feat(checks-gcp): Include 4 new checks covering GCP CIS (#2376)

Co-authored-by: Sergio Garcia <sergargar1@gmail.com>
Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
This commit is contained in:
Jit
2023-05-24 11:10:43 +01:00
committed by GitHub
parent c31072f42f
commit 3ab0cd02df
17 changed files with 872 additions and 0 deletions


@@ -0,0 +1,137 @@
from re import search
from unittest import mock
GCP_PROJECT_ID = "123456789012"
class Test_compute_default_service_account_in_use:
def test_compute_no_instances(self):
compute_client = mock.MagicMock
compute_client.instances = []
with mock.patch(
"prowler.providers.gcp.services.compute.compute_default_service_account_in_use.compute_default_service_account_in_use.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_default_service_account_in_use.compute_default_service_account_in_use import (
compute_default_service_account_in_use,
)
check = compute_default_service_account_in_use()
result = check.execute()
assert len(result) == 0
def test_one_compliant_instance(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={},
shielded_enabled_vtpm=True,
shielded_enabled_integrity_monitoring=True,
service_accounts=[{"email": "123-compute@developer.gserviceaccount.com"}],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_default_service_account_in_use.compute_default_service_account_in_use.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_default_service_account_in_use.compute_default_service_account_in_use import (
compute_default_service_account_in_use,
)
check = compute_default_service_account_in_use()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert search(
f"The default service account is not configured to be used with VM Instance {instance.name}",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
def test_one_compliant_instance_gke(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="gke-test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={},
shielded_enabled_vtpm=True,
shielded_enabled_integrity_monitoring=True,
service_accounts=[
{"email": f"{GCP_PROJECT_ID}-compute@developer.gserviceaccount.com"}
],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_default_service_account_in_use.compute_default_service_account_in_use.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_default_service_account_in_use.compute_default_service_account_in_use import (
compute_default_service_account_in_use,
)
check = compute_default_service_account_in_use()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert search(
f"The default service account is not configured to be used with VM Instance {instance.name}",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
def test_instance_with_default_service_account(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={},
shielded_enabled_vtpm=True,
shielded_enabled_integrity_monitoring=True,
service_accounts=[
{"email": f"{GCP_PROJECT_ID}-compute@developer.gserviceaccount.com"}
],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_default_service_account_in_use.compute_default_service_account_in_use.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_default_service_account_in_use.compute_default_service_account_in_use import (
compute_default_service_account_in_use,
)
check = compute_default_service_account_in_use()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert search(
f"The default service account is configured to be used with VM Instance {instance.name}",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
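Review bot: Every test here binds `compute_client = mock.MagicMock` (the class, not an instance), so `compute_client.instances = [...]` and `compute_client.project_id = ...` are written as class attributes on `unittest.mock.MagicMock` itself and survive across tests and across the whole session; the same pattern repeats in the three other test files in this commit (`Test_compute_default_service_account_in_use_with_full_api_access`, `Test_compute_serial_ports_in_use`, `Test_compute_shielded_vm_enabled`). That shared state is why `test_compute_no_instances` in this file can omit `project_id` and still work once another test has set it, which makes test order matter. Use a fresh instance per test: `compute_client = mock.MagicMock()`, and set `compute_client.project_id = GCP_PROJECT_ID` in `test_compute_no_instances` as the other three files already do.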


@@ -0,0 +1,145 @@
from re import search
from unittest import mock
GCP_PROJECT_ID = "123456789012"
class Test_compute_default_service_account_in_use_with_full_api_access:
def test_compute_no_instances(self):
compute_client = mock.MagicMock
compute_client.instances = []
with mock.patch(
"prowler.providers.gcp.services.compute.compute_default_service_account_in_use_with_full_api_access.compute_default_service_account_in_use_with_full_api_access.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_default_service_account_in_use_with_full_api_access.compute_default_service_account_in_use_with_full_api_access import (
compute_default_service_account_in_use_with_full_api_access,
)
check = compute_default_service_account_in_use_with_full_api_access()
result = check.execute()
assert len(result) == 0
def test_one_compliant_instance(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={},
shielded_enabled_vtpm=True,
shielded_enabled_integrity_monitoring=True,
service_accounts=[
{"email": "123-compute@developer.gserviceaccount.com", "scopes": []}
],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_default_service_account_in_use_with_full_api_access.compute_default_service_account_in_use_with_full_api_access.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_default_service_account_in_use_with_full_api_access.compute_default_service_account_in_use_with_full_api_access import (
compute_default_service_account_in_use_with_full_api_access,
)
check = compute_default_service_account_in_use_with_full_api_access()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert search(
f"The VM Instance {instance.name} is not configured to use the default service account with full access to all cloud APIs ",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
def test_one_compliant_instance_gke(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="gke-test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={},
shielded_enabled_vtpm=True,
shielded_enabled_integrity_monitoring=True,
service_accounts=[
{
"email": f"{GCP_PROJECT_ID}-compute@developer.gserviceaccount.com",
"scopes": ["https://www.googleapis.com/auth/cloud-platform"],
}
],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_default_service_account_in_use_with_full_api_access.compute_default_service_account_in_use_with_full_api_access.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_default_service_account_in_use_with_full_api_access.compute_default_service_account_in_use_with_full_api_access import (
compute_default_service_account_in_use_with_full_api_access,
)
check = compute_default_service_account_in_use_with_full_api_access()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert search(
f"The VM Instance {instance.name} is not configured to use the default service account with full access to all cloud APIs ",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
def test_instance_with_default_service_account(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={},
shielded_enabled_vtpm=True,
shielded_enabled_integrity_monitoring=True,
service_accounts=[
{
"email": f"{GCP_PROJECT_ID}-compute@developer.gserviceaccount.com",
"scopes": ["https://www.googleapis.com/auth/cloud-platform"],
}
],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_default_service_account_in_use_with_full_api_access.compute_default_service_account_in_use_with_full_api_access.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_default_service_account_in_use_with_full_api_access.compute_default_service_account_in_use_with_full_api_access import (
compute_default_service_account_in_use_with_full_api_access,
)
check = compute_default_service_account_in_use_with_full_api_access()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert search(
f"The VM Instance {instance.name} is configured to use the default service account with full access to all cloud APIs ",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
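Review bot: The PASS side of the scope comparison is never exercised: the two compliant cases are a non-default service account with `scopes: []` and a `gke-` named instance, so an instance that uses the default service account with a restricted scope list would only be covered by the FAIL path's negation. Add a fourth case that copies `test_instance_with_default_service_account`, replaces the scope list with one that is not `https://www.googleapis.com/auth/cloud-platform` (e.g. `"scopes": ["https://www.googleapis.com/auth/devstorage.read_only"]`), and asserts `result[0].status == "PASS"`. The asserted messages end in a trailing space (`...cloud APIs `), which presumably mirrors the check's status_extended string — worth confirming that is intentional rather than a typo carried into the regex.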


@@ -0,0 +1,208 @@
from re import search
from unittest import mock
GCP_PROJECT_ID = "123456789012"
class Test_compute_serial_ports_in_use:
def test_compute_no_instances(self):
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = []
with mock.patch(
"prowler.providers.gcp.services.compute.compute_serial_ports_in_use.compute_serial_ports_in_use.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_serial_ports_in_use.compute_serial_ports_in_use import (
compute_serial_ports_in_use,
)
check = compute_serial_ports_in_use()
result = check.execute()
assert len(result) == 0
def test_one_compliant_instance_without_metadata(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={},
shielded_enabled_vtpm=True,
shielded_enabled_integrity_monitoring=True,
service_accounts=[],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_serial_ports_in_use.compute_serial_ports_in_use.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_serial_ports_in_use.compute_serial_ports_in_use import (
compute_serial_ports_in_use,
)
check = compute_serial_ports_in_use()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert search(
f"VM Instance {instance.name} have Enable Connecting to Serial Ports off",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
def test_one_compliant_instance_with_0(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={"items": [{"key": "serial-port-enabled", "value": "0"}]},
shielded_enabled_vtpm=True,
shielded_enabled_integrity_monitoring=True,
service_accounts=[],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_serial_ports_in_use.compute_serial_ports_in_use.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_serial_ports_in_use.compute_serial_ports_in_use import (
compute_serial_ports_in_use,
)
check = compute_serial_ports_in_use()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert search(
f"VM Instance {instance.name} have Enable Connecting to Serial Ports off",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
def test_one_compliant_instance_with_false(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={"items": [{"key": "serial-port-enabled", "value": "false"}]},
shielded_enabled_vtpm=True,
shielded_enabled_integrity_monitoring=True,
service_accounts=[],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_serial_ports_in_use.compute_serial_ports_in_use.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_serial_ports_in_use.compute_serial_ports_in_use import (
compute_serial_ports_in_use,
)
check = compute_serial_ports_in_use()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert search(
f"VM Instance {instance.name} have Enable Connecting to Serial Ports off",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
def test_one_instance_with_serial_ports_enable_1(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={"items": [{"key": "serial-port-enable", "value": "1"}]},
shielded_enabled_vtpm=True,
shielded_enabled_integrity_monitoring=True,
service_accounts=[],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_serial_ports_in_use.compute_serial_ports_in_use.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_serial_ports_in_use.compute_serial_ports_in_use import (
compute_serial_ports_in_use,
)
check = compute_serial_ports_in_use()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert search(
f"VM Instance {instance.name} have Enable Connecting to Serial Ports set to on",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
def test_one_instance_with_serial_ports_enable_true(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={"items": [{"key": "serial-port-enable", "value": "true"}]},
shielded_enabled_vtpm=True,
shielded_enabled_integrity_monitoring=True,
service_accounts=[],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_serial_ports_in_use.compute_serial_ports_in_use.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_serial_ports_in_use.compute_serial_ports_in_use import (
compute_serial_ports_in_use,
)
check = compute_serial_ports_in_use()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert search(
f"VM Instance {instance.name} have Enable Connecting to Serial Ports set to on",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
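Review bot: The two "compliant" metadata cases use the key `serial-port-enabled` (lines `test_one_compliant_instance_with_0` and `test_one_compliant_instance_with_false`), while the FAIL cases use `serial-port-enable`, which is the key GCP actually reads and the one the check presumably matches on. As written, the compliant cases pass only because the key is unrecognised, so the "value is 0/false" branch is never tested and a regression that treats any present key as enabled would go unnoticed. Change both to the real key: `metadata={"items": [{"key": "serial-port-enable", "value": "0"}]}` and `metadata={"items": [{"key": "serial-port-enable", "value": "false"}]}`; a case with a different key (e.g. `enable-oslogin`) would then be a separate, deliberate "unrelated metadata" test.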


@@ -0,0 +1,134 @@
from re import search
from unittest import mock
GCP_PROJECT_ID = "123456789012"
class Test_compute_shielded_vm_enabled:
def test_compute_no_instances(self):
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = []
with mock.patch(
"prowler.providers.gcp.services.compute.compute_shielded_vm_enabled.compute_shielded_vm_enabled.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_shielded_vm_enabled.compute_shielded_vm_enabled import (
compute_shielded_vm_enabled,
)
check = compute_shielded_vm_enabled()
result = check.execute()
assert len(result) == 0
def test_one_compliant_instance(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={},
shielded_enabled_vtpm=True,
shielded_enabled_integrity_monitoring=True,
service_accounts=[],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_shielded_vm_enabled.compute_shielded_vm_enabled.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_shielded_vm_enabled.compute_shielded_vm_enabled import (
compute_shielded_vm_enabled,
)
check = compute_shielded_vm_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert search(
f"VM Instance {instance.name} have vTPM or Integrity Monitoring set to on",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
def test_one_instance_with_shielded_vtpm_disabled(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={},
shielded_enabled_vtpm=False,
shielded_enabled_integrity_monitoring=True,
service_accounts=[],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_shielded_vm_enabled.compute_shielded_vm_enabled.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_shielded_vm_enabled.compute_shielded_vm_enabled import (
compute_shielded_vm_enabled,
)
check = compute_shielded_vm_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert search(
f"VM Instance {instance.name} don't have vTPM and Integrity Monitoring set to on",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
def test_one_instance_with_shielded_integrity_monitoring_disabled(self):
from prowler.providers.gcp.services.compute.compute_service import Instance
instance = Instance(
name="test",
id="1234567890",
zone="us-central1-a",
public_ip=True,
metadata={},
shielded_enabled_vtpm=True,
shielded_enabled_integrity_monitoring=False,
service_accounts=[],
)
compute_client = mock.MagicMock
compute_client.project_id = GCP_PROJECT_ID
compute_client.instances = [instance]
with mock.patch(
"prowler.providers.gcp.services.compute.compute_shielded_vm_enabled.compute_shielded_vm_enabled.compute_client",
new=compute_client,
):
from prowler.providers.gcp.services.compute.compute_shielded_vm_enabled.compute_shielded_vm_enabled import (
compute_shielded_vm_enabled,
)
check = compute_shielded_vm_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert search(
f"VM Instance {instance.name} don't have vTPM and Integrity Monitoring set to on",
result[0].status_extended,
)
assert result[0].resource_id == instance.id
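Review bot: The case where both `shielded_enabled_vtpm` and `shielded_enabled_integrity_monitoring` are `False` is not covered, so the test cannot distinguish a check that fails on "either disabled" from one that fails only on "exactly one disabled". Add a fourth FAIL case built from `test_one_instance_with_shielded_vtpm_disabled` with `shielded_enabled_vtpm=False` and `shielded_enabled_integrity_monitoring=False`, asserting the same `don't have vTPM and Integrity Monitoring set to on` message. The PASS assertion matches `vTPM or Integrity Monitoring set to on` while the FAIL one matches `vTPM and Integrity Monitoring`; both strings come from the check module outside this hunk, but the "or" in the PASS message reads as if one of the two suffices, which is worth aligning with the check's actual condition. This test class appears to end at this line, with its remaining lines of the hunk count presumably being blank lines dropped in rendering.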