Addition of azure tests

CI workflow rename
elastic · Dec 31, 2023 · 7400ad7 · 7400ad7
1 parent e6872d7
commit 7400ad7
Show file tree

Hide file tree

Showing 21 changed files with 1,372 additions and 0 deletions.
diff --git a/.github/workflows/azure-ci.yml b/.github/workflows/azure-ci.yml
@@ -0,0 +1,72 @@
+name: CIS-AZURE-CI
+
+on:
+  pull_request_target:
+    branches:
+      - main
+      - "[0-9]+.[0-9]+"
+    types: [opened, synchronize, reopened]
+
+jobs:
+  Run-CSPM-AZURE-Tests:
+    name: CIS AZURE integration test
+    if: false
+    runs-on: ubuntu-22.04
+    timeout-minutes: 60
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+
+      - name: Init Hermit
+        run: ./bin/hermit env -r >> $GITHUB_ENV
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.9'
+
+      - name: Install Poetry
+        run: |
+          curl -sSL https://install.python-poetry.org | python3 -
+          poetry --version
+
+      - name: Build cloudbeat binary
+        uses: magefile/mage-action@v3
+        with:
+          version: latest
+          args: build
+
+      - name: Run Elasticsearch
+        uses: elastic/elastic-github-actions/elasticsearch@master
+        with:
+          stack-version: ${{ env.ELK_VERSION }}
+          security-enabled: false
+
+      - name: Run cloudbeat in background
+        env:
+          ES_HOST: http://localhost:9200
+          ES_USERNAME: elastic
+          ES_PASSWORD: changeme
+          AZURE_ACCOUNT_TYPE: single-account
+          AZURE_CREDENTIALS_TYPE: client-secret
+          AZURE_CLIENT_ID: ${{ secrets.AZURE_CREDENTIALS.AZURE_CLIENT_ID }}
+	        AZURE_TENANT_ID: ${{ secrets.AZURE_CREDENTIALS.AZURE_TENANT_ID }}
+	        AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CREDENTIALS.AZURE_CLIENT_SECRET }}
+        run: |
+          ./cloudbeat -c deploy/azure/cloudbeat-azure.yml -d '*' &
+
+      - name: Check for findings
+        working-directory: ./tests
+        env:
+          USE_K8S: false
+        run: |
+          poetry install
+          poetry run pytest -k "cspm_azure" --alluredir=./allure/results/ --clean-alluredir --maxfail=4
+
+      - name: Print cloudbeat logs
+        if: always()
+        run: |
+          cat logs/cloudbeat*
diff --git a/deploy/azure/cloudbeat-azure.yml b/deploy/azure/cloudbeat-azure.yml
@@ -2,6 +2,13 @@ cloudbeat:
   config:
     v1:
       benchmark: cis_azure
+      azure:
+        account_type: ${AZURE_ACCOUNT_TYPE:""}
+        credentials:
+          type: ${AZURE_CREDENTIALS_TYPE:""}
+          client_id: ${AZURE_CLIENT_ID:""}
+	        tenant_id: ${AZURE_TENANT_ID:""}
+	        client_secret: ${AZURE_CLIENT_SECRET:""}
   type: cloudbeat/cis_azure
   # Defines how often an event is sent to the output
   period: 30s

diff --git a/tests/configuration.py b/tests/configuration.py
@@ -17,6 +17,7 @@
 agent.findings_timeout = 500
 agent.eks_findings_timeout = 120
 agent.aws_findings_timeout = 10
+agent.azure_findings_timeout = 10
 agent.cluster_type = os.getenv("CLUSTER_TYPE", "eks")  # options: vanilla / eks / vanilla_aws
 agent.agentless = os.getenv("TEST_AGENTLESS", "false") == "true"
 

diff --git a/tests/product/tests/data/azure/__init__.py b/tests/product/tests/data/azure/__init__.py
diff --git a/tests/product/tests/data/azure/azure_app_service_test_cases.py b/tests/product/tests/data/azure/azure_app_service_test_cases.py
@@ -0,0 +1,126 @@
+"""
+This module provides Azure app service rule test cases.
+Cases are organized as rules.
+Each rule has one or more test cases.
+App service identification is performed by resource name.
+"""
+from ..azure_test_case import AzureServiceCase
+from ..constants import RULE_PASS_STATUS, RULE_FAIL_STATUS
+
+CIS_9_4 = "CIS 9.4"
+CIS_9_10 = "CIS 9.10"
+CIS_9_2 = "CIS 9.2"
+CIS_9_3 = "CIS 9.3"
+CIS_9_5 = "CIS 9.5"
+CIS_9_9 = "CIS 9.9"
+
+cis_azure_9_4_pass = AzureServiceCase(
+    rule_tag=CIS_9_4,
+    case_identifier="test-app-service-pass",
+    expected=RULE_PASS_STATUS,
+)
+
+cis_azure_9_4_fail = AzureServiceCase(
+    rule_tag=CIS_9_4,
+    case_identifier="test-app-service-fail",
+    expected=RULE_FAIL_STATUS,
+)
+
+cis_azure_9_4 = {
+    "9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' expect: passed": cis_azure_9_4_pass,
+    "9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' expect: failed": cis_azure_9_4_fail,
+}
+
+cis_azure_9_10_pass = AzureServiceCase(
+    rule_tag=CIS_9_10,
+    case_identifier="test-app-service-pass",
+    expected=RULE_PASS_STATUS,
+)
+
+cis_azure_9_10_fail = AzureServiceCase(
+    rule_tag=CIS_9_10,
+    case_identifier="test-app-service-fail",
+    expected=RULE_FAIL_STATUS,
+)
+
+cis_azure_9_10 = {
+    "9.10 Ensure FTP deployments are Disabled expect: passed": cis_azure_9_10_pass,
+    "9.10 Ensure FTP deployments are Disabled expect: failed": cis_azure_9_10_fail,
+}
+
+cis_azure_9_2_pass = AzureServiceCase(
+    rule_tag=CIS_9_2,
+    case_identifier="test-app-service-pass",
+    expected=RULE_PASS_STATUS,
+)
+
+cis_azure_9_2_fail = AzureServiceCase(
+    rule_tag=CIS_9_2,
+    case_identifier="test-app-service-fail",
+    expected=RULE_FAIL_STATUS,
+)
+
+cis_azure_9_2 = {
+    "9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service expect: passed": cis_azure_9_2_pass,
+    "9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service expect: failed": cis_azure_9_2_fail,
+}
+
+cis_azure_9_3_pass = AzureServiceCase(
+    rule_tag=CIS_9_3,
+    case_identifier="test-app-service-pass",
+    expected=RULE_PASS_STATUS,
+)
+
+cis_azure_9_3_fail = AzureServiceCase(
+    rule_tag=CIS_9_3,
+    case_identifier="test-app-service-fail",
+    expected=RULE_FAIL_STATUS,
+)
+
+cis_azure_9_3 = {
+    "9.3 Ensure Web App is using the latest version of TLS encryption expect: passed": cis_azure_9_3_pass,
+    "9.3 Ensure Web App is using the latest version of TLS encryption expect: failed": cis_azure_9_3_fail,
+}
+
+cis_azure_9_5_pass = AzureServiceCase(
+    rule_tag=CIS_9_5,
+    case_identifier="test-app-service-pass",
+    expected=RULE_PASS_STATUS,
+)
+
+cis_azure_9_5_fail = AzureServiceCase(
+    rule_tag=CIS_9_5,
+    case_identifier="test-app-service-fail",
+    expected=RULE_FAIL_STATUS,
+)
+
+cis_azure_9_5 = {
+    "9.5 Ensure that Register with Azure Active Directory is enabled on App Service expect: passed": cis_azure_9_5_pass,
+    "9.5 Ensure that Register with Azure Active Directory is enabled on App Service expect: failed": cis_azure_9_5_fail,
+}
+
+cis_azure_9_9_pass = AzureServiceCase(
+    rule_tag=CIS_9_9,
+    case_identifier="test-app-service-pass",
+    expected=RULE_PASS_STATUS,
+)
+
+cis_azure_9_9_fail = AzureServiceCase(
+    rule_tag=CIS_9_9,
+    case_identifier="test-app-service-fail",
+    expected=RULE_FAIL_STATUS,
+)
+
+cis_azure_9_9 = {
+    "9.9 Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App expect: passed": cis_azure_9_9_pass,
+    "9.9 Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App expect: failed": cis_azure_9_9_fail,
+}
+
+cis_azure_app_service_cases = {
+    **cis_azure_9_4,
+    **cis_azure_9_10,
+    **cis_azure_9_2,
+    **cis_azure_9_3,
+    **cis_azure_9_5,
+    **cis_azure_9_9,
+}
diff --git a/tests/product/tests/data/azure/azure_database_service_test_cases.py b/tests/product/tests/data/azure/azure_database_service_test_cases.py
@@ -0,0 +1,107 @@
+"""
+This module provides Azure database service rule test cases.
+Cases are organized as rules.
+Each rule has one or more test cases.
+Database service identification is performed by resource name.
+"""
+from ..azure_test_case import AzureServiceCase
+from ..constants import RULE_PASS_STATUS, RULE_FAIL_STATUS
+
+CIS_4_5_1 = "CIS 4.5.1"
+CIS_4_1_2 = "CIS 4.1.2"
+CIS_4_1_4 = "CIS 4.1.4"
+CIS_4_3_1 = "CIS 4.3.1"
+CIS_4_4_1 = "CIS 4.4.1"
+
+cis_azure_4_5_1_pass = AzureServiceCase(
+    rule_tag=CIS_4_5_1,
+    case_identifier="test-database-service-pass",
+    expected=RULE_PASS_STATUS,
+)
+
+cis_azure_4_5_1_fail = AzureServiceCase(
+    rule_tag=CIS_4_5_1,
+    case_identifier="test-database-service-fail",
+    expected=RULE_FAIL_STATUS,
+)
+
+cis_azure_4_5_1 = {
+    "4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks expect: passed": cis_azure_4_5_1_pass,
+    "4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks expect: failed": cis_azure_4_5_1_fail,
+}
+
+cis_azure_4_1_2_pass = AzureServiceCase(
+    rule_tag=CIS_4_1_2,
+    case_identifier="test-database-service-pass",
+    expected=RULE_PASS_STATUS,
+)
+
+cis_azure_4_1_2_fail = AzureServiceCase(
+    rule_tag=CIS_4_1_2,
+    case_identifier="test-database-service-fail",
+    expected=RULE_FAIL_STATUS,
+)
+
+cis_azure_4_1_2 = {
+    "4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) expect: passed": cis_azure_4_1_2_pass,
+    "4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) expect: failed": cis_azure_4_1_2_fail,
+}
+
+cis_azure_4_1_4_pass = AzureServiceCase(
+    rule_tag=CIS_4_1_4,
+    case_identifier="test-database-service-pass",
+    expected=RULE_PASS_STATUS,
+)
+
+cis_azure_4_1_4_fail = AzureServiceCase(
+    rule_tag=CIS_4_1_4,
+    case_identifier="test-database-service-fail",
+    expected=RULE_FAIL_STATUS,
+)
+
+cis_azure_4_1_4 = {
+    "4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers expect: passed": cis_azure_4_1_4_pass,
+    "4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers expect: failed": cis_azure_4_1_4_fail,
+}
+
+cis_azure_4_3_1_pass = AzureServiceCase(
+    rule_tag=CIS_4_3_1,
+    case_identifier="test-database-service-pass",
+    expected=RULE_PASS_STATUS,
+)
+
+cis_azure_4_3_1_fail = AzureServiceCase(
+    rule_tag=CIS_4_3_1,
+    case_identifier="test-database-service-fail",
+    expected=RULE_FAIL_STATUS,
+)
+
+cis_azure_4_3_1 = {
+    "4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server expect: passed": cis_azure_4_3_1_pass,
+    "4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server expect: failed": cis_azure_4_3_1_fail,
+}
+
+cis_azure_4_4_1_pass = AzureServiceCase(
+    rule_tag=CIS_4_4_1,
+    case_identifier="test-database-service-pass",
+    expected=RULE_PASS_STATUS,
+)
+
+cis_azure_4_4_1_fail = AzureServiceCase(
+    rule_tag=CIS_4_4_1,
+    case_identifier="test-database-service-fail",
+    expected=RULE_FAIL_STATUS,
+)
+
+cis_azure_4_4_1 = {
+    "4.4.1 Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server expect: passed": cis_azure_4_4_1_pass,
+    "4.4.1 Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server expect: failed": cis_azure_4_4_1_fail,
+}
+
+cis_azure_database_service_cases = {
+    **cis_azure_4_5_1,
+    **cis_azure_4_1_2,
+    **cis_azure_4_1_4,
+    **cis_azure_4_3_1,
+    **cis_azure_4_4_1,
+}
diff --git a/tests/product/tests/data/azure/azure_identity_access_management_test_cases.py b/tests/product/tests/data/azure/azure_identity_access_management_test_cases.py
@@ -0,0 +1,32 @@
+"""
+This module provides Azure identity access management rule test cases.
+Cases are organized as rules.
+Each rule has one or more test cases.
+Identity access management identification is performed by resource name.
+"""
+from ..azure_test_case import AzureServiceCase
+from ..constants import RULE_PASS_STATUS, RULE_FAIL_STATUS
+
+
+CIS_1_23 = "CIS 1.23"
+
+cis_azure_1_23_pass = AzureServiceCase(
+    rule_tag=CIS_1_23,
+    case_identifier="test-identity-access-management-pass",
+    expected=RULE_PASS_STATUS,
+)
+
+cis_azure_1_23_fail = AzureServiceCase(
+    rule_tag=CIS_1_23,
+    case_identifier="test-identity-access-management-fail",
+    expected=RULE_FAIL_STATUS,
+)
+
+cis_azure_1_23 = {
+    "1.23 Ensure That No Custom Subscription Administrator Roles Exist expect: passed": cis_azure_1_23_pass,
+    "1.23 Ensure That No Custom Subscription Administrator Roles Exist expect: failed": cis_azure_1_23_fail,
+}
+
+cis_azure_identity_access_management_cases = {
+    **cis_azure_1_23,
+}
diff --git a/tests/product/tests/data/azure/azure_key_vault_test_cases.py b/tests/product/tests/data/azure/azure_key_vault_test_cases.py
@@ -0,0 +1,31 @@
+"""
+This module provides Azure key vault rule test cases.
+Cases are organized as rules.
+Each rule has one or more test cases.
+Key vault identification is performed by resource name.
+"""
+from ..azure_test_case import AzureServiceCase
+from ..constants import RULE_PASS_STATUS, RULE_FAIL_STATUS
+
+CIS_8_5 = "CIS 8.5"
+
+cis_azure_8_5_pass = AzureServiceCase(
+    rule_tag=CIS_8_5,
+    case_identifier="test-key-vault-pass",
+    expected=RULE_PASS_STATUS,
+)
+
+cis_azure_8_5_fail = AzureServiceCase(
+    rule_tag=CIS_8_5,
+    case_identifier="test-key-vault-fail",
+    expected=RULE_FAIL_STATUS,
+)
+
+cis_azure_8_5 = {
+    "8.5 Ensure the Key Vault is Recoverable expect: passed": cis_azure_8_5_pass,
+    "8.5 Ensure the Key Vault is Recoverable expect: failed": cis_azure_8_5_fail,
+}
+
+cis_azure_key_vault_cases = {
+    **cis_azure_8_5,
+}