feat(checks-gcp): Include 4 new checks covering GCP CIS (#2376)

Co-authored-by: Sergio Garcia <sergargar1@gmail.com>
Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
This commit is contained in:
Jit
2023-05-24 11:10:43 +01:00
committed by GitHub
parent c31072f42f
commit 3ab0cd02df
17 changed files with 872 additions and 0 deletions


@@ -0,0 +1,31 @@
{
"Provider": "gcp",
"CheckID": "compute_default_service_account_in_use",
"CheckTitle": "Ensure That Instances Are Not Configured To Use the Default Service Account",
"CheckType": [],
"ServiceName": "compute",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "VMInstance",
"Description": "It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.",
"Risk": "",
"RelatedUrl": "",
"Remediation": {
"Code": {
"CLI": "https://docs.bridgecrew.io/docs/bc_gcp_iam_1#cli-command",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/default-service-accounts-in-use.html",
"Terraform": "https://docs.bridgecrew.io/docs/bc_gcp_iam_1#terraform"
},
"Recommendation": {
"Text": "",
"Url": ""
}
},
"Categories": [],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
}
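Review bot: `Risk`, `Recommendation.Text` and `Recommendation.Url` are left empty, so the finding explains neither the exposure nor the remediation step beyond the third-party links, and the same holds for the metadata of the other three new checks. Since `Description` already states why the default service account matters (it holds Editor on the project), a one-line `Risk` such as `"A compromised instance inherits the Editor role of the default service account across the whole project."` and a `Recommendation.Text` that points at attaching a dedicated, least-privilege service account would make the report self-contained. `CheckType` and `Categories` are empty lists as well, which I assume is intended if the CIS mapping lives elsewhere.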


@@ -0,0 +1,32 @@
from prowler.lib.check.models import Check, Check_Report_GCP
from prowler.providers.gcp.services.compute.compute_client import compute_client
class compute_default_service_account_in_use(Check):
def execute(self) -> Check_Report_GCP:
findings = []
for instance in compute_client.instances:
report = Check_Report_GCP(self.metadata())
report.project_id = compute_client.project_id
report.resource_id = instance.id
report.resource_name = instance.name
report.location = instance.zone
report.status = "PASS"
report.status_extended = f"The default service account is not configured to be used with VM Instance {instance.name}"
if (
any(
[
(
sa["email"]
== f"{compute_client.project_id}-compute@developer.gserviceaccount.com"
)
for sa in instance.service_accounts
]
)
and instance.name[:4] != "gke-"
):
report.status = "FAIL"
report.status_extended = f"The default service account is configured to be used with VM Instance {instance.name}"
findings.append(report)
return findings
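Review bot: The default Compute Engine service account is named after the project number (`<project-number>-compute@developer.gserviceaccount.com`), so the equality test against `f"{compute_client.project_id}-compute@developer.gserviceaccount.com"` only matches when `compute_client.project_id` holds the numeric project number rather than the project ID string; if it holds the ID, every instance silently passes. A suffix match works in both cases and removes the dependency: `sa.get("email", "").endswith("-compute@developer.gserviceaccount.com")`; the same comparison is used in compute_default_service_account_in_use_with_full_api_access. The GKE exemption `instance.name[:4] != "gke-"` is decided by the instance name alone, so any VM named `gke-…` is skipped whatever it runs; `instance.name.startswith("gke-")` reads better, and if the Instance model can expose the `goog-gke-node` label that the CIS benchmark names for GKE nodes, gating on it as well would make the exemption harder to spoof. The return annotation `-> Check_Report_GCP` does not match the `list` that is returned; `-> list[Check_Report_GCP]` is accurate, and the same annotation appears in the other three new checks. The `any([...])` list can be a generator expression, `any(... for sa in instance.service_accounts)`, so the scan stops at the first match.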


@@ -0,0 +1,31 @@
{
"Provider": "gcp",
"CheckID": "compute_default_service_account_in_use_with_full_api_access",
"CheckTitle": "Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs",
"CheckType": [],
"ServiceName": "compute",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "VMInstance",
"Description": "To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account `Compute Engine default service account` with Scope `Allow full access to all Cloud APIs`.",
"Risk": "",
"RelatedUrl": "",
"Remediation": {
"Code": {
"CLI": "https://docs.bridgecrew.io/docs/bc_gcp_iam_2#cli-command",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/default-service-accounts-with-full-access-in-use.html",
"Terraform": "https://docs.bridgecrew.io/docs/bc_gcp_iam_2#terraform"
},
"Recommendation": {
"Text": "",
"Url": ""
}
},
"Categories": [],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
}


@@ -0,0 +1,29 @@
from prowler.lib.check.models import Check, Check_Report_GCP
from prowler.providers.gcp.services.compute.compute_client import compute_client
class compute_default_service_account_in_use_with_full_api_access(Check):
def execute(self) -> Check_Report_GCP:
findings = []
for instance in compute_client.instances:
report = Check_Report_GCP(self.metadata())
report.project_id = compute_client.project_id
report.resource_id = instance.id
report.resource_name = instance.name
report.location = instance.zone
report.status = "PASS"
report.status_extended = f"The VM Instance {instance.name} is not configured to use the default service account with full access to all cloud APIs "
for service_account in instance.service_accounts:
if (
service_account["email"]
== f"{compute_client.project_id}-compute@developer.gserviceaccount.com"
and "https://www.googleapis.com/auth/cloud-platform"
in service_account["scopes"]
and instance.name[:4] != "gke-"
):
report.status = "FAIL"
report.status_extended = f"The VM Instance {instance.name} is configured to use the default service account with full access to all cloud APIs "
break
findings.append(report)
return findings
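Review bot: `service_account["scopes"]` raises KeyError for a service-account entry that carries no `scopes` key, and because the exception propagates out of `execute` one such instance aborts the whole check instead of yielding a finding; `service_account.get("scopes", [])` keeps the check running. The `instance.name[:4] != "gke-"` test does not depend on the loop variable, so it can be evaluated once before the `for service_account` loop (skipping to the next instance early) instead of on every service account. Both `status_extended` strings end in a trailing space, which the tests then have to reproduce in their `search` patterns; dropping it removes that coupling.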


@@ -0,0 +1,31 @@
{
"Provider": "gcp",
"CheckID": "compute_serial_ports_in_use",
"CheckTitle": "Ensure Enable Connecting to Serial Ports Is Not Enabled for VM Instance",
"CheckType": [],
"ServiceName": "compute",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "VMInstance",
"Description": "Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled.",
"Risk": "",
"RelatedUrl": "",
"Remediation": {
"Code": {
"CLI": "https://docs.bridgecrew.io/docs/bc_gcp_networking_11#cli-command",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/disable-interactive-serial-console-support.html",
"Terraform": "https://docs.bridgecrew.io/docs/bc_gcp_networking_11#terraform"
},
"Recommendation": {
"Text": "",
"Url": ""
}
},
"Categories": [],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
}


@@ -0,0 +1,27 @@
from prowler.lib.check.models import Check, Check_Report_GCP
from prowler.providers.gcp.services.compute.compute_client import compute_client
class compute_serial_ports_in_use(Check):
def execute(self) -> Check_Report_GCP:
findings = []
for instance in compute_client.instances:
report = Check_Report_GCP(self.metadata())
report.project_id = compute_client.project_id
report.resource_id = instance.id
report.resource_name = instance.name
report.location = instance.zone
report.status = "PASS"
report.status_extended = f"VM Instance {instance.name} have Enable Connecting to Serial Ports off"
if instance.metadata.get("items"):
for item in instance.metadata["items"]:
if item["key"] == "serial-port-enable" and item["value"] in [
"1",
"true",
]:
report.status = "FAIL"
report.status_extended = f"VM Instance {instance.name} have Enable Connecting to Serial Ports set to on"
break
findings.append(report)
return findings
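Review bot: The enabled test `item["value"] in ["1", "true"]` is case-sensitive, while the GCP documentation sets this key as `serial-port-enable=TRUE`, so an instance enabled exactly as documented is reported as PASS; comparing `item["value"].lower() in ("1", "true")` closes that gap. The check also reads only instance metadata, but this key is inherited from project-level common metadata when the instance does not override it, so a project-wide `serial-port-enable` leaves every instance PASS — worth a comment in the check, or a follow-up that consults the project metadata if the service exposes it. If the API ever omits `value` on an item, `item["value"]` raises and aborts the check; `item.get("value", "")` is the safer read.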


@@ -56,6 +56,14 @@ class Compute:
id=instance["id"],
zone=zone,
public_ip=public_ip,
metadata=instance["metadata"],
shielded_enabled_vtpm=instance[
"shieldedInstanceConfig"
]["enableVtpm"],
shielded_enabled_integrity_monitoring=instance[
"shieldedInstanceConfig"
]["enableIntegrityMonitoring"],
service_accounts=instance["serviceAccounts"],
)
)
@@ -95,6 +103,10 @@ class Instance(BaseModel):
id: str
zone: str
public_ip: bool
metadata: dict
shielded_enabled_vtpm: bool
shielded_enabled_integrity_monitoring: bool
service_accounts: list
class Network(BaseModel):
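Review bot: In the first hunk the new `instance["shieldedInstanceConfig"]["enableVtpm"]`, `["enableIntegrityMonitoring"]` and `instance["serviceAccounts"]` lookups index hard into the API response, and the Compute instances list response omits `serviceAccounts` for a VM with no service account attached (and, I believe, `shieldedInstanceConfig` for some older instances), so one such instance raises KeyError and the whole service load fails before any check runs. `instance.get("serviceAccounts", [])` and `instance.get("shieldedInstanceConfig", {}).get("enableVtpm", False)` (likewise for integrity monitoring) keep the collection going, and defaulting the shielded flags to `False` is the safe direction for the new compute_shielded_vm_enabled check. In the second hunk, `service_accounts: list` could be `list[dict]` to document what the checks index into. The method that builds the Instance starts before the first hunk.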


@@ -0,0 +1,31 @@
{
"Provider": "gcp",
"CheckID": "compute_shielded_vm_enabled",
"CheckTitle": "Ensure Compute Instances Are Launched With Shielded VM Enabled",
"CheckType": [],
"ServiceName": "compute",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "VMInstance",
"Description": "To defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.",
"Risk": "",
"RelatedUrl": "",
"Remediation": {
"Code": {
"CLI": "https://docs.bridgecrew.io/docs/bc_gcp_general_y#cli-command",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/enable-shielded-vm.html",
"Terraform": "https://docs.bridgecrew.io/docs/bc_gcp_general_y#terraform"
},
"Recommendation": {
"Text": "",
"Url": ""
}
},
"Categories": [],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
}
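Review bot: The remediation links on `CLI` and `Terraform` point at `bc_gcp_general_y`, which looks like an unfilled placeholder slug next to the `bc_gcp_iam_1`/`bc_gcp_networking_11` identifiers used by the sibling metadata files; please confirm the page exists or replace it with the correct policy id (`<bc_gcp_policy_id>` until known). `Risk` and the `Recommendation` fields are empty here as in the other three metadata files.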


@@ -0,0 +1,24 @@
from prowler.lib.check.models import Check, Check_Report_GCP
from prowler.providers.gcp.services.compute.compute_client import compute_client
class compute_shielded_vm_enabled(Check):
def execute(self) -> Check_Report_GCP:
findings = []
for instance in compute_client.instances:
report = Check_Report_GCP(self.metadata())
report.project_id = compute_client.project_id
report.resource_id = instance.id
report.resource_name = instance.name
report.location = instance.zone
report.status = "PASS"
report.status_extended = f"VM Instance {instance.name} have vTPM or Integrity Monitoring set to on"
if (
not instance.shielded_enabled_vtpm
or not instance.shielded_enabled_integrity_monitoring
):
report.status = "FAIL"
report.status_extended = f"VM Instance {instance.name} don't have vTPM and Integrity Monitoring set to on"
findings.append(report)
return findings
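Review bot: The PASS message says `vTPM or Integrity Monitoring set to on` while the condition only passes when both are enabled, so the wording contradicts the check logic; `f"VM Instance {instance.name} has vTPM and Integrity Monitoring set to on"` (and `does not have` in the FAIL branch) would match, with the corresponding `search` assertions in the test file updated alongside. The `not a or not b` condition could also be written as `if not (instance.shielded_enabled_vtpm and instance.shielded_enabled_integrity_monitoring):` to mirror the message.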


@@ -0,0 +1,137 @@
from re import search
from unittest import mock
GCP_PROJECT_ID = "123456789012"
class Test_compute_default_service_account_in_use:
def test_compute_no_instances(self):
compute_client = mock.MagicMock
compute_client.instances = []
with mock.patch(
"prowler.providers.gcp.services.compute.compute_default_service_account_in_use.compute_default_service_account_in_use.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_default_service_account_in_use.compute_default_service_account_in_use import (
compute_default_service_account_in_use,
)
check = compute_default_service_account_in_use()
result = check.execute()
assert len(result) == 0
def test_one_compliant_instance(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={},
shielded_enabled_vtpm=True,
shielded_enabled_integrity_monitoring=True,
service_accounts=[{"email": "123-compute@developer.gserviceaccount.com"}],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_default_service_account_in_use.compute_default_service_account_in_use.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_default_service_account_in_use.compute_default_service_account_in_use import (
compute_default_service_account_in_use,
)
check = compute_default_service_account_in_use()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert search(
f"The default service account is not configured to be used with VM Instance {instance.name}",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
def test_one_compliant_instance_gke(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="gke-test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={},
shielded_enabled_vtpm=True,
shielded_enabled_integrity_monitoring=True,
service_accounts=[
{"email": f"{GCP_PROJECT_ID}-compute@developer.gserviceaccount.com"}
],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_default_service_account_in_use.compute_default_service_account_in_use.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_default_service_account_in_use.compute_default_service_account_in_use import (
compute_default_service_account_in_use,
)
check = compute_default_service_account_in_use()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert search(
f"The default service account is not configured to be used with VM Instance {instance.name}",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
def test_instance_with_default_service_account(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={},
shielded_enabled_vtpm=True,
shielded_enabled_integrity_monitoring=True,
service_accounts=[
{"email": f"{GCP_PROJECT_ID}-compute@developer.gserviceaccount.com"}
],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_default_service_account_in_use.compute_default_service_account_in_use.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_default_service_account_in_use.compute_default_service_account_in_use import (
compute_default_service_account_in_use,
)
check = compute_default_service_account_in_use()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert search(
f"The default service account is configured to be used with VM Instance {instance.name}",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
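Review bot: `compute_client = mock.MagicMock` binds the class, not an instance, so `compute_client.instances = [...]` and `compute_client.project_id = ...` are set as attributes on `unittest.mock.MagicMock` itself and leak into every other test in the session; `compute_client = mock.MagicMock()` is what was intended, and the same pattern is repeated in the other three new test files. Because the check matches the default account against `compute_client.project_id`, these tests only prove the equality path with the numeric `GCP_PROJECT_ID`; a case with a non-numeric project id, and one with an instance whose `service_accounts` is empty, would pin down the behaviour the check relies on in production.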


@@ -0,0 +1,145 @@
from re import search
from unittest import mock
GCP_PROJECT_ID = "123456789012"
class Test_compute_default_service_account_in_use_with_full_api_access:
def test_compute_no_instances(self):
compute_client = mock.MagicMock
compute_client.instances = []
with mock.patch(
"prowler.providers.gcp.services.compute.compute_default_service_account_in_use_with_full_api_access.compute_default_service_account_in_use_with_full_api_access.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_default_service_account_in_use_with_full_api_access.compute_default_service_account_in_use_with_full_api_access import (
compute_default_service_account_in_use_with_full_api_access,
)
check = compute_default_service_account_in_use_with_full_api_access()
result = check.execute()
assert len(result) == 0
def test_one_compliant_instance(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={},
shielded_enabled_vtpm=True,
shielded_enabled_integrity_monitoring=True,
service_accounts=[
{"email": "123-compute@developer.gserviceaccount.com", "scopes": []}
],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_default_service_account_in_use_with_full_api_access.compute_default_service_account_in_use_with_full_api_access.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_default_service_account_in_use_with_full_api_access.compute_default_service_account_in_use_with_full_api_access import (
compute_default_service_account_in_use_with_full_api_access,
)
check = compute_default_service_account_in_use_with_full_api_access()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert search(
f"The VM Instance {instance.name} is not configured to use the default service account with full access to all cloud APIs ",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
def test_one_compliant_instance_gke(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="gke-test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={},
shielded_enabled_vtpm=True,
shielded_enabled_integrity_monitoring=True,
service_accounts=[
{
"email": f"{GCP_PROJECT_ID}-compute@developer.gserviceaccount.com",
"scopes": ["https://www.googleapis.com/auth/cloud-platform"],
}
],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_default_service_account_in_use_with_full_api_access.compute_default_service_account_in_use_with_full_api_access.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_default_service_account_in_use_with_full_api_access.compute_default_service_account_in_use_with_full_api_access import (
compute_default_service_account_in_use_with_full_api_access,
)
check = compute_default_service_account_in_use_with_full_api_access()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert search(
f"The VM Instance {instance.name} is not configured to use the default service account with full access to all cloud APIs ",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
def test_instance_with_default_service_account(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={},
shielded_enabled_vtpm=True,
shielded_enabled_integrity_monitoring=True,
service_accounts=[
{
"email": f"{GCP_PROJECT_ID}-compute@developer.gserviceaccount.com",
"scopes": ["https://www.googleapis.com/auth/cloud-platform"],
}
],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_default_service_account_in_use_with_full_api_access.compute_default_service_account_in_use_with_full_api_access.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_default_service_account_in_use_with_full_api_access.compute_default_service_account_in_use_with_full_api_access import (
compute_default_service_account_in_use_with_full_api_access,
)
check = compute_default_service_account_in_use_with_full_api_access()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert search(
f"The VM Instance {instance.name} is configured to use the default service account with full access to all cloud APIs ",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
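Review bot: The distinguishing case for this check — the default service account attached without the `cloud-platform` scope, which should PASS — is not exercised: `test_one_compliant_instance` uses a non-default email with empty scopes, so the scope condition is never the deciding factor. A test with `{"email": f"{GCP_PROJECT_ID}-compute@developer.gserviceaccount.com", "scopes": ["https://www.googleapis.com/auth/logging.write"]}` expecting PASS would cover it, as would an entry with no `scopes` key at all, which currently raises in the check.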


@@ -0,0 +1,208 @@
from re import search
from unittest import mock
GCP_PROJECT_ID = "123456789012"
class Test_compute_serial_ports_in_use:
def test_compute_no_instances(self):
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = []
with mock.patch(
"prowler.providers.gcp.services.compute.compute_serial_ports_in_use.compute_serial_ports_in_use.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_serial_ports_in_use.compute_serial_ports_in_use import (
compute_serial_ports_in_use,
)
check = compute_serial_ports_in_use()
result = check.execute()
assert len(result) == 0
def test_one_compliant_instance_without_metadata(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={},
shielded_enabled_vtpm=True,
shielded_enabled_integrity_monitoring=True,
service_accounts=[],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_serial_ports_in_use.compute_serial_ports_in_use.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_serial_ports_in_use.compute_serial_ports_in_use import (
compute_serial_ports_in_use,
)
check = compute_serial_ports_in_use()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert search(
f"VM Instance {instance.name} have Enable Connecting to Serial Ports off",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
def test_one_compliant_instance_with_0(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={"items": [{"key": "serial-port-enabled", "value": "0"}]},
shielded_enabled_vtpm=True,
shielded_enabled_integrity_monitoring=True,
service_accounts=[],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_serial_ports_in_use.compute_serial_ports_in_use.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_serial_ports_in_use.compute_serial_ports_in_use import (
compute_serial_ports_in_use,
)
check = compute_serial_ports_in_use()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert search(
f"VM Instance {instance.name} have Enable Connecting to Serial Ports off",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
def test_one_compliant_instance_with_false(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={"items": [{"key": "serial-port-enabled", "value": "false"}]},
shielded_enabled_vtpm=True,
shielded_enabled_integrity_monitoring=True,
service_accounts=[],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_serial_ports_in_use.compute_serial_ports_in_use.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_serial_ports_in_use.compute_serial_ports_in_use import (
compute_serial_ports_in_use,
)
check = compute_serial_ports_in_use()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert search(
f"VM Instance {instance.name} have Enable Connecting to Serial Ports off",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
def test_one_instance_with_serial_ports_enable_1(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={"items": [{"key": "serial-port-enable", "value": "1"}]},
shielded_enabled_vtpm=True,
shielded_enabled_integrity_monitoring=True,
service_accounts=[],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_serial_ports_in_use.compute_serial_ports_in_use.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_serial_ports_in_use.compute_serial_ports_in_use import (
compute_serial_ports_in_use,
)
check = compute_serial_ports_in_use()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert search(
f"VM Instance {instance.name} have Enable Connecting to Serial Ports set to on",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
def test_one_instance_with_serial_ports_enable_true(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={"items": [{"key": "serial-port-enable", "value": "true"}]},
shielded_enabled_vtpm=True,
shielded_enabled_integrity_monitoring=True,
service_accounts=[],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_serial_ports_in_use.compute_serial_ports_in_use.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_serial_ports_in_use.compute_serial_ports_in_use import (
compute_serial_ports_in_use,
)
check = compute_serial_ports_in_use()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert search(
f"VM Instance {instance.name} have Enable Connecting to Serial Ports set to on",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
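Review bot: `test_one_compliant_instance_with_0` and `test_one_compliant_instance_with_false` set the metadata key to `serial-port-enabled`, which is not the `serial-port-enable` key the check looks for, so they pass because the key never matches rather than because the value is `0`/`false`; both should use `"serial-port-enable"` to exercise the value comparison. A case with the value `TRUE` would also be worth adding, since the check's comparison is case-sensitive and that spelling is the one the GCP documentation uses.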


@@ -0,0 +1,134 @@
from re import search
from unittest import mock
GCP_PROJECT_ID = "123456789012"
class Test_compute_shielded_vm_enabled:
def test_compute_no_instances(self):
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = []
with mock.patch(
"prowler.providers.gcp.services.compute.compute_shielded_vm_enabled.compute_shielded_vm_enabled.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_shielded_vm_enabled.compute_shielded_vm_enabled import (
compute_shielded_vm_enabled,
)
check = compute_shielded_vm_enabled()
result = check.execute()
assert len(result) == 0
def test_one_compliant_instance(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={},
shielded_enabled_vtpm=True,
shielded_enabled_integrity_monitoring=True,
service_accounts=[],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_shielded_vm_enabled.compute_shielded_vm_enabled.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_shielded_vm_enabled.compute_shielded_vm_enabled import (
compute_shielded_vm_enabled,
)
check = compute_shielded_vm_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert search(
f"VM Instance {instance.name} have vTPM or Integrity Monitoring set to on",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
def test_one_instance_with_shielded_vtpm_disabled(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={},
shielded_enabled_vtpm=False,
shielded_enabled_integrity_monitoring=True,
service_accounts=[],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_shielded_vm_enabled.compute_shielded_vm_enabled.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_shielded_vm_enabled.compute_shielded_vm_enabled import (
compute_shielded_vm_enabled,
)
check = compute_shielded_vm_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert search(
f"VM Instance {instance.name} don't have vTPM and Integrity Monitoring set to on",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
def test_one_instance_with_shielded_integrity_monitoring_disabled(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={},
shielded_enabled_vtpm=True,
shielded_enabled_integrity_monitoring=False,
service_accounts=[],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_shielded_vm_enabled.compute_shielded_vm_enabled.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_shielded_vm_enabled.compute_shielded_vm_enabled import (
compute_shielded_vm_enabled,
)
check = compute_shielded_vm_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert search(
f"VM Instance {instance.name} don't have vTPM and Integrity Monitoring set to on",
result[0].status_extended,
)
assert result[0].resource_id == instance.id