.DS_Store 
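Review bot: in the `remediate` hunk of PATCH 2/9, `client.virtual_networks.begin_create_or_update(...)` returns a long-running-operation poller that is discarded, so the job returns 0 as soon as the request is accepted and any failure Azure reports while the update runs (a plan the service principal cannot join, a VNet in a state that rejects the change) is never raised or logged; the `except Exception` block only ever sees errors from submitting the request. Keep the poller and wait on it before returning, e.g. `poller = client.virtual_networks.begin_create_or_update(...)` followed by `poller.result()`, so the job's exit code reflects the real outcome.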
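Review bot: `resource_id = ddos_plans_list[0].id` attaches the VNet to whichever plan the subscription-wide `ddos_protection_plans.list()` call happens to return first. In a subscription with more than one plan this is non-deterministic across runs and can silently join a VNet to a plan owned by another team; the README describes this as "assigning any one", which is not a property a remediation job should have. Select the plan explicitly, for example from a plan ID supplied in the job parameters or by matching the VNet's resource group or tags, and log an error and return 1 when no single plan matches, as the code already does for the no-plan case.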
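Review bot: in the `run` hunk, `ClientSecretCredential` is built from `os.environ.get(...)`, which yields `None` for a missing `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET` or `AZURE_TENANT_ID` and only fails later inside the token request with an unrelated-looking error; read the variables with `os.environ[...]` or check them up front and log which one is absent. `args[1]` is also indexed without checking `len(args)`, so running the script with no payload argument ends in an `IndexError` instead of a usage message.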
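Review bot: in the test hunk, `test_remediate_with_exception` calls `action.remediate(client, "security_group_id", "resource_group")` with fewer positional arguments than the method takes (`test_remediate_success` passes `client, "resource_group", "virtual_network_name", "subscription_id"`), so the `Exception` that `pytest.raises` catches is the `TypeError` from the call itself and the `begin_create_or_update.side_effect` is never exercised; pass all four arguments and set `client.ddos_protection_plans.list.return_value` so the call reaches the mocked client. In `test_remediate_success`, `DdosProtectionPlanListResult = Mock()` shadows the model imported at the top of the file, and the test never checks `updated_vnet.ddos_protection_plan.id`, which is the part of the update that matters. The class name `TestBlobRemovePublicAccess` is copied from another job, and the fixture's `RuleId` (`5c6cc5e103dcc90f363146cd`) does not match the rule ID the job README lists.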
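Review bot: the patch commits a macOS `.DS_Store` binary under the job directory (deleted again in PATCH 3/9); add `.DS_Store` to `.gitignore` so it cannot come back. `requirements.txt` and `constraints.txt` pin versions but carry no hashes, so `pip install -r requirements.txt` still trusts whatever the index serves for those versions (PATCH 5/9 adds `--hash` entries to the constraints file; see the note there). In `minimum_permissions.json`, `assignableScopes` is an empty array, so the custom role cannot be created as shipped; say in the README that the subscription or resource-group scope has to be filled in before the role definition is created, and mention the role name `remediate_enable_ddos_protection` so operators can find it. Several of the new files also end without a trailing newline.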
diff --git a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/.DS_Store b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/.DS_Store deleted file mode 100644 index c4e96429b79ac9be7adb8791573cdf92f4de7fc6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeHKJ5B>J5PgOedjdGJrKU!O{lR5|Mdn3$hYMWYTGl6caT0R4`od zwgF?n82D`r$h*6#?`(=b^6&5Lq&rAj-9d{U@_9I7tG=nw`iL50h6I;vSLjHdVwBsV z=Tk1~kiPerVx-<<>O_08@{I8bNBXoo^k}Mmi59xFnrQPGU`%Vs*@1c`)G6)0eskt( z*46iOt8X#C_>LJhVkNTY340alJ51(kf1Rs+7d?$giBmSIL+X^#F&|%tWV>dM>lE|h zh57b!)vV(T4IHD6Q(}dA+QkU>z=-Eu#5Py!;D)QGYW0*M*}(z1>EQO8o#c5af0<`F z6OXJTAJ4AIpJ#w)w#eG1N7KfDF<=aQG9cfFh)pmKn0eGs2bEp{h$RlI(3YPCiHQQn z0W*)Bp*SB(^r0?XF`N(Qcoh8NfSE@h4i_#TF0Aar4aMo|%pa*cT Date: Thu, 5 Nov 2020 18:40:35 +0530 Subject: [PATCH 4/9] Made changes in README.md --- .../README.md | 31 +++++++++---------- ..._security_center_enable_ddos_protection.py | 4 +-- 2 files changed, 16 insertions(+), 19 deletions(-) diff --git a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/README.md b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/README.md index 76f9d99..cea6e30 100644 --- a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/README.md +++ b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/README.md 
@@ -1,40 +1,38 @@ # Enable DDos protection for Virtual Network -This job enables DDos protection for a virtual network by looking into the available DDos protection plans and assigning any one to the virtual network +This job enables DDos protection for a virtual network by listing all the available DDos protection plans and assigning any one to the virtual network. ### Applicable Rule -**Rule ID:** +##### Rule ID: 5c8c26997a550e1fb6560cd9 -**Rule Name:** +##### Rule Name: DDos protection is enabled for virtual network ## Getting Started ### Prerequisites The provided Azure service principal must have the following permissions: -``` -Microsoft.Network/virtualNetworks/read -Microsoft.Network/virtualNetworks/write -Microsoft.Network/ddosProtectionPlans/read -Microsoft.Network/ddosProtectionPlans/join/action -``` +`Microsoft.Network/virtualNetworks/read` +`Microsoft.Network/virtualNetworks/write` +`Microsoft.Network/ddosProtectionPlans/read` +`Microsoft.Network/ddosProtectionPlans/join/action` -A sample role with requisite permissions can be found [here]() +A sample role with requisite permissions can be found [here](minimum_policy.json) More information about already builtin roles and permissions can be found [here](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles) ### Running the script You may run this script using following commands: -``` +```shell script pip install -r requirements.txt python3 azure_security_center_enable_ddos_protection.py ``` ## Running the tests You may run test using following command under vss-remediation-worker-job-code-python directory: -``` +```shell script pip install -r requirements-dev.txt python3 -m pytest test ``` 
@@ -42,22 +40,23 @@ You may run test using following command under vss-remediation-worker-job-code-p Provision a Virtual Machine Create an EC2 instance to use for the worker. The minimum required specifications are 128 MB memory and 1/2 Core CPU. Setup Docker Install Docker on the newly provisioned EC2 instance. You can refer to the [docs here](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/docker-basics.html) for more information. Deploy the worker image SSH into the EC2 instance and run the command below to deploy the worker image: - ``` + ```shell script docker run --rm -it --name worker \ -e VSS_CLIENT_ID={ENTER CLIENT ID} -e VSS_CLIENT_SECRET={ENTER CLIENT SECRET} \ vmware/vss-remediation-worker:latest-python ``` ## Contributing -The Secure State team welcomes contributions from the community. If you wish to contribute code and you have not signed our contributor license agreement (CLA), our bot will update the issue when you open a Pull Request. For any questions about the CLA process, please refer to our [FAQ](https://cla.vmware.com/faq). All contributions to this repository must be signed as described on that page. Your signature certifies that you wrote the patch or have the right to pass it on as an open-source patch. +The Secure State team welcomes contributions from the community. If you wish to contribute code and you have not signed our contributor license agreement (CLA), our bot will update the issue when you open a Pull Request. For any questions about the CLA process, please refer to our [FAQ](https://cla.vmware.com/faq). -For more detailed information, refer to [CONTRIBUTING.md](https://github.com/vmware-samples/secure-state-remediation-jobs/blob/master/CONTRIBUTING.md). +All contributions to this repository must be signed as described on that page. Your signature certifies that you wrote the patch or have the right to pass it on as an open-source patch. 
+For more detailed information, refer to [CONTRIBUTING.md](../../../CONTRIBUTING.md). ## Versioning We use SemVer for versioning. For the versions available, see the tags on this repository. ## Authors -VMware Secure State - Initial work +* **VMware Secure State** - *Initial work* See also the list of [contributors](https://github.com/vmware-samples/secure-state-remediation-jobs/graphs/contributors) who participated in this project. ## License diff --git a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/azure_security_center_enable_ddos_protection.py b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/azure_security_center_enable_ddos_protection.py index c871e2d..3e15442 100644 --- a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/azure_security_center_enable_ddos_protection.py +++ b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/azure_security_center_enable_ddos_protection.py @@ -90,9 +90,7 @@ def remediate(self, client, resource_group_name, virtual_network_name, subscript virtual_network.enable_ddos_protection = True - updated_SubResource = SubResource() - - updated_SubResource.id = resource_id + updated_SubResource = SubResource(id = resource_id) virtual_network.ddos_protection_plan = updated_SubResource From 0dcfd93092fc78480666160ce14fd40d0688cdb2 Mon Sep 17 00:00:00 2001 From: Shrutika Kulkarni Date: Fri, 6 Nov 2020 19:23:42 +0530 Subject: [PATCH 5/9] Addressed the review comments --- .../README.md | 6 +- ..._security_center_enable_ddos_protection.py | 22 ++- .../constraints.txt | 155 +++++++++++++++--- .../requirements-dev.txt | 40 +++-- .../requirements.txt | 7 +- 5 files changed, 182 insertions(+), 48 deletions(-) diff --git a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/README.md b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/README.md index cea6e30..66e017b 100644 
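Review bot: in the README.md hunk of PATCH 4/9, `[here](minimum_policy.json)` points at a file that does not exist in the job directory; the role definition added in PATCH 2/9 is `minimum_permissions.json`, so the link should be `[here](minimum_permissions.json)`. The `Deployment` context in the same hunk tells the reader to "Create an EC2 instance" and links the AWS ECS Docker docs for an Azure remediation job; the worker only needs a host with Docker, so make the wording provider-neutral. The `docker run` example also passes `VSS_CLIENT_SECRET={ENTER CLIENT SECRET}` on the command line, which leaves the secret in shell history and visible in `ps` on the host; suggest `--env-file`, or exporting the variables first and using `-e VSS_CLIENT_SECRET` with no value so Docker reads it from the calling environment.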
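Review bot: the rule name `DDos protection is enabled for virtual network` states the compliant condition, whereas every other rule name in this repository describes the violation (`S3 access logging is not enabled`, `The RDS backup retention period is less than 30 days`); check the catalogue entry and, if the rule fires when protection is absent, name it that way, and use the `DDoS` spelling consistently. In the Python hunk, `SubResource(id = resource_id)` should be `SubResource(id=resource_id)` (PEP 8 keyword-argument spacing); the simplification itself is fine.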
--- a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/README.md +++ b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/README.md @@ -1,11 +1,11 @@ -# Enable DDos protection for Virtual Network +# Enable DDoS protection for Virtual Network -This job enables DDos protection for a virtual network by listing all the available DDos protection plans and assigning any one to the virtual network. +This job enables DDos protection for a virtual network by listing all the available DDoS protection plans and assigning any one to the virtual network. ### Applicable Rule ##### Rule ID: -5c8c26997a550e1fb6560cd9 +3abf3147-ea53-4302-b237-caab4d764c77 ##### Rule Name: DDos protection is enabled for virtual network diff --git a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/azure_security_center_enable_ddos_protection.py b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/azure_security_center_enable_ddos_protection.py index 3e15442..5835284 100644 --- a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/azure_security_center_enable_ddos_protection.py +++ b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/azure_security_center_enable_ddos_protection.py @@ -1,3 +1,17 @@ +# Copyright (c) 2020 VMware Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + import json import os import sys 
@@ -11,14 +25,6 @@ logging.basicConfig(level=logging.INFO) -def logcall(f, *args, **kwargs): - logging.info( - "%s(%s)", - f.__name__, - ", ".join(list(args) + [f"{k}={repr(v)}" for k, v in kwargs.items()]), - ) - logging.info(f(*args, **kwargs)) - class VirtualNetworkEnableDdosProtection(object): def parse(self, payload): """Parse payload received from Remediation Service. diff --git a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/constraints.txt b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/constraints.txt index 354ff95..5c198ec 100644 --- a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/constraints.txt +++ b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/constraints.txt 
@@ -1,25 +1,130 @@ -adal==1.2.5 -azure-common==1.1.25 -azure-core==1.8.2 -azure-identity==1.4.1 -azure-mgmt-core==1.2.1 -azure-mgmt-network==16.0.0 -certifi==2020.6.20 -cffi==1.14.3 -chardet==3.0.4 -cryptography==3.2.1 -idna==2.10 -isodate==0.6.0 -msal==1.5.1 -msal-extensions==0.2.2 -msrest==0.6.19 -msrestazure==0.6.4 -oauthlib==3.1.0 -portalocker==1.7.1 -pycparser==2.20 -PyJWT==1.7.1 -python-dateutil==2.8.1 -requests==2.24.0 -requests-oauthlib==1.3.0 -six==1.12.0 -urllib3==1.25.11 \ No newline at end of file +adal==1.2.5 \ + --hash=sha256:7492aff8f0ba7dd4e1c477303295c645141540fff34c3ca6de0a0b0e6c1c122a \ + --hash=sha256:8003ba03ef04170195b3eddda8a5ab43649ef2c5f0287023d515affb1ccfcfc3 +azure-common==1.1.25 \ + --hash=sha256:ce0f1013e6d0e9faebaf3188cc069f4892fc60a6ec552e3f817c1a2f92835054 \ + --hash=sha256:fd02e4256dc9cdd2d4422bc795bdca2ef302f7a86148b154fbf4ea1f09da400a +azure-core==1.8.2 \ + --hash=sha256:621b53271f7988b766f8a7d7f7a2c44241e3d2c1d8db13e68089d6da6241748e \ + --hash=sha256:be23d411e19874f375c2ef0327c452be10b1e9a1023ac6afe334598f2920136b +azure-mgmt-core==1.2.1 \ + --hash=sha256:a3906fa77edfedfcc3229dc3b69489d5ed63b107c7eacbc50092e6cbfbfd83f0 \ + --hash=sha256:bd4503a2d81b86780f15936af2e4244c1345062f4c2422f0b377b56cb80d7796 +azure-identity==1.4.1 \ + --hash=sha256:6f95b3505fc134ad16bd16da053456e1933188ac43161704d48ddb4edebf72c9 \ + --hash=sha256:7b071089faf0789059ac24052e311e2b096a002c173d42b96896db09c6e2ba5d +azure-mgmt-network==16.0.0 \ + --hash=sha256:6159a8c44590cc58841690c27c7d4acb0cd9ad0a1e5178c1d35e0f48e3c3c0e9 \ + --hash=sha256:c0e8358e9d530790dbf3efef6b31bce26e664de5096cbd84c62845067da815d1 +certifi==2020.6.20 \ + --hash=sha256:5930595817496dd21bb8dc35dad090f1c2cd0adfaf21204bf6732ca5d8ee34d3 \ + --hash=sha256:8fc0819f1f30ba15bdb34cceffb9ef04d99f420f68eb75d901e9560b8749fc41 +cffi==1.14.3 \ + --hash=sha256:005f2bfe11b6745d726dbb07ace4d53f057de66e336ff92d61b8c7e9c8f4777d \ + 
--hash=sha256:09e96138280241bd355cd585148dec04dbbedb4f46128f340d696eaafc82dd7b \ + --hash=sha256:0b1ad452cc824665ddc682400b62c9e4f5b64736a2ba99110712fdee5f2505c4 \ + --hash=sha256:0ef488305fdce2580c8b2708f22d7785ae222d9825d3094ab073e22e93dfe51f \ + --hash=sha256:15f351bed09897fbda218e4db5a3d5c06328862f6198d4fb385f3e14e19decb3 \ + --hash=sha256:22399ff4870fb4c7ef19fff6eeb20a8bbf15571913c181c78cb361024d574579 \ + --hash=sha256:23e5d2040367322824605bc29ae8ee9175200b92cb5483ac7d466927a9b3d537 \ + --hash=sha256:2791f68edc5749024b4722500e86303a10d342527e1e3bcac47f35fbd25b764e \ + --hash=sha256:2f9674623ca39c9ebe38afa3da402e9326c245f0f5ceff0623dccdac15023e05 \ + --hash=sha256:3363e77a6176afb8823b6e06db78c46dbc4c7813b00a41300a4873b6ba63b171 \ + --hash=sha256:33c6cdc071ba5cd6d96769c8969a0531be2d08c2628a0143a10a7dcffa9719ca \ + --hash=sha256:3b8eaf915ddc0709779889c472e553f0d3e8b7bdf62dab764c8921b09bf94522 \ + --hash=sha256:3cb3e1b9ec43256c4e0f8d2837267a70b0e1ca8c4f456685508ae6106b1f504c \ + --hash=sha256:3eeeb0405fd145e714f7633a5173318bd88d8bbfc3dd0a5751f8c4f70ae629bc \ + --hash=sha256:44f60519595eaca110f248e5017363d751b12782a6f2bd6a7041cba275215f5d \ + --hash=sha256:4d7c26bfc1ea9f92084a1d75e11999e97b62d63128bcc90c3624d07813c52808 \ + --hash=sha256:529c4ed2e10437c205f38f3691a68be66c39197d01062618c55f74294a4a4828 \ + --hash=sha256:6642f15ad963b5092d65aed022d033c77763515fdc07095208f15d3563003869 \ + --hash=sha256:85ba797e1de5b48aa5a8427b6ba62cf69607c18c5d4eb747604b7302f1ec382d \ + --hash=sha256:8f0f1e499e4000c4c347a124fa6a27d37608ced4fe9f7d45070563b7c4c370c9 \ + --hash=sha256:a624fae282e81ad2e4871bdb767e2c914d0539708c0f078b5b355258293c98b0 \ + --hash=sha256:b0358e6fefc74a16f745afa366acc89f979040e0cbc4eec55ab26ad1f6a9bfbc \ + --hash=sha256:bbd2f4dfee1079f76943767fce837ade3087b578aeb9f69aec7857d5bf25db15 \ + --hash=sha256:bf39a9e19ce7298f1bd6a9758fa99707e9e5b1ebe5e90f2c3913a47bc548747c \ + --hash=sha256:c11579638288e53fc94ad60022ff1b67865363e730ee41ad5e6f0a17188b327a \ + 
--hash=sha256:c150eaa3dadbb2b5339675b88d4573c1be3cb6f2c33a6c83387e10cc0bf05bd3 \ + --hash=sha256:c53af463f4a40de78c58b8b2710ade243c81cbca641e34debf3396a9640d6ec1 \ + --hash=sha256:cb763ceceae04803adcc4e2d80d611ef201c73da32d8f2722e9d0ab0c7f10768 \ + --hash=sha256:cc75f58cdaf043fe6a7a6c04b3b5a0e694c6a9e24050967747251fb80d7bce0d \ + --hash=sha256:d80998ed59176e8cba74028762fbd9b9153b9afc71ea118e63bbf5d4d0f9552b \ + --hash=sha256:de31b5164d44ef4943db155b3e8e17929707cac1e5bd2f363e67a56e3af4af6e \ + --hash=sha256:e66399cf0fc07de4dce4f588fc25bfe84a6d1285cc544e67987d22663393926d \ + --hash=sha256:f0620511387790860b249b9241c2f13c3a80e21a73e0b861a2df24e9d6f56730 \ + --hash=sha256:f4eae045e6ab2bb54ca279733fe4eb85f1effda392666308250714e01907f394 \ + --hash=sha256:f92cdecb618e5fa4658aeb97d5eb3d2f47aa94ac6477c6daf0f306c5a3b9e6b1 \ + --hash=sha256:f92f789e4f9241cd262ad7a555ca2c648a98178a953af117ef7fad46aa1d5591 +chardet==3.0.4 \ + --hash=sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae \ + --hash=sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691 +cryptography==3.2.1 \ + --hash=sha256:07ca431b788249af92764e3be9a488aa1d39a0bc3be313d826bbec690417e538 \ + --hash=sha256:13b88a0bd044b4eae1ef40e265d006e34dbcde0c2f1e15eb9896501b2d8f6c6f \ + --hash=sha256:32434673d8505b42c0de4de86da8c1620651abd24afe91ae0335597683ed1b77 \ + --hash=sha256:3cd75a683b15576cfc822c7c5742b3276e50b21a06672dc3a800a2d5da4ecd1b \ + --hash=sha256:4e7268a0ca14536fecfdf2b00297d4e407da904718658c1ff1961c713f90fd33 \ + --hash=sha256:545a8550782dda68f8cdc75a6e3bf252017aa8f75f19f5a9ca940772fc0cb56e \ + --hash=sha256:55d0b896631412b6f0c7de56e12eb3e261ac347fbaa5d5e705291a9016e5f8cb \ + --hash=sha256:5849d59358547bf789ee7e0d7a9036b2d29e9a4ddf1ce5e06bb45634f995c53e \ + --hash=sha256:6dc59630ecce8c1f558277ceb212c751d6730bd12c80ea96b4ac65637c4f55e7 \ + --hash=sha256:7117319b44ed1842c617d0a452383a5a052ec6aa726dfbaffa8b94c910444297 \ + 
--hash=sha256:75e8e6684cf0034f6bf2a97095cb95f81537b12b36a8fedf06e73050bb171c2d \ + --hash=sha256:7b8d9d8d3a9bd240f453342981f765346c87ade811519f98664519696f8e6ab7 \ + --hash=sha256:a035a10686532b0587d58a606004aa20ad895c60c4d029afa245802347fab57b \ + --hash=sha256:a4e27ed0b2504195f855b52052eadcc9795c59909c9d84314c5408687f933fc7 \ + --hash=sha256:a733671100cd26d816eed39507e585c156e4498293a907029969234e5e634bc4 \ + --hash=sha256:a75f306a16d9f9afebfbedc41c8c2351d8e61e818ba6b4c40815e2b5740bb6b8 \ + --hash=sha256:bd717aa029217b8ef94a7d21632a3bb5a4e7218a4513d2521c2a2fd63011e98b \ + --hash=sha256:d25cecbac20713a7c3bc544372d42d8eafa89799f492a43b79e1dfd650484851 \ + --hash=sha256:d26a2557d8f9122f9bf445fc7034242f4375bd4e95ecda007667540270965b13 \ + --hash=sha256:d3545829ab42a66b84a9aaabf216a4dce7f16dbc76eb69be5c302ed6b8f4a29b \ + --hash=sha256:d3d5e10be0cf2a12214ddee45c6bd203dab435e3d83b4560c03066eda600bfe3 \ + --hash=sha256:efe15aca4f64f3a7ea0c09c87826490e50ed166ce67368a68f315ea0807a20df +idna==2.10 \ + --hash=sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6 \ + --hash=sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0 +isodate==0.6.0 \ + --hash=sha256:2e364a3d5759479cdb2d37cce6b9376ea504db2ff90252a2e5b7cc89cc9ff2d8 \ + --hash=sha256:aa4d33c06640f5352aca96e4b81afd8ab3b47337cc12089822d6f322ac772c81 +msal==1.5.1 \ + --hash=sha256:7efb0256c96a7b2eadab49ce29ecdb91352a91440c12a40bed44303724b62fda \ + --hash=sha256:d84074a997e6fb2a47e22815dce376adcc8790838b6b1bf1fcea29378e2bf3eb +msal-extensions==0.2.2 \ + --hash=sha256:31414753c484679bb3b6c6401623eb4c3ccab630af215f2f78c1d5c4f8e1d1a9 \ + --hash=sha256:f092246787145ec96d6c3c9f7bedfb837830fe8a79b56180e531fbf28b8de532 +msrest==0.6.19 \ + --hash=sha256:55f8c3940bc5dc609f8cf9fcd639444716cc212a943606756272e0d0017bbb5b \ + --hash=sha256:87aa64948c3ef3dbf6f6956d2240493e68d714e4621b92b65b3c4d5808297929 +msrestazure==0.6.4 \ + 
--hash=sha256:3de50f56147ef529b31e099a982496690468ecef33f0544cb0fa0cfe1e1de5b9 \ + --hash=sha256:a06f0dabc9a6f5efe3b6add4bd8fb623aeadacf816b7a35b0f89107e0544d189 +oauthlib==3.1.0 \ + --hash=sha256:bee41cc35fcca6e988463cacc3bcb8a96224f470ca547e697b604cc697b2f889 \ + --hash=sha256:df884cd6cbe20e32633f1db1072e9356f53638e4361bef4e8b03c9127c9328ea +portalocker==1.7.1 \ + --hash=sha256:34cb36c618d88bcd9079beb36dcdc1848a3e3d92ac4eac59055bdeafc39f9d4a \ + --hash=sha256:6d6f5de5a3e68c4dd65a98ec1babb26d28ccc5e770e07b672d65d5a35e4b2d8a +pycparser==2.20 \ + --hash=sha256:2d475327684562c3a96cc71adf7dc8c4f0565175cf86b6d7a404ff4c771f15f0 \ + --hash=sha256:7582ad22678f0fcd81102833f60ef8d0e57288b6b5fb00323d101be910e35705 +PyJWT==1.7.1 \ + --hash=sha256:5c6eca3c2940464d106b99ba83b00c6add741c9becaec087fb7ccdefea71350e \ + --hash=sha256:8d59a976fb773f3e6a39c85636357c4f0e242707394cadadd9814f5cbaa20e96 +python-dateutil==2.8.1 \ + --hash=sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c \ + --hash=sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a +requests==2.24.0 \ + --hash=sha256:b3559a131db72c33ee969480840fff4bb6dd111de7dd27c8ee1f820f4f00231b \ + --hash=sha256:fe75cc94a9443b9246fc7049224f75604b113c36acb93f87b80ed42c44cbb898 +requests-oauthlib==1.3.0 \ + --hash=sha256:7f71572defaecd16372f9006f33c2ec8c077c3cfa6f5911a9a90202beb513f3d \ + --hash=sha256:b4261601a71fd721a8bd6d7aa1cc1d6a8a93b4a9f5e96626f8e4d91e8beeaa6a \ + --hash=sha256:fa6c47b933f01060936d87ae9327fead68768b69c6c9ea2109c48be30f2d4dbc +six==1.12.0 \ + --hash=sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c \ + --hash=sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73 +urllib3==1.25.11 \ + --hash=sha256:8d7eaa5a82a1cac232164990f04874c594c9453ec55eef02eab885aa02fc17a2 \ + --hash=sha256:f5321fbe4bf3fefa0efd0bfe7fb14e90909eb62a48ccda331726b4319897dd5e \ No newline at end of file 
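Review bot: adding `--hash` lines switches pip into hash-checking mode, which is all-or-nothing: every package that ends up installed, transitive dependencies included, must be pinned to an exact version and carry a hash, otherwise the install fails. The set here is the same package list as the previous constraints, so please confirm on the worker's target Python version and platform that a clean `pip install -r requirements.txt -c constraints.txt` resolves without pulling in anything unlisted. For the packages that ship platform-specific wheels (`cffi==1.14.3`, `cryptography==3.2.1`) the hash list has to include the wheel pip actually selects; a hash that is missing or does not match is a hard error, pip does not fall back to another distribution. It would also help to note in the README how these hashes were generated (for example with `pip-compile --generate-hashes`) so they can be regenerated instead of hand-edited when a version is bumped.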
diff --git a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements-dev.txt b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements-dev.txt index c7db384..e04c936 100644 --- a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements-dev.txt +++ b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements-dev.txt 
@@ -1,13 +1,33 @@ -r requirements.txt -c constraints.txt -importlib-metadata==2.0.0 -iniconfig==1.1.1 -mock==4.0.2 -packaging==20.4 -pluggy==0.13.1 -py==1.9.0 -pyparsing==2.4.7 -pytest==6.1.2 -toml==0.10.1 -zipp==3.4.0 \ No newline at end of file +importlib-metadata==2.0.0 \ + --hash=sha256:77a540690e24b0305878c37ffd421785a6f7e53c8b5720d211b211de8d0e95da \ + --hash=sha256:cefa1a2f919b866c5beb7c9f7b0ebb4061f30a8a9bf16d609b000e2dfaceb9c3 +iniconfig==1.1.1 \ + --hash=sha256:011e24c64b7f47f6ebd835bb12a743f2fbe9a26d4cecaa7f53bc4f35ee9da8b3 \ + --hash=sha256:bc3af051d7d14b2ee5ef9969666def0cd1a000e121eaea580d4a313df4b37f32 +mock==4.0.2 \ + --hash=sha256:3f9b2c0196c60d21838f307f5825a7b86b678cedc58ab9e50a8988187b4d81e0 \ + --hash=sha256:dd33eb70232b6118298d516bbcecd26704689c386594f0f3c4f13867b2c56f72 +packaging==20.4 \ + --hash=sha256:4357f74f47b9c12db93624a82154e9b120fa8293699949152b22065d556079f8 \ + --hash=sha256:998416ba6962ae7fbd6596850b80e17859a5753ba17c32284f67bfff33784181 +pluggy==0.13.1 \ + --hash=sha256:15b2acde666561e1298d71b523007ed7364de07029219b604cf808bfa1c765b0 \ + --hash=sha256:966c145cd83c96502c3c3868f50408687b38434af77734af1e9ca461a4081d2d +py==1.9.0 \ + --hash=sha256:366389d1db726cd2fcfc79732e75410e5fe4d31db13692115529d34069a043c2 \ + --hash=sha256:9ca6883ce56b4e8da7e79ac18787889fa5206c79dcc67fb065376cd2fe03f342 +pyparsing==2.4.7 \ + --hash=sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1 \ + --hash=sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b +pytest==6.1.2 \ + --hash=sha256:4288fed0d9153d9646bfcdf0c0428197dba1ecb27a33bb6e031d002fa88653fe \ + --hash=sha256:c0a7e94a8cdbc5422a51ccdad8e6f1024795939cc89159a0ae7f0b316ad3823e +toml==0.10.1 \ + --hash=sha256:926b612be1e5ce0634a2ca03470f95169cf16f939018233a670519cb4ac58b0f \ + --hash=sha256:bda89d5935c2eac546d648028b9901107a595863cb36bae0c73ac804a9b4ce88 +zipp==3.4.0 \ + --hash=sha256:102c24ef8f171fd729d46599845e95c7ab894a4cf45f5de11a44cc7444fb1108 \ + 
--hash=sha256:ed5eee1974372595f9e416cc7bbeeb12335201d8081ca8a0743c954d4446e5cb \ No newline at end of file diff --git a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements.txt b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements.txt index 747aad9..ecacd75 100644 --- a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements.txt +++ b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements.txt @@ -1,2 +1,5 @@ -azure-identity==1.4.1 -azure-mgmt-network==16.0.0 \ No newline at end of file +azure-identity==1.4.1 \ + --hash=sha256:6f95b3505fc134ad16bd16da053456e1933188ac43161704d48ddb4edebf72c9 \ --hash=sha256:7b071089faf0789059ac24052e311e2b096a002c173d42b96896db09c6e2ba5d +azure-mgmt-network==16.0.0 \ + --hash=sha256:6159a8c44590cc58841690c27c7d4acb0cd9ad0a1e5178c1d35e0f48e3c3c0e9 \ + --hash=sha256:c0e8358e9d530790dbf3efef6b31bce26e664de5096cbd84c62845067da815d1 \ No newline at end of file From 2e546d4eef407210aaccbe25cfd7cecf938f1c04 Mon Sep 17 00:00:00 2001 From: Shrutika Kulkarni Date: Tue, 10 Nov 2020 17:06:22 +0530 Subject: [PATCH 6/9] Pre-commit changes added --- .../README.md | 8 +- ..._security_center_enable_ddos_protection.py | 223 +++++++++--------- .../constraints.txt | 2 +- .../minimum_permissions.json | 2 +- .../requirements-dev.txt | 2 +- .../requirements.txt | 5 +- ..._security_center_enable_ddos_protection.py | 30 ++- 7 files changed, 150 insertions(+), 122 deletions(-) diff --git a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/README.md b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/README.md index 66e017b..a33f4a1 100644 --- a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/README.md +++ b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/README.md 
@@ -12,13 +12,13 @@ DDos protection is enabled for virtual network ## Getting Started ### Prerequisites -The provided Azure service principal must have the following permissions: +The provided Azure service principal must have the following permissions: `Microsoft.Network/virtualNetworks/read` `Microsoft.Network/virtualNetworks/write` -`Microsoft.Network/ddosProtectionPlans/read` +`Microsoft.Network/ddosProtectionPlans/read` `Microsoft.Network/ddosProtectionPlans/join/action` -A sample role with requisite permissions can be found [here](minimum_policy.json) +A sample role with requisite permissions can be found [here](minimum_permissions.json) More information about already builtin roles and permissions can be found [here](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles) @@ -60,4 +60,4 @@ We use SemVer for versioning. For the versions available, see the tags on this r See also the list of [contributors](https://github.com/vmware-samples/secure-state-remediation-jobs/graphs/contributors) who participated in this project. ## License -This project is licensed under the Apache License - see the [LICENSE](https://github.com/vmware-samples/secure-state-remediation-jobs/blob/master/LICENSE.txt) file for details \ No newline at end of file +This project is licensed under the Apache License - see the [LICENSE](https://github.com/vmware-samples/secure-state-remediation-jobs/blob/master/LICENSE.txt) file for details diff --git a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/azure_security_center_enable_ddos_protection.py b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/azure_security_center_enable_ddos_protection.py index 5835284..54fe07e 100644 --- a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/azure_security_center_enable_ddos_protection.py +++ b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/azure_security_center_enable_ddos_protection.py 
@@ -25,117 +25,130 @@ logging.basicConfig(level=logging.INFO) + class VirtualNetworkEnableDdosProtection(object): - def parse(self, payload): - """Parse payload received from Remediation Service. + def parse(self, payload): + """Parse payload received from Remediation Service. :param payload: JSON string containing parameters received from the remediation service. :type payload: str. :returns: Dictionary of parsed parameters :rtype: dict :raises: KeyError, JSONDecodeError """ - remediation_entry = json.loads(payload) - - object_id = remediation_entry["notificationInfo"]["FindingInfo"]["ObjectId"] - - region = remediation_entry["notificationInfo"]["FindingInfo"]["Region"] - - object_chain = remediation_entry["notificationInfo"]["FindingInfo"]["ObjectChain"] - - object_chain_dict = json.loads(object_chain) - subscription_id = object_chain_dict["cloudAccountId"] - - properties = object_chain_dict["properties"] - resource_group_name = "" - for property in properties: - if property["name"] == "ResourceGroup" and property["type"] == "string": - resource_group_name = property["stringV"] - break - - logging.info("parsed params") - logging.info(f" resource_group_name: {resource_group_name}") - logging.info(f" virtual_network_name: {object_id}") - logging.info(f" subscription_id: {subscription_id}") - logging.info(f" region: {region}") - return { - "resource_group_name": resource_group_name, - "virtual_network_name": object_id, - "subscription_id": subscription_id, - "region": region, - } - - def remediate(self, client, resource_group_name, virtual_network_name, subscription_id): - """Enable DDos protection for a Virtual Network - :param client: Instance of the Azure NetworkManagementClient. - :param resource_group_name: The name of the resource group to which the virtual network belongs - :param virtual_network_name: The name of the Virtual Network. You must specify the vnet name in the request. - :param subscription_id: The Subscription ID of the user. 
- :type resource_group_name: str. - :type virtual_network_name: str. - :returns: Integer signaling success or failure - :rtype: int - :raises: msrestazure.azure_exceptions.CloudError - """ - - ddos_plans_paged: ItemPaged[DdosProtectionPlanListResult] = client.ddos_protection_plans.list() - ddos_plans_list: List[dict] = list(ddos_plans_paged) - number_of_ddos: int = len(ddos_plans_list) - print(number_of_ddos) - - if number_of_ddos > 0: - resource_id = ddos_plans_list[0].id - logging.info(f" Resource ID of Azure DDos Protection Plan={resource_id}") - else: - logging.error(f" Azure cloud user with subscription ID: {subscription_id} has no active Azure DDos protection plan available") - return 1 - - virtual_network = client.virtual_networks.get( - resource_group_name=resource_group_name, - virtual_network_name=virtual_network_name, - ) - - virtual_network.enable_ddos_protection = True - - updated_SubResource = SubResource(id = resource_id) - - virtual_network.ddos_protection_plan = updated_SubResource - - logging.info("Enabling DDos protection for Virtual Network") - try: - logging.info(" executing client.virtual_networks.begin_create_or_update") - logging.info(f" resource_group_name={resource_group_name}") - logging.info(f" virtual_network_name={virtual_network_name}") - - client.virtual_networks.begin_create_or_update( - resource_group_name=resource_group_name, - virtual_network_name=virtual_network_name, - parameters=virtual_network, - ) - except Exception as e: - logging.error(f"{str(e)}") - raise - return 0 - - def run(self, args): - """Run the remediation job. - :param args: List of arguments provided to the job. - :type args: list. 
- :returns: int - """ - params = self.parse(args[1]) - - credentials = ClientSecretCredential( - client_id=os.environ.get("AZURE_CLIENT_ID"), - client_secret=os.environ.get("AZURE_CLIENT_SECRET"), - tenant_id=os.environ.get("AZURE_TENANT_ID"), - ) - - client = NetworkManagementClient(credentials, params["subscription_id"]) - return self.remediate( - client, - params["resource_group_name"], - params["virtual_network_name"], - ) + remediation_entry = json.loads(payload) + + object_id = remediation_entry["notificationInfo"]["FindingInfo"]["ObjectId"] + + region = remediation_entry["notificationInfo"]["FindingInfo"]["Region"] + + object_chain = remediation_entry["notificationInfo"]["FindingInfo"][ + "ObjectChain" + ] + + object_chain_dict = json.loads(object_chain) + subscription_id = object_chain_dict["cloudAccountId"] + + properties = object_chain_dict["properties"] + resource_group_name = "" + for property in properties: + if property["name"] == "ResourceGroup" and property["type"] == "string": + resource_group_name = property["stringV"] + break + + logging.info("parsed params") + logging.info(f" resource_group_name: {resource_group_name}") + logging.info(f" virtual_network_name: {object_id}") + logging.info(f" subscription_id: {subscription_id}") + logging.info(f" region: {region}") + return { + "resource_group_name": resource_group_name, + "virtual_network_name": object_id, + "subscription_id": subscription_id, + "region": region, + } + + def remediate( + self, client, resource_group_name, virtual_network_name, subscription_id + ): + """Enable DDos protection for a Virtual Network + :param client: Instance of the Azure NetworkManagementClient. + :param resource_group_name: The name of the resource group to which the virtual network belongs. + :param virtual_network_name: The name of the Virtual Network. + :param subscription_id: The Subscription ID of the user. + :type resource_group_name: str. + :type virtual_network_name: str. 
+ :returns: Integer signaling success or failure + :rtype: int + :raises: msrestazure.azure_exceptions.CloudError + """ + + ddos_plans_paged: ItemPaged[ + DdosProtectionPlanListResult + ] = client.ddos_protection_plans.list() + ddos_plans_list: List[dict] = list(ddos_plans_paged) + number_of_ddos: int = len(ddos_plans_list) + + if number_of_ddos > 0: + resource_id = ddos_plans_list[0].id + logging.info( + f" Resource ID of Azure DDos Protection Plan={resource_id}" + ) + else: + logging.error( + f" Azure cloud user with subscription ID: {subscription_id} has no active Azure DDos protection plan available" + ) + return 1 + + virtual_network = client.virtual_networks.get( + resource_group_name=resource_group_name, + virtual_network_name=virtual_network_name, + ) + + # Enabling DDoS Protection + virtual_network.enable_ddos_protection = True + + updated_SubResource = SubResource(id=resource_id) + + virtual_network.ddos_protection_plan = updated_SubResource + + logging.info("Enabling DDos protection for Virtual Network") + try: + logging.info(" executing client.virtual_networks.begin_create_or_update") + logging.info(f" resource_group_name={resource_group_name}") + logging.info(f" virtual_network_name={virtual_network_name}") + + client.virtual_networks.begin_create_or_update( + resource_group_name=resource_group_name, + virtual_network_name=virtual_network_name, + parameters=virtual_network, + ) + except Exception as e: + logging.error(f"{str(e)}") + raise + return 0 + + def run(self, args): + """Run the remediation job. + :param args: List of arguments provided to the job. + :type args: list. 
+ :returns: int + """ + params = self.parse(args[1]) + + credentials = ClientSecretCredential( + client_id=os.environ.get("AZURE_CLIENT_ID"), + client_secret=os.environ.get("AZURE_CLIENT_SECRET"), + tenant_id=os.environ.get("AZURE_TENANT_ID"), + ) + + client = NetworkManagementClient(credentials, params["subscription_id"]) + return self.remediate( + client, + params["resource_group_name"], + params["virtual_network_name"], + params["subscription_id"], + ) + if __name__ == "__main__": - sys.exit(VirtualNetworkEnableDdosProtection().run(sys.argv)) \ No newline at end of file + sys.exit(VirtualNetworkEnableDdosProtection().run(sys.argv)) diff --git a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/constraints.txt b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/constraints.txt index 5c198ec..4ef01d4 100644 --- a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/constraints.txt +++ b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/constraints.txt @@ -127,4 +127,4 @@ six==1.12.0 \ --hash=sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73 urllib3==1.25.11 \ --hash=sha256:8d7eaa5a82a1cac232164990f04874c594c9453ec55eef02eab885aa02fc17a2 \ - --hash=sha256:f5321fbe4bf3fefa0efd0bfe7fb14e90909eb62a48ccda331726b4319897dd5e \ No newline at end of file + --hash=sha256:f5321fbe4bf3fefa0efd0bfe7fb14e90909eb62a48ccda331726b4319897dd5e diff --git a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/minimum_permissions.json b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/minimum_permissions.json index 789afd2..783e9b2 100644 --- a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/minimum_permissions.json +++ b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/minimum_permissions.json @@ -18,4 +18,4 @@ } ] } -} \ No newline at end of file +} 
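Review bot: `client.virtual_networks.begin_create_or_update(...)` returns a poller and `remediate()` returns 0 as soon as the request has been accepted, so a failure of the long-running operation itself (for example a rejected plan association) is never observed or logged; call `.result()` on the returned poller inside the existing `try` block before reporting success. Two smaller points in the same function: `ddos_plans_list: List[dict]` is mislabelled, the items are plan model objects, not dicts (the code reads `.id` from them), and `region` is parsed and logged in `parse()` but never used by `remediate()`. Finally, `client.ddos_protection_plans.list()` enumerates plans across the whole subscription, so the `Microsoft.Network/ddosProtectionPlans/read` permission listed in the README must be granted at subscription scope rather than only on the virtual network's resource group, and `ddos_plans_list[0]` binds the network to whichever plan the API happens to return first; when more than one plan exists, consider making the choice explicit (a job parameter or a tag on the plan) so the remediation is deterministic.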
diff --git a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements-dev.txt b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements-dev.txt index e04c936..0c3049a 100644 --- a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements-dev.txt +++ b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements-dev.txt @@ -30,4 +30,4 @@ toml==0.10.1 \ --hash=sha256:bda89d5935c2eac546d648028b9901107a595863cb36bae0c73ac804a9b4ce88 zipp==3.4.0 \ --hash=sha256:102c24ef8f171fd729d46599845e95c7ab894a4cf45f5de11a44cc7444fb1108 \ - --hash=sha256:ed5eee1974372595f9e416cc7bbeeb12335201d8081ca8a0743c954d4446e5cb \ No newline at end of file + --hash=sha256:ed5eee1974372595f9e416cc7bbeeb12335201d8081ca8a0743c954d4446e5cb diff --git a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements.txt b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements.txt index ecacd75..842d033 100644 --- a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements.txt +++ b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements.txt @@ -1,5 +1,6 @@ azure-identity==1.4.1 \ - --hash=sha256:6f95b3505fc134ad16bd16da053456e1933188ac43161704d48ddb4edebf72c9 \ --hash=sha256:7b071089faf0789059ac24052e311e2b096a002c173d42b96896db09c6e2ba5d + --hash=sha256:6f95b3505fc134ad16bd16da053456e1933188ac43161704d48ddb4edebf72c9 \ + --hash=sha256:7b071089faf0789059ac24052e311e2b096a002c173d42b96896db09c6e2ba5d azure-mgmt-network==16.0.0 \ --hash=sha256:6159a8c44590cc58841690c27c7d4acb0cd9ad0a1e5178c1d35e0f48e3c3c0e9 \ - --hash=sha256:c0e8358e9d530790dbf3efef6b31bce26e664de5096cbd84c62845067da815d1 \ No newline at end of file + --hash=sha256:c0e8358e9d530790dbf3efef6b31bce26e664de5096cbd84c62845067da815d1 
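Review bot: this corrects the `azure-identity` entry from the previous patch in this series, where both `--hash` options sat on one physical line with a `\` in the middle, which is not a well-formed requirements entry. Since the tox environments install `requirements-dev.txt` (which pulls in `requirements.txt`), a malformed hash line should fail the tox run; it would be worth running that install step in CI for every job directory so this class of mistake is caught before review.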
diff --git a/test/unit/test_azure_security_center_enable_ddos_protection.py b/test/unit/test_azure_security_center_enable_ddos_protection.py index 700129c..8645f4e 100644 --- a/test/unit/test_azure_security_center_enable_ddos_protection.py +++ b/test/unit/test_azure_security_center_enable_ddos_protection.py 
@@ -14,30 +14,30 @@ import pytest from mock import Mock -from typing import List -from azure.mgmt.network.models import DdosProtectionPlanListResult, SubResource from remediation_worker.jobs.azure_security_center_enable_ddos_protection.azure_security_center_enable_ddos_protection import ( VirtualNetworkEnableDdosProtection, ) + @pytest.fixture def valid_payload(): return """ { "notificationInfo": { - "RuleId": "5c6cc5e103dcc90f363146cd", + "RuleId": "3abf3147-ea53-4302-b237-caab4d764c77", "Service": "Network", "FindingInfo": { "FindingId": "d0431afd-b82e-4021-8aa6-ba3cf5c60ef7", "ObjectId": "vnet_name", - "ObjectChain": "{\\"cloudAccountId\\":\\"subscription_id\\",\\"entityId\\":\\"Azure.Network.d687b1a3-9b78-43b1-a17b-7de297fd1fce.resource_group_name.Network.virtual_network_name\\",\\"entityName\\":\\"virtual_network_name\\",\\"entityType\\":\\"Azure.Network.virtualnetwork\\",\\"lastUpdateTime\\":\\"2020-09-09T00:36:35.000Z\\",\\"partitionKey\\":\\"d687b1a3-9b78-43b1-a17b-7de297fd1fce\\",\\"provider\\":\\"Azure\\",\\"region\\":\\"eastus\\",\\"service\\":\\"Network\\", \\"properties\\":[{\\"name\\":\\"ResourceGroup\\",\\"stringV\\":\\"resource_group_name\\",\\"type\\":\\"string\\"}]}", + "ObjectChain": "{\\"cloudAccountId\\":\\"subscription_id\\",\\"entityId\\":\\"Azure.Network.d687b1a3-9b78-43b1-a17b-7de297fd1fce.resource_group_name.network.virtual_network_name\\",\\"entityName\\":\\"virtual_network_name\\",\\"entityType\\":\\"Azure.Network.virtualnetwork\\",\\"lastUpdateTime\\":\\"2020-09-09T00:36:35.000Z\\",\\"partitionKey\\":\\"d687b1a3-9b78-43b1-a17b-7de297fd1fce\\",\\"provider\\":\\"Azure\\",\\"region\\":\\"eastus\\",\\"service\\":\\"Network\\",\\"properties\\":[{\\"name\\":\\"ResourceGroup\\",\\"stringV\\":\\"resource_group_name\\",\\"type\\":\\"string\\"}]}", "Region": "region" } } } """ -class TestBlobRemovePublicAccess(object): + +class TestEnableDdosProtection(object): def test_parse_payload(self, valid_payload): params = 
VirtualNetworkEnableDdosProtection().parse(valid_payload) assert params["virtual_network_name"] == "vnet_name" @@ -53,18 +53,32 @@ def test_remediate_success(self): ddos_plans_list.append(DdosProtectionPlanListResult) client.ddos_protection_plans.list.return_value = ddos_plans_list assert ( - action.remediate(client, "resource_group", "virtual_network_name", "subscription_id") + action.remediate( + client, "resource_group", "virtual_network_name", "subscription_id" + ) == 0 ) assert client.virtual_networks.begin_create_or_update.call_count == 1 call_args = client.virtual_networks.begin_create_or_update.call_args updated_vnet = call_args[1]["parameters"] - assert updated_vnet.enable_ddos_protection == True + assert updated_vnet.enable_ddos_protection is True + + def test_remediate_failure(self): + client = Mock() + action = VirtualNetworkEnableDdosProtection() + ddos_plans_list = [] + client.ddos_protection_plans.list.return_value = ddos_plans_list + assert ( + action.remediate( + client, "resource_group", "virtual_network_name", "subscription_id" + ) + == 1 + ) def test_remediate_with_exception(self): client = Mock() client.virtual_networks.begin_create_or_update.side_effect = Exception action = VirtualNetworkEnableDdosProtection() with pytest.raises(Exception): - assert action.remediate(client, "security_group_id", "resource_group") \ No newline at end of file + assert action.remediate(client, "security_group_id", "resource_group") From a320a1957bb34118e1a13295d1f7269159193932 Mon Sep 17 00:00:00 2001 From: Shrutika Kulkarni Date: Wed, 11 Nov 2020 23:23:43 +0530 Subject: [PATCH 7/9] Made changes in README.md --- .../azure_security_center_enable_ddos_protection/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/README.md b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/README.md index a33f4a1..26d5e07 100644 
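Review bot: `test_remediate_with_exception` no longer exercises what its name says: `remediate()` now takes four positional arguments after `self`, but the test still calls it with three (`client, "security_group_id", "resource_group"`, names evidently copied from another job), so the call fails with `TypeError` before `begin_create_or_update` is ever reached, and `pytest.raises(Exception)` swallows that instead of the configured side effect. Set `client.ddos_protection_plans.list.return_value` to a one-plan list, pass a fourth `"subscription_id"` argument, and use a specific exception class for the side effect (for example `RuntimeError`) together with `pytest.raises(RuntimeError)` so the test can only pass for the intended reason. Separately, this hunk removes the `from azure.mgmt.network.models import DdosProtectionPlanListResult, SubResource` import while the unchanged context line `ddos_plans_list.append(DdosProtectionPlanListResult)` in `test_remediate_success` still references that name; unless it is defined elsewhere in the file, that test now raises `NameError`.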
--- a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/README.md +++ b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/README.md @@ -1,6 +1,6 @@ # Enable DDoS protection for Virtual Network -This job enables DDos protection for a virtual network by listing all the available DDoS protection plans and assigning any one to the virtual network. +This job enables DDoS protection for a virtual network by listing all the available DDoS protection plans and assigning any one to the virtual network. ### Applicable Rule @@ -8,7 +8,7 @@ This job enables DDos protection for a virtual network by listing all the availa 3abf3147-ea53-4302-b237-caab4d764c77 ##### Rule Name: -DDos protection is enabled for virtual network +DDoS Protection Standard should be enabled ## Getting Started ### Prerequisites From b8837aa7aef5ac6ae80f896c07cc5146589089ba Mon Sep 17 00:00:00 2001 From: Shrutika Kulkarni Date: Thu, 12 Nov 2020 00:43:51 +0530 Subject: [PATCH 8/9] Added the unit test in tox.ini --- tox.ini | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tox.ini b/tox.ini index 45dcf7e..a19d93c 100644 --- a/tox.ini +++ b/tox.ini @@ -17,6 +17,7 @@ envlist = unit-azure-vm-close-port-22 unit-azure-blob-remove-public-access unit-azure-storage-allow-only-https + unit-azure-security-center-enable-ddos-protection [testenv] passenv = 
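Review bot: the corrected first line of this hunk still says the job assigns "any one" of the available DDoS protection plans; the README should state which plan is selected when several exist and what happens when none exist (the unit test added alongside this change expects `remediate()` to return 1 on an empty plan list, so the job fails rather than creating a plan). Since the plan chosen determines which subscription-level resource the virtual network is bound to, spelling out the selection rule lets operators predict the effect of a remediation.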
@@ -125,3 +126,9 @@ description = Unit test the project changedir = test commands = pytest --capture=no --basetemp="{envtmpdir}" unit/test_azure_storage_account_allow_https_traffic_only.py deps = -r remediation_worker/jobs/azure_storage_account_allow_https_traffic_only/requirements-dev.txt + +[testenv:unit-azure-security-center-enable-ddos-protection] +description = Unit test the project +changedir = test +commands = pytest --capture=no --basetemp="{envtmpdir}" unit/test_azure_security_center_enable_ddos_protection.py +deps = -r remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements-dev.txt \ No newline at end of file From e4e5ea55e4bb8fad8dfd2b808dbd46b36d102f4b Mon Sep 17 00:00:00 2001 From: Mohammad Zuber Khan Date: Mon, 16 Nov 2020 23:49:22 -0800 Subject: [PATCH 9/9] fix requirements-dev.txt for tox run --- .../requirements-dev.txt | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements-dev.txt b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements-dev.txt index 0c3049a..594637e 100644 --- a/remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements-dev.txt +++ b/remediation_worker/jobs/azure_security_center_enable_ddos_protection/requirements-dev.txt 
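Review bot: the new `[testenv:unit-azure-security-center-enable-ddos-protection]` block ends with `\ No newline at end of file`; add the trailing newline so the next testenv appended to `tox.ini` is not glued onto the `deps` line. `description = Unit test the project` is copied from the block above; a description naming the DDoS protection job would make tox's environment listing more useful.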
@@ -2,8 +2,11 @@ -c constraints.txt importlib-metadata==2.0.0 \ - --hash=sha256:77a540690e24b0305878c37ffd421785a6f7e53c8b5720d211b211de8d0e95da \ + --hash=sha256:77a540690e24b0305878c37ffd421785a6f7e53c8b5720d211b211de8d0e95da \ --hash=sha256:cefa1a2f919b866c5beb7c9f7b0ebb4061f30a8a9bf16d609b000e2dfaceb9c3 +attrs==20.1.0 \ + --hash=sha256:0ef97238856430dcf9228e07f316aefc17e8939fc8507e18c6501b761ef1a42a \ + --hash=sha256:2867b7b9f8326499ab5b0e2d12801fa5c98842d2cbd22b35112ae04bf85b4dff iniconfig==1.1.1 \ --hash=sha256:011e24c64b7f47f6ebd835bb12a743f2fbe9a26d4cecaa7f53bc4f35ee9da8b3 \ --hash=sha256:bc3af051d7d14b2ee5ef9969666def0cd1a000e121eaea580d4a313df4b37f32
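Review bot: the `-`/`+` pair for the first `importlib-metadata` hash (`--hash=sha256:77a540690e24b0305878c37ffd421785a6f7e53c8b5720d211b211de8d0e95da \`) differs only in whitespace, which is presumably the line-continuation fix the commit title refers to; confirm with whitespace-visible diff output that the hash value itself is unchanged. For the new `attrs==20.1.0` pin, check that `constraints.txt` (pulled in by `-c constraints.txt` at the top of the hunk) does not pin `attrs` to another version, since pip will refuse a hash-pinned requirement that conflicts with the constraints file, and take both sha256 values from the published release artifacts so the hash check continues to protect the tox run.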