Merge pull request #1682 from abdullahaslam306/feature/SAAS-18217-azu…

…re-acr-log-analytics-enabled Feature/saas 18217 azure acr log analytics enabled
aquasecurity · Aug 3, 2023 · 4c5a7a3 · 4c5a7a3
2 parents 1042122 + e842d08
commit 4c5a7a3
Show file tree

Hide file tree

Showing 4 changed files with 222 additions and 0 deletions.
diff --git a/exports.js b/exports.js
@@ -906,6 +906,7 @@ module.exports = {
         'acrHasTags'                    : require(__dirname + '/plugins/azure/containerregistry/acrHasTags.js'),
         'acrPublicAccess'               : require(__dirname + '/plugins/azure/containerregistry/acrPublicAccess.js'),
         'acrCMKEncryption'              : require(__dirname + '/plugins/azure/containerregistry/acrCMKEncryption.js'),
+        'acrLogAnalyticsEnabled'        : require(__dirname + '/plugins/azure/containerregistry/acrLogAnalyticsEnabled.js'),
         'acrAnonymousPullAccessEnabled' : require(__dirname + '/plugins/azure/containerregistry/acrAnonymousPullAccessEnabled.js'),
 
         'endpointLoggingEnabled'        : require(__dirname + '/plugins/azure/cdnprofiles/endpointLoggingEnabled.js'),

diff --git a/helpers/azure/api.js b/helpers/azure/api.js
@@ -899,6 +899,11 @@ var tertiarycalls = {
             reliesOnPath: 'networkSecurityGroups.listAll',
             properties: ['id'],
             url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2017-05-01-preview'
+        },
+        listByContainerRegistries: {
+            reliesOnPath: 'registries.list',
+            properties: ['id'],
+            url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview'
         }
     },
     backupShortTermRetentionPolicies: {

diff --git a/plugins/azure/containerregistry/acrLogAnalyticsEnabled.js b/plugins/azure/containerregistry/acrLogAnalyticsEnabled.js
@@ -0,0 +1,61 @@
+const async = require('async');
+const helpers = require('../../../helpers/azure');
+
+module.exports = {
+    title: 'ACR Log Analytics Enabled',
+    category: 'Container Registry',
+    domain: 'Containers',
+    description: 'Ensure that Azure container registry logs are sent to the Log Analytics workspace.',
+    more_info: 'Enabling Log Analytics for Azure container registry ensures that logs are shipped to a central repository that can be queried and audited.',
+    recommended_action: 'Modify container registry and enable Send to Log Analytics from diagnostic settings.',
+    link: 'https://learn.microsoft.com/en-us/azure/container-registry/monitor-service',
+    apis: ['registries:list', 'diagnosticSettings:listByContainerRegistries'],
+
+    run: function(cache, settings, callback) {
+        const results = [];
+        const source = {};
+        const locations = helpers.locations(settings.govcloud);
+
+        async.each(locations.registries, (location, rcb) => {
+            const registries = helpers.addSource(cache, source,
+                ['registries', 'list', location]);
+
+            if (!registries) return rcb();
+
+            if (registries.err || !registries.data) {
+                helpers.addResult(results, 3,
+                    'Unable to query for container registries: ' + helpers.addError(registries), location);
+                return rcb();
+            }
+
+            if (!registries.data.length) {
+                helpers.addResult(results, 0, 'No existing container registries found', location);
+                return rcb();
+            }
+
+            for (let registry of registries.data) {
+                const diagnosticSettings = helpers.addSource(cache, source,
+                    ['diagnosticSettings', 'listByContainerRegistries', location, registry.id]);
+
+                if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) {
+                    helpers.addResult(results, 3,
+                        'Unable to query diagnostics settings: ' + helpers.addError(diagnosticSettings), location, registry.id);
+                } else if (!diagnosticSettings.data.length) {
+                    helpers.addResult(results, 2, 'No existing diagnostics settings', location, registry.id);
+                } else {  
+                    let found = diagnosticSettings.data.find(ds => ds.logs && ds.logs.length);
+
+                    if (found) {
+                        helpers.addResult(results, 0, 'Logging is enabled for container registry', location, registry.id);
+                    } else {
+                        helpers.addResult(results, 2, 'Logging is not enabled for container registry', location, registry.id);
+                    }
+                }
+            }
+
+            rcb();
+        }, function() {
+            callback(null, results, source);
+        });
+    }
+};
diff --git a/plugins/azure/containerregistry/acrLogAnalyticsEnabled.spec.js b/plugins/azure/containerregistry/acrLogAnalyticsEnabled.spec.js
@@ -0,0 +1,155 @@
+var expect = require('chai').expect;
+var acrLogAnalyticsEnabled = require('./acrLogAnalyticsEnabled');
+
+const containerRegistries = [
+   {
+        "id": "/subscriptions/ade0e01e-f9cd-49d3-bba7-d5a5362a3414/resourceGroups/devresourcegroup/providers/Microsoft.ContainerRegistry/registries/testregistry12543",
+        "name": "testregistry12543",
+        "type": "Microsoft.ContainerRegistry/registries",
+        "location": "eastus",
+        "tags": {},
+        "sku": {
+            "name": "Basic",
+            "tier": "Basic"
+        },
+        "loginServer": "testregistry12543.azurecr.io",
+        "creationDate": "2019-10-18T21:16:01.347Z",
+        "provisioningState": "Succeeded",
+        "adminUserEnabled": true,
+        "publicNetworkAccess": "Enabled"
+    }
+];
+
+const diagnosticSettings = [
+  {
+    id: '/subscriptions/dce7d0ad-ebf6-437f-a3b0-28fc0d22117e/resourcegroups/devresourcegroup/providers/Microsoft.ContainerRegistry/registries/gio-test-events-1-nsg/providers/microsoft.insights/diagnosticSettings/gio-test-setting',
+    type: 'Microsoft.Insights/diagnosticSettings',
+    name: 'gio-test-setting',
+    location: 'eastus',
+    kind: null,
+    tags: null,
+    identity: null,
+    storageAccountId: null,
+    serviceBusRuleId: null,
+    workspaceId: '/subscriptions/dce7d0ad-ebf6-437f-a3b0-28fc0d22117e/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-dce7d0ad-ebf6-437f-a3b0-28fc0d22117e-eus',
+    eventHubAuthorizationRuleId: null,
+    eventHubName: null,
+    metrics: [],
+    logs: [
+      {
+        category: 'NetworkSecurityGroupEvent',
+        categoryGroup: null,
+        enabled: true,
+        retentionPolicy: [Object]
+      },
+      {
+        category: 'NetworkSecurityGroupRuleCounter',
+        categoryGroup: null,
+        enabled: true,
+        retentionPolicy: [Object]
+      }
+    ],
+    logAnalyticsDestinationType: null
+  },
+  {
+    id: '/subscriptions/dce7d0ad-ebf6-437f-a3b0-28fc0d22117e/resourcegroups/deleteasap/providers/microsoft.network/networksecuritygroups/gio-test-events-1-nsg/providers/microsoft.insights/diagnosticSettings/gio-test-setting',
+    type: 'Microsoft.Insights/diagnosticSettings',
+    name: 'gio-test-setting',
+    location: 'eastus',
+    kind: null,
+    tags: null,
+    identity: null,
+    storageAccountId: null,
+    serviceBusRuleId: null,
+    workspaceId: '/subscriptions/dce7d0ad-ebf6-437f-a3b0-28fc0d22117e/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-dce7d0ad-ebf6-437f-a3b0-28fc0d22117e-eus',
+    eventHubAuthorizationRuleId: null,
+    eventHubName: null,
+    metrics: [],
+    logs: [],
+    logAnalyticsDestinationType: null
+  }
+];
+
+
+const createCache = (listRegistries, diagnosticSetting) => {
+    let logs = {};
+    if (listRegistries && listRegistries.length > 0) {
+        logs[listRegistries[0].id] = {
+            data: diagnosticSetting
+        };
+    }
+
+    return {
+        registries: {
+            list: {
+                'eastus': {
+                    data: listRegistries
+                }
+            }
+        },
+        diagnosticSettings: {
+          listByContainerRegistries: {
+                'eastus': logs
+            }
+        }
+    };
+};
+
+describe('acrLogAnalyticsEnabled', function() {
+    describe('run', function() {
+        it('should give passing result if No existing container registry found', function(done) {
+            const cache = createCache([], []);
+            acrLogAnalyticsEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('No existing container registries found');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give Failing result if No existing diagnostics settings', function(done) {
+            const cache = createCache([containerRegistries[0]],[]);
+            acrLogAnalyticsEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].message).to.include('No existing diagnostics settings');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give unknown result if Unable to query for container registry Groups', function(done) {
+            const cache = createCache(null);
+            acrLogAnalyticsEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].message).to.include('Unable to query for container registries:');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give passing result if Log Analytics is enabled for ACR', function(done) {
+            const cache = createCache([containerRegistries[0]], [diagnosticSettings[0]]);
+            acrLogAnalyticsEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('Logging is enabled for container registry');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give failing result if Log Analytics is not enabled for ACR', function(done) {
+            const cache = createCache([containerRegistries[0]], [diagnosticSettings[1]]);
+            acrLogAnalyticsEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].message).to.include('Logging is not enabled for container registry');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+    });
+});