Merge pull request #124 from cloudgraphdev/feature/CG-1263-azure-nist-36-update

feat(CG-1263): update azure network watcher cis and nist rule

Author: tyler-dunkel

src/azure/cis-1.3.1/rules/azure-cis-1.3.1-6.5.ts

@@ -1,6 +1,6 @@
 export default {
   id: 'azure-cis-1.3.1-6.5',  
-  title: 'Azure CIS 6.5 Ensure that Network Watcher is \'Enabled\' (Manual)',
+  title: 'Azure CIS 6.5 Ensure that Network Watcher is \'Enabled\'',
 
   description: 'Enable Network Watcher for Azure subscriptions.',
 
@@ -31,5 +31,19 @@ export default {
       'https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-create',
       'https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-3-enable-logging-for-azure-network-activities',
   ],  
-  severity: 'high' 
+  severity: 'high',
+  gql: `{
+    queryazureResourceGroup {
+      id
+      __typename
+      virtualNetworks {
+        id
+      }
+    }
+  }`,
+  resource: 'queryazureResourceGroup[*]',
+  check: ({ resource }: any) => {
+    const { virtualNetworks } = resource
+    return !!virtualNetworks
+  },
 }

src/azure/cis-1.3.1/tests/azure-cis-1.3.1-6.x.test.ts

@@ -7,6 +7,7 @@ import Azure_CIS_131_61 from '../rules/azure-cis-1.3.1-6.1'
 import Azure_CIS_131_62 from '../rules/azure-cis-1.3.1-6.2'
 import Azure_CIS_131_63 from '../rules/azure-cis-1.3.1-6.3'
 import Azure_CIS_131_64 from '../rules/azure-cis-1.3.1-6.4'
+import Azure_CIS_131_65 from '../rules/azure-cis-1.3.1-6.5'
 import Azure_CIS_131_66 from '../rules/azure-cis-1.3.1-6.6'
 import { initRuleEngine } from '../../../utils/test'
 
@@ -38,9 +39,18 @@ export interface QueryazureSqlServer {
   firewallRules?: FirewallRules[]
 }
 
+export interface VirtualNetwork {
+  id: string
+}
+
+export interface QueryazureResourceGroup {
+  id: string
+  virtualNetworks?: VirtualNetwork[]
+}
 export interface CIS6xQueryResponse {
   queryazureNetworkSecurityGroup?: QueryazureNetworkSecurityGroup[]
   queryazureSqlServer?: QueryazureSqlServer[]
+  queryazureResourceGroup?: QueryazureResourceGroup[]
 }
 
 describe('CIS Microsoft Azure Foundations: 1.3.1', () => {
@@ -373,6 +383,56 @@ describe('CIS Microsoft Azure Foundations: 1.3.1', () => {
     })
   })
 
+  describe('Azure CIS 6.5 Ensure that Network Watcher is Enabled', () => {
+    const getTestRuleFixture = (
+      enabled: boolean,
+    ): CIS6xQueryResponse => {
+      return {
+        queryazureResourceGroup: [
+          {
+            id: cuid(),
+            virtualNetworks: enabled? [
+              {
+                id: cuid(),
+              },
+            ]: undefined,
+          },
+        ],
+      }
+    }
+
+    const testRule = async (
+      data: CIS6xQueryResponse,
+      expectedResult: Result
+    ): Promise<void> => {
+      // Act
+      const [processedRule] = await rulesEngine.processRule(
+        Azure_CIS_131_65 as Rule,
+        { ...data }
+      )
+
+      // Asserts
+      expect(processedRule.result).toBe(expectedResult)
+    }
+
+    test('No Security Issue when Network Watcher is enabled', async () => {
+      const data: CIS6xQueryResponse = getTestRuleFixture(
+        true,
+      )
+
+      await testRule(data, Result.PASS)
+    })
+
+    test('Security Issue when Network Watcher is disabled', async () => {
+      const data: CIS6xQueryResponse = getTestRuleFixture(
+        false,
+      )
+
+      await testRule(data, Result.FAIL)
+    })
+  })
+
+
   describe('Azure CIS 6.6 Ensure that UDP Services are restricted from the Internet', () => {
     const getTestRuleFixture = (
       access?: string,

src/azure/nist-800-53-rev4/rules/azure-nist-800-53-rev4-3.6.ts

@@ -32,5 +32,19 @@ export default {
       'https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-create',
       'https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-3-enable-logging-for-azure-network-activities',
   ],  
-  severity: 'high' 
+  severity: 'high',
+  gql: `{
+    queryazureResourceGroup {
+      id
+      __typename
+      virtualNetworks {
+        id
+      }
+    }
+  }`,
+  resource: 'queryazureResourceGroup[*]',
+  check: ({ resource }: any) => {
+    const { virtualNetworks } = resource
+    return !!virtualNetworks
+  },
 }

src/azure/nist-800-53-rev4/tests/nist-800-53-rev4-3.x.test.ts

@@ -8,6 +8,7 @@ import Azure_NIST_800_53_32 from '../rules/azure-nist-800-53-rev4-3.2'
 import Azure_NIST_800_53_33 from '../rules/azure-nist-800-53-rev4-3.3'
 import Azure_NIST_800_53_34 from '../rules/azure-nist-800-53-rev4-3.4'
 import Azure_NIST_800_53_35 from '../rules/azure-nist-800-53-rev4-3.5'
+import Azure_NIST_800_53_36 from '../rules/azure-nist-800-53-rev4-3.6'
 import Azure_NIST_800_53_37 from '../rules/azure-nist-800-53-rev4-3.7'
 import { initRuleEngine, testRule } from '../../../utils/test'
 
@@ -67,11 +68,21 @@ export interface QueryazureSqlServer {
   firewallRules?: FirewallRules[]
 }
 
+export interface VirtualNetwork {
+  id: string
+}
+
+export interface QueryazureResourceGroup {
+  id: string
+  virtualNetworks?: VirtualNetwork[]
+}
+
 export interface NIST3xQueryResponse {
   queryazureStorageContainer?: QueryazureStorageContainer[]
   queryazureDiagnosticSetting?: QueryazureDiagnosticSetting[]
   queryazureSqlServer?: QueryazureSqlServer[]
   queryazureSubscription?: QueryazureSubscription[]
+  queryazureResourceGroup?: QueryazureResourceGroup[]
 }
 
 describe('Azure NIST 800-53: Rev. 4', () => {
@@ -341,6 +352,41 @@ describe('Azure NIST 800-53: Rev. 4', () => {
     })
   })
 
+  describe('Azure NIST 3.6 Virtual Network Network Watcher should be enabled', () => {
+    const getTestRuleFixture = (
+      enabled: boolean,
+    ): NIST3xQueryResponse => {
+      return {
+        queryazureResourceGroup: [
+          {
+            id: cuid(),
+            virtualNetworks: enabled? [
+              {
+                id: cuid(),
+              },
+            ]: undefined,
+          },
+        ],
+      }
+    }
+
+    test('No Security Issue when Network Watcher is enabled', async () => {
+      const data: NIST3xQueryResponse = getTestRuleFixture(
+        true,
+      )
+
+      await testRule(rulesEngine, data, Azure_NIST_800_53_36 as Rule, Result.PASS)
+    })
+
+    test('Security Issue when Network Watcher is disabled', async () => {
+      const data: NIST3xQueryResponse = getTestRuleFixture(
+        false,
+      )
+
+      await testRule(rulesEngine, data, Azure_NIST_800_53_36 as Rule, Result.FAIL)
+    })
+  })
+
   describe('Azure NIST 3.7 Ensure that Activity Log Alert exists for Create or Update Network Security Group', () => {
     const getTestRuleFixture_527 = (
       enabled: boolean,