feat(azure): add new check related with Public IPs in Shodan.io (#3433)

Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
This commit is contained in:
Pedro Martín
2024-02-27 13:33:38 +01:00
committed by GitHub
parent ab14efa329
commit bd05aaa4f9
63 changed files with 315 additions and 98 deletions


@@ -527,7 +527,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
# Azure Constants # Azure Constants
AZURE_SUBSCRIPTION = str(uuid4()) from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION


@@ -41,6 +41,7 @@ The following list includes all the Azure checks with configurable variables tha
| Check Name | Value | Type | | Check Name | Value | Type |
|---------------------------------------------------------------|--------------------------------------------------|-----------------| |---------------------------------------------------------------|--------------------------------------------------|-----------------|
| `network_public_ip_shodan` | `shodan_api_key` | String |
| `app_ensure_php_version_is_latest` | `php_latest_version` | String | | `app_ensure_php_version_is_latest` | `php_latest_version` | String |
| `app_ensure_python_version_is_latest` | `python_latest_version` | String | | `app_ensure_python_version_is_latest` | `python_latest_version` | String |
| `app_ensure_java_version_is_latest` | `java_latest_version` | String | | `app_ensure_java_version_is_latest` | `java_latest_version` | String |
@@ -136,6 +137,9 @@ aws:
# Azure Configuration # Azure Configuration
azure: azure:
# Azure Network Configuration
# azure.network_public_ip_shodan
shodan_api_key: null
# Azure App Configuration # Azure App Configuration
# azure.app_ensure_php_version_is_latest # azure.app_ensure_php_version_is_latest


@@ -50,6 +50,7 @@ Several checks analyse resources that are exposed to the Internet, these are:
- sagemaker_notebook_instance_without_direct_internet_access_configured - sagemaker_notebook_instance_without_direct_internet_access_configured
- sns_topics_not_publicly_accessible - sns_topics_not_publicly_accessible
- sqs_queues_not_publicly_accessible - sqs_queues_not_publicly_accessible
- network_public_ip_shodan
... ...
@@ -64,5 +65,9 @@ prowler <provider> --categories internet-exposed
Prowler allows you check if any elastic ip in your AWS Account is exposed in Shodan with `-N`/`--shodan <shodan_api_key>` option: Prowler allows you check if any elastic ip in your AWS Account is exposed in Shodan with `-N`/`--shodan <shodan_api_key>` option:
```console ```console
prowler aws --shodan <shodan_api_key> -c ec2_elastic_ip_shodan prowler aws -N/--shodan <shodan_api_key> -c ec2_elastic_ip_shodan
```
Also, you can check if any of your Azure Subscription has an public IP exposed in shodan:
```console
prowler azure -N/--shodan <shodan_api_key> -c network_public_ip_shodan
``` ```


@@ -89,6 +89,9 @@ aws:
# Azure Configuration # Azure Configuration
azure: azure:
# Azure Network Configuration
# azure.network_public_ip_shodan
shodan_api_key: null
# Azure App Service # Azure App Service
# azure.app_ensure_php_version_is_latest # azure.app_ensure_php_version_is_latest


@@ -52,6 +52,17 @@ def init_parser(self):
type=validate_azure_region, type=validate_azure_region,
help="Azure region from `az cloud list --output table`, by default AzureCloud", help="Azure region from `az cloud list --output table`, by default AzureCloud",
) )
# 3rd Party Integrations
azure_3rd_party_subparser = azure_parser.add_argument_group(
"3rd Party Integrations"
)
azure_3rd_party_subparser.add_argument(
"-N",
"--shodan",
nargs="?",
default=None,
help="Shodan API key used by check network_public_ip_shodan.",
)
def validate_azure_region(region): def validate_azure_region(region):
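Review bot: `nargs="?"` on `--shodan` combined with `default=None` and no `const` means a bare `-N` parses to `None`, so a forgotten value is not a usage error but surfaces later as the check's "No Shodan API Key" log line; unless the bare form is meant to do something, drop `nargs="?"` so argparse rejects a missing value. Since the same key can also be supplied through `shodan_api_key` in the config file (added elsewhere in this commit), the help text could say so, which also gives users a way to keep the key out of shell history and process listings: `help="Shodan API key used by check network_public_ip_shodan (can also be set as shodan_api_key in the config file).",`. `init_parser` starts outside the hunk.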


@@ -0,0 +1,32 @@
{
"Provider": "azure",
"CheckID": "network_public_ip_shodan",
"CheckTitle": "Check if an Azure Public IP is exposed in Shodan (requires Shodan API KEY).",
"CheckType": [],
"ServiceName": "network",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Network",
"Description": "Check if an Azure Public IP is exposed in Shodan (requires Shodan API KEY).",
"Risk": "If an Azure Public IP is exposed in Shodan, it can be accessed by anyone on the internet. This can lead to unauthorized access to your resources.",
"RelatedUrl": "",
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
},
"Recommendation": {
"Text": "Check Identified IPs; Consider changing them to private ones and delete them from Shodan.",
"Url": "https://www.shodan.io/"
}
},
"Categories": [
"internet-exposed"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
}
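Review bot: The Recommendation text tells users to "delete them from Shodan", which is not an action a subscription owner can take — a Shodan entry only reflects services that answered an Internet-wide scan, and it ages out once nothing responds. Wording that points at the actual remediation would be more useful, e.g. `"Text": "Review the identified public IPs and the services listening on them; remove or restrict public exposure (NSG rules, private endpoints, private IPs) where it is not required."`. `RelatedUrl` is left empty while `Recommendation.Url` is set; either fill it or leave a note on why it is intentionally blank.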


@@ -0,0 +1,40 @@
import shodan
from prowler.lib.check.models import Check, Check_Report_Azure
from prowler.lib.logger import logger
from prowler.providers.azure.services.network.network_client import network_client
class network_public_ip_shodan(Check):
def execute(self):
findings = []
shodan_api_key = network_client.audit_config.get("shodan_api_key")
if shodan_api_key:
api = shodan.Shodan(shodan_api_key)
for subscription, public_ips in network_client.public_ip_addresses.items():
for ip in public_ips:
report = Check_Report_Azure(self.metadata())
report.subscription = subscription
report.resource_name = ip.name
report.resource_id = ip.id
try:
shodan_info = api.host(ip.ip_address)
report.status = "FAIL"
report.status_extended = f"Public IP {ip.ip_address} listed in Shodan with open ports {str(shodan_info['ports'])} and ISP {shodan_info['isp']} in {shodan_info['country_name']}. More info at https://www.shodan.io/host/{ip.ip_address}."
findings.append(report)
except shodan.APIError as error:
if "No information available for that IP" in error.value:
report.status = "PASS"
report.status_extended = (
f"Public IP {ip.ip_address} is not listed in Shodan."
)
findings.append(report)
continue
else:
logger.error(f"Unknown Shodan API Error: {error.value}")
else:
logger.error(
"ERROR: No Shodan API Key -- Please input a Shodan API Key with -N/--shodan or in config.yaml"
)
return findings
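Review bot: `api.host(ip.ip_address)` is called without checking that the address is set; a dynamically allocated Azure public IP that is not attached to anything has, as far as I recall, no `ip_address` yet, so the lookup would be made with `None` and surface as an opaque API error. Only `shodan.APIError` is caught, so a network or timeout failure on one lookup aborts the whole check with no findings, and an unrecognised `APIError` logs once and records nothing for that IP. I would skip addressless IPs up front and add a catch-all per IP in the same shape the network service uses, so one bad lookup does not lose the rest of the subscription. Minor: the `continue` after `findings.append(report)` is redundant, `str()` inside the f-string is unnecessary, and the `ERROR:` prefix duplicates the logger level.
```python
            for ip in public_ips:
                # Unattached dynamic public IPs have no address to look up yet
                if not ip.ip_address:
                    continue
                report = Check_Report_Azure(self.metadata())
                # … unchanged: subscription / resource_name / resource_id …
                try:
                    shodan_info = api.host(ip.ip_address)
                    # … unchanged: FAIL report and append …
                except shodan.APIError as error:
                    if "No information available for that IP" in error.value:
                        report.status = "PASS"
                        report.status_extended = f"Public IP {ip.ip_address} is not listed in Shodan."
                        findings.append(report)
                    else:
                        logger.error(f"Unknown Shodan API Error for {ip.ip_address}: {error.value}")
                except Exception as error:
                    logger.error(
                        f"Subscription name: {subscription} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
                    )
```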


@@ -13,6 +13,7 @@ class Network(AzureService):
self.security_groups = self.__get_security_groups__() self.security_groups = self.__get_security_groups__()
self.bastion_hosts = self.__get_bastion_hosts__() self.bastion_hosts = self.__get_bastion_hosts__()
self.network_watchers = self.__get_network_watchers__() self.network_watchers = self.__get_network_watchers__()
self.public_ip_addresses = self.__get_public_ip_addresses__()
def __get_security_groups__(self): def __get_security_groups__(self):
logger.info("Network - Getting Network Security Groups...") logger.info("Network - Getting Network Security Groups...")
@@ -92,6 +93,29 @@ class Network(AzureService):
) )
return bastion_hosts return bastion_hosts
def __get_public_ip_addresses__(self):
logger.info("Network - Getting Public IP Addresses...")
public_ip_addresses = {}
for subscription, client in self.clients.items():
try:
public_ip_addresses.update({subscription: []})
public_ip_addresses_list = client.public_ip_addresses.list_all()
for public_ip_address in public_ip_addresses_list:
public_ip_addresses[subscription].append(
PublicIp(
id=public_ip_address.id,
name=public_ip_address.name,
location=public_ip_address.location,
ip_address=public_ip_address.ip_address,
)
)
except Exception as error:
logger.error(
f"Subscription name: {subscription} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
)
return public_ip_addresses
@dataclass @dataclass
class BastionHost: class BastionHost:
@@ -114,3 +138,11 @@ class SecurityGroup:
name: str name: str
location: str location: str
security_rules: list security_rules: list
@dataclass
class PublicIp:
id: str
name: str
location: str
ip_address: str
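Review bot: `PublicIp.ip_address` is annotated `str`, but the value copied from the SDK object in `__get_public_ip_addresses__` is, as far as I recall, optional on Azure public IPs that are not currently allocated, so `ip_address: str | None` would describe what consumers actually receive and prompt them to guard the lookup. In the same method `public_ip_addresses.update({subscription: []})` is a roundabout `public_ip_addresses[subscription] = []`; the other collectors in the class are outside the hunk, so I cannot tell which form they use — match them. The `Network` class continues outside the hunk.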


@@ -78,6 +78,12 @@ class Azure_Output_Options(Provider_Output_Options):
# First call Provider_Output_Options init # First call Provider_Output_Options init
super().__init__(arguments, allowlist_file, bulk_checks_metadata) super().__init__(arguments, allowlist_file, bulk_checks_metadata)
# Confire Shodan API
if arguments.shodan:
audit_info = change_config_var(
"shodan_api_key", arguments.shodan, audit_info
)
# Check if custom output filename was input, if not, set the default # Check if custom output filename was input, if not, set the default
if ( if (
not hasattr(arguments, "output_filename") not hasattr(arguments, "output_filename")
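Review bot: The comment `# Confire Shodan API` has a typo and does not say what the block does; `# -N/--shodan on the CLI takes precedence over shodan_api_key in the config file` would (the precedence is inferred from the `change_config_var` name and should be confirmed). The truthiness test also means an empty string passed on the CLI is silently ignored, which is probably intended. The enclosing `__init__` begins and ends outside the hunk.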


@@ -51,6 +51,8 @@ config_aws = {
"organizations_trusted_delegated_administrators": [], "organizations_trusted_delegated_administrators": [],
} }
config_azure = {"shodan_api_key": None}
class Test_Config: class Test_Config:
def test_get_aws_available_regions(self): def test_get_aws_available_regions(self):
@@ -184,7 +186,7 @@ class Test_Config:
config_test_file = f"{path}/fixtures/config.yaml" config_test_file = f"{path}/fixtures/config.yaml"
provider = "azure" provider = "azure"
assert load_and_validate_config_file(provider, config_test_file) is None assert load_and_validate_config_file(provider, config_test_file) == config_azure
def test_load_and_validate_config_file_old_format(self): def test_load_and_validate_config_file_old_format(self):
path = pathlib.Path(os.path.dirname(os.path.realpath(__file__))) path = pathlib.Path(os.path.dirname(os.path.realpath(__file__)))


@@ -56,6 +56,9 @@ aws:
# Azure Configuration # Azure Configuration
azure: azure:
# Azure Network Configuration
# azure.network_public_ip_shodan
shodan_api_key: null
# GCP Configuration # GCP Configuration
gcp: gcp:


@@ -122,6 +122,7 @@ class Test_Parser:
assert not parsed.sp_env_auth assert not parsed.sp_env_auth
assert not parsed.browser_auth assert not parsed.browser_auth
assert not parsed.managed_identity_auth assert not parsed.managed_identity_auth
assert not parsed.shodan
def test_default_parser_no_arguments_gcp(self): def test_default_parser_no_arguments_gcp(self):
provider = "gcp" provider = "gcp"
@@ -1052,6 +1053,20 @@ class Test_Parser:
assert parsed.provider == "azure" assert parsed.provider == "azure"
assert parsed.az_cli_auth assert parsed.az_cli_auth
def test_azure_parser_shodan_short(self):
argument = "-N"
shodan_api_key = str(uuid.uuid4())
command = [prowler_command, "azure", argument, shodan_api_key]
parsed = self.parser.parse(command)
assert parsed.shodan == shodan_api_key
def test_azure_parser_shodan_long(self):
argument = "--shodan"
shodan_api_key = str(uuid.uuid4())
command = [prowler_command, "azure", argument, shodan_api_key]
parsed = self.parser.parse(command)
assert parsed.shodan == shodan_api_key
def test_parser_azure_auth_managed_identity(self): def test_parser_azure_auth_managed_identity(self):
argument = "--managed-identity-auth" argument = "--managed-identity-auth"
command = [prowler_command, "azure", argument] command = [prowler_command, "azure", argument]
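Review bot: The two new tests cover `-N <key>` and `--shodan <key>` but not the bare `-N` form that `nargs="?"` on the argument deliberately permits, so the parser's behaviour in that case (currently `parsed.shodan is None`) is unpinned and could change unnoticed. Add a third case along the lines of `command = [prowler_command, "azure", "-N"]` asserting whatever the intended result is. `Test_Parser` continues outside the hunk.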


@@ -2,8 +2,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
from prowler.providers.azure.services.cosmosdb.cosmosdb_service import Account from prowler.providers.azure.services.cosmosdb.cosmosdb_service import Account
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_cosmosdb_account_firewall_use_selected_networks: class Test_cosmosdb_account_firewall_use_selected_networks:


@@ -2,8 +2,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
from prowler.providers.azure.services.cosmosdb.cosmosdb_service import Account from prowler.providers.azure.services.cosmosdb.cosmosdb_service import Account
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_cosmosdb_account_use_aad_and_rbac: class Test_cosmosdb_account_use_aad_and_rbac:


@@ -4,8 +4,7 @@ from uuid import uuid4
from azure.mgmt.cosmosdb.models import PrivateEndpointConnection from azure.mgmt.cosmosdb.models import PrivateEndpointConnection
from prowler.providers.azure.services.cosmosdb.cosmosdb_service import Account from prowler.providers.azure.services.cosmosdb.cosmosdb_service import Account
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_cosmosdb_account_use_private_endpoints: class Test_cosmosdb_account_use_private_endpoints:


@@ -2,8 +2,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Pricing from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_defender_ensure_defender_for_app_services_is_on: class Test_defender_ensure_defender_for_app_services_is_on:


@@ -2,8 +2,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Pricing from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_defender_ensure_defender_for_arm_is_on: class Test_defender_ensure_defender_for_arm_is_on:


@@ -2,8 +2,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Pricing from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_defender_ensure_defender_for_azure_sql_databases_is_on: class Test_defender_ensure_defender_for_azure_sql_databases_is_on:


@@ -2,8 +2,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Pricing from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_defender_ensure_defender_for_containers_is_on: class Test_defender_ensure_defender_for_containers_is_on:


@@ -2,8 +2,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Pricing from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_defender_ensure_defender_for_cosmosdb_is_on: class Test_defender_ensure_defender_for_cosmosdb_is_on:


@@ -2,8 +2,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Pricing from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_defender_ensure_defender_for_databases_is_on: class Test_defender_ensure_defender_for_databases_is_on:


@@ -2,8 +2,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Pricing from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_defender_ensure_defender_for_dns_is_on: class Test_defender_ensure_defender_for_dns_is_on:


@@ -2,8 +2,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Pricing from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_defender_ensure_defender_for_keyvault_is_on: class Test_defender_ensure_defender_for_keyvault_is_on:


@@ -2,8 +2,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Pricing from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_defender_ensure_defender_for_os_relational_databases_is_on: class Test_defender_ensure_defender_for_os_relational_databases_is_on:


@@ -2,8 +2,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Pricing from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_defender_ensure_defender_for_server_is_on: class Test_defender_ensure_defender_for_server_is_on:


@@ -2,8 +2,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Pricing from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_defender_ensure_defender_for_sql_servers_is_on: class Test_defender_ensure_defender_for_sql_servers_is_on:


@@ -2,8 +2,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Pricing from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_defender_ensure_defender_for_storage_is_on: class Test_defender_ensure_defender_for_storage_is_on:


@@ -2,8 +2,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
from prowler.providers.azure.services.network.network_service import BastionHost from prowler.providers.azure.services.network.network_service import BastionHost
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_network_bastion_host_exists: class Test_network_bastion_host_exists:


@@ -4,8 +4,7 @@ from uuid import uuid4
from azure.mgmt.network.models._models import FlowLog, RetentionPolicyParameters from azure.mgmt.network.models._models import FlowLog, RetentionPolicyParameters
from prowler.providers.azure.services.network.network_service import NetworkWatcher from prowler.providers.azure.services.network.network_service import NetworkWatcher
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_network_flow_log_more_than_90_days: class Test_network_flow_log_more_than_90_days:


@@ -4,8 +4,7 @@ from uuid import uuid4
from azure.mgmt.network.models._models import SecurityRule from azure.mgmt.network.models._models import SecurityRule
from prowler.providers.azure.services.network.network_service import SecurityGroup from prowler.providers.azure.services.network.network_service import SecurityGroup
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_network_http_internet_access_restricted: class Test_network_http_internet_access_restricted:


@@ -0,0 +1,78 @@
from unittest import mock
from prowler.providers.azure.services.network.network_service import PublicIp
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
class Test_network_public_ip_shodan:
def test_no_public_ip_addresses(self):
network_client = mock.MagicMock
network_client.public_ip_addresses = {}
network_client.audit_info = mock.MagicMock
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
):
from prowler.providers.azure.services.network.network_public_ip_shodan.network_public_ip_shodan import (
network_public_ip_shodan,
)
network_client.audit_config = {"shodan_api_key": "api_key"}
check = network_public_ip_shodan()
result = check.execute()
assert len(result) == 0
def test_network_ip_in_shodan(self):
network_client = mock.MagicMock
public_ip_id = "id"
public_ip_name = "name"
ip_address = "ip_address"
shodan_info = {
"ports": [80, 443],
"isp": "Microsoft Corporation",
"country_name": "country_name",
}
network_client.audit_info = mock.MagicMock
network_client.public_ip_addresses = {
AZURE_SUBSCRIPTION: [
PublicIp(
id=public_ip_id,
name=public_ip_name,
location=None,
ip_address=ip_address,
)
]
}
with mock.patch(
"prowler.providers.azure.services.network.network_service.Network",
new=network_client,
) as service_client, mock.patch(
"prowler.providers.azure.services.network.network_client.network_client",
new=service_client,
), mock.patch(
"prowler.providers.azure.services.network.network_public_ip_shodan.network_public_ip_shodan.shodan.Shodan.host",
return_value=shodan_info,
):
from prowler.providers.azure.services.network.network_public_ip_shodan.network_public_ip_shodan import (
network_public_ip_shodan,
)
network_client.audit_config = {"shodan_api_key": "api_key"}
check = network_public_ip_shodan()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Public IP {ip_address} listed in Shodan with open ports {str(shodan_info['ports'])} and ISP {shodan_info['isp']} in {shodan_info['country_name']}. More info at https://www.shodan.io/host/{ip_address}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].resource_name == public_ip_name
assert result[0].resource_id == public_ip_id
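Review bot: Only the FAIL branch of the check is exercised; there is no test for the PASS path, which depends on the exact substring "No information available for that IP" in the error value, nor for the missing-API-key path that should return no findings. A third test patching `shodan.Shodan.host` with `side_effect=shodan.APIError("No information available for that IP")` and asserting `result[0].status == "PASS"` would pin the string the check relies on. `network_client.audit_info` is assigned in both tests but the check only reads `audit_config`, so it appears to be dead setup, and `mock.MagicMock` is used as a class rather than an instance — presumably mirroring the sibling check tests, which I cannot see here.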


@@ -4,8 +4,7 @@ from uuid import uuid4
from azure.mgmt.network.models._models import SecurityRule from azure.mgmt.network.models._models import SecurityRule
from prowler.providers.azure.services.network.network_service import SecurityGroup from prowler.providers.azure.services.network.network_service import SecurityGroup
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_network_rdp_internet_access_restricted: class Test_network_rdp_internet_access_restricted:


@@ -6,6 +6,7 @@ from prowler.providers.azure.services.network.network_service import (
BastionHost, BastionHost,
Network, Network,
NetworkWatcher, NetworkWatcher,
PublicIp,
SecurityGroup, SecurityGroup,
) )
from tests.providers.azure.azure_fixtures import ( from tests.providers.azure.azure_fixtures import (
@@ -52,6 +53,19 @@ def mock_network_get_network_watchers(_):
} }
def mock_network_get_public_ip_addresses(_):
return {
AZURE_SUBSCRIPTION: [
PublicIp(
id="id",
name="name",
location="location",
ip_address="ip_address",
)
]
}
@patch( @patch(
"prowler.providers.azure.services.network.network_service.Network.__get_security_groups__", "prowler.providers.azure.services.network.network_service.Network.__get_security_groups__",
new=mock_network_get_security_groups, new=mock_network_get_security_groups,
@@ -64,6 +78,10 @@ def mock_network_get_network_watchers(_):
"prowler.providers.azure.services.network.network_service.Network.__get_network_watchers__", "prowler.providers.azure.services.network.network_service.Network.__get_network_watchers__",
new=mock_network_get_network_watchers, new=mock_network_get_network_watchers,
) )
@patch(
"prowler.providers.azure.services.network.network_service.Network.__get_public_ip_addresses__",
new=mock_network_get_public_ip_addresses,
)
class Test_Network_Service: class Test_Network_Service:
def test__get_client__(self): def test__get_client__(self):
network = Network(set_mocked_azure_audit_info()) network = Network(set_mocked_azure_audit_info())
@@ -127,3 +145,17 @@ class Test_Network_Service:
assert network.bastion_hosts[AZURE_SUBSCRIPTION][0].id == "id" assert network.bastion_hosts[AZURE_SUBSCRIPTION][0].id == "id"
assert network.bastion_hosts[AZURE_SUBSCRIPTION][0].name == "name" assert network.bastion_hosts[AZURE_SUBSCRIPTION][0].name == "name"
assert network.bastion_hosts[AZURE_SUBSCRIPTION][0].location == "location" assert network.bastion_hosts[AZURE_SUBSCRIPTION][0].location == "location"
def __get_public_ip_addresses__(self):
network = Network(set_mocked_azure_audit_info())
assert (
network.public_ip_addresses[AZURE_SUBSCRIPTION][0].__class__.__name__
== "PublicIp"
)
assert network.public_ip_addresses[AZURE_SUBSCRIPTION][0].id == "id"
assert network.public_ip_addresses[AZURE_SUBSCRIPTION][0].name == "name"
assert network.public_ip_addresses[AZURE_SUBSCRIPTION][0].location == "location"
assert (
network.public_ip_addresses[AZURE_SUBSCRIPTION][0].ip_address
== "ip_address"
)
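Review bot: The new test method is named `__get_public_ip_addresses__`, which does not start with `test`, so pytest never collects it and the assertions on `network.public_ip_addresses` never run. Rename it to `def test__get_public_ip_addresses__(self):` to match the other `test__get_*__` methods in `Test_Network_Service`. The class continues outside the hunk.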


@@ -4,8 +4,7 @@ from uuid import uuid4
from azure.mgmt.network.models._models import SecurityRule from azure.mgmt.network.models._models import SecurityRule
from prowler.providers.azure.services.network.network_service import SecurityGroup from prowler.providers.azure.services.network.network_service import SecurityGroup
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_network_ssh_internet_access_restricted: class Test_network_ssh_internet_access_restricted:


@@ -4,8 +4,7 @@ from uuid import uuid4
from azure.mgmt.network.models._models import SecurityRule from azure.mgmt.network.models._models import SecurityRule
from prowler.providers.azure.services.network.network_service import SecurityGroup from prowler.providers.azure.services.network.network_service import SecurityGroup
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_network_udp_internet_access_restricted: class Test_network_udp_internet_access_restricted:


@@ -1,9 +1,7 @@
from unittest import mock from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.network.network_service import NetworkWatcher from prowler.providers.azure.services.network.network_service import NetworkWatcher
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_network_watcher_enabled: class Test_network_watcher_enabled:


@@ -5,8 +5,7 @@ from prowler.providers.azure.services.postgresql.postgresql_service import (
Firewall, Firewall,
Server, Server,
) )
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_postgresql_flexible_server_allow_access_services_disabled: class Test_postgresql_flexible_server_allow_access_services_disabled:


@@ -2,8 +2,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
from prowler.providers.azure.services.postgresql.postgresql_service import Server from prowler.providers.azure.services.postgresql.postgresql_service import Server
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_postgresql_flexible_server_connection_throttling_on: class Test_postgresql_flexible_server_connection_throttling_on:


@@ -2,8 +2,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
from prowler.providers.azure.services.postgresql.postgresql_service import Server from prowler.providers.azure.services.postgresql.postgresql_service import Server
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_postgresql_flexible_server_enforce_ssl_enabled: class Test_postgresql_flexible_server_enforce_ssl_enabled:


@@ -2,8 +2,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
from prowler.providers.azure.services.postgresql.postgresql_service import Server from prowler.providers.azure.services.postgresql.postgresql_service import Server
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_postgresql_flexible_server_log_checkpoints_on: class Test_postgresql_flexible_server_log_checkpoints_on:


@@ -2,8 +2,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
from prowler.providers.azure.services.postgresql.postgresql_service import Server from prowler.providers.azure.services.postgresql.postgresql_service import Server
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_postgresql_flexible_server_log_connections_on: class Test_postgresql_flexible_server_log_connections_on:


@@ -2,8 +2,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
from prowler.providers.azure.services.postgresql.postgresql_service import Server from prowler.providers.azure.services.postgresql.postgresql_service import Server
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_postgresql_flexible_server_log_disconnections_on: class Test_postgresql_flexible_server_log_disconnections_on:


@@ -2,8 +2,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
from prowler.providers.azure.services.postgresql.postgresql_service import Server from prowler.providers.azure.services.postgresql.postgresql_service import Server
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_postgresql_flexible_server_log_retention_days_greater_3: class Test_postgresql_flexible_server_log_retention_days_greater_3:


@@ -4,8 +4,7 @@ from uuid import uuid4
from azure.mgmt.sql.models import ServerExternalAdministrator from azure.mgmt.sql.models import ServerExternalAdministrator
from prowler.providers.azure.services.sqlserver.sqlserver_service import Server from prowler.providers.azure.services.sqlserver.sqlserver_service import Server
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_sqlserver_azuread_administrator_enabled: class Test_sqlserver_azuread_administrator_enabled:


@@ -4,8 +4,7 @@ from uuid import uuid4
from azure.mgmt.sql.models import ServerSecurityAlertPolicy from azure.mgmt.sql.models import ServerSecurityAlertPolicy
from prowler.providers.azure.services.sqlserver.sqlserver_service import Server from prowler.providers.azure.services.sqlserver.sqlserver_service import Server
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_sqlserver_microsoft_defender_enabled: class Test_sqlserver_microsoft_defender_enabled:


@@ -7,8 +7,7 @@ from prowler.providers.azure.services.sqlserver.sqlserver_service import (
Database, Database,
Server, Server,
) )
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_sqlserver_tde_encrypted_with_cmk: class Test_sqlserver_tde_encrypted_with_cmk:


@@ -7,8 +7,7 @@ from prowler.providers.azure.services.sqlserver.sqlserver_service import (
Database, Database,
Server, Server,
) )
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_sqlserver_tde_encryption_enabled: class Test_sqlserver_tde_encryption_enabled:


@@ -4,8 +4,7 @@ from uuid import uuid4
from azure.mgmt.sql.models import FirewallRule from azure.mgmt.sql.models import FirewallRule
from prowler.providers.azure.services.sqlserver.sqlserver_service import Server from prowler.providers.azure.services.sqlserver.sqlserver_service import Server
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_sqlserver_unrestricted_inbound_access: class Test_sqlserver_unrestricted_inbound_access:

View File

@@ -7,8 +7,7 @@ from azure.mgmt.sql.models import (
) )
from prowler.providers.azure.services.sqlserver.sqlserver_service import Server from prowler.providers.azure.services.sqlserver.sqlserver_service import Server
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_sqlserver_va_emails_notifications_admins_enabled: class Test_sqlserver_va_emails_notifications_admins_enabled:


@@ -7,8 +7,7 @@ from azure.mgmt.sql.models import (
) )
from prowler.providers.azure.services.sqlserver.sqlserver_service import Server from prowler.providers.azure.services.sqlserver.sqlserver_service import Server
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_sqlserver_va_periodic_recurring_scans_enabled: class Test_sqlserver_va_periodic_recurring_scans_enabled:


@@ -7,8 +7,7 @@ from azure.mgmt.sql.models import (
) )
from prowler.providers.azure.services.sqlserver.sqlserver_service import Server from prowler.providers.azure.services.sqlserver.sqlserver_service import Server
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_sqlserver_va_scan_reports_configured: class Test_sqlserver_va_scan_reports_configured:


@@ -11,8 +11,7 @@ from prowler.providers.azure.services.sqlserver.sqlserver_service import (
Database, Database,
Server, Server,
) )
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_sqlserver_vulnerability_assessment_enabled: class Test_sqlserver_vulnerability_assessment_enabled:


@@ -2,8 +2,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
from prowler.providers.azure.services.storage.storage_service import Account from prowler.providers.azure.services.storage.storage_service import Account
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_storage_blob_public_access_level_is_disabled: class Test_storage_blob_public_access_level_is_disabled:


@@ -4,8 +4,7 @@ from uuid import uuid4
from azure.mgmt.storage.v2022_09_01.models import NetworkRuleSet from azure.mgmt.storage.v2022_09_01.models import NetworkRuleSet
from prowler.providers.azure.services.storage.storage_service import Account from prowler.providers.azure.services.storage.storage_service import Account
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_storage_default_network_access_rule_is_denied: class Test_storage_default_network_access_rule_is_denied:


@@ -4,8 +4,7 @@ from uuid import uuid4
from azure.mgmt.storage.v2022_09_01.models import NetworkRuleSet from azure.mgmt.storage.v2022_09_01.models import NetworkRuleSet
from prowler.providers.azure.services.storage.storage_service import Account from prowler.providers.azure.services.storage.storage_service import Account
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_storage_ensure_azure_services_are_trusted_to_access_is_enabled: class Test_storage_ensure_azure_services_are_trusted_to_access_is_enabled:


@@ -2,8 +2,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
from prowler.providers.azure.services.storage.storage_service import Account from prowler.providers.azure.services.storage.storage_service import Account
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_storage_ensure_encryption_with_customer_managed_keys: class Test_storage_ensure_encryption_with_customer_managed_keys:


@@ -2,8 +2,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
from prowler.providers.azure.services.storage.storage_service import Account from prowler.providers.azure.services.storage.storage_service import Account
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_storage_ensure_minimum_tls_version_12: class Test_storage_ensure_minimum_tls_version_12:


@@ -4,8 +4,7 @@ from uuid import uuid4
from azure.mgmt.storage.v2023_01_01.models import PrivateEndpointConnection from azure.mgmt.storage.v2023_01_01.models import PrivateEndpointConnection
from prowler.providers.azure.services.storage.storage_service import Account from prowler.providers.azure.services.storage.storage_service import Account
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_storage_ensure_private_endpoints_in_storage_accounts: class Test_storage_ensure_private_endpoints_in_storage_accounts:


@@ -7,8 +7,7 @@ from prowler.providers.azure.services.storage.storage_service import (
Account, Account,
BlobProperties, BlobProperties,
) )
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_storage_ensure_soft_delete_is_enabled: class Test_storage_ensure_soft_delete_is_enabled:


@@ -2,8 +2,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
from prowler.providers.azure.services.storage.storage_service import Account from prowler.providers.azure.services.storage.storage_service import Account
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_storage_infrastructure_encryption_is_enabled: class Test_storage_infrastructure_encryption_is_enabled:


@@ -2,8 +2,7 @@ from unittest import mock
from uuid import uuid4 from uuid import uuid4
from prowler.providers.azure.services.storage.storage_service import Account from prowler.providers.azure.services.storage.storage_service import Account
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
AZURE_SUBSCRIPTION = str(uuid4())
class Test_storage_secure_transfer_required_is_enabled: class Test_storage_secure_transfer_required_is_enabled:


@@ -201,6 +201,7 @@ class Test_Common_Output_Options:
arguments.verbose = True arguments.verbose = True
arguments.only_logs = False arguments.only_logs = False
arguments.unix_timestamp = False arguments.unix_timestamp = False
arguments.shodan = "test-api-key"
# Mock Azure Audit Info # Mock Azure Audit Info
audit_info = self.set_mocked_azure_audit_info() audit_info = self.set_mocked_azure_audit_info()
@@ -241,6 +242,7 @@ class Test_Common_Output_Options:
arguments.verbose = True arguments.verbose = True
arguments.only_logs = False arguments.only_logs = False
arguments.unix_timestamp = False arguments.unix_timestamp = False
arguments.shodan = "test-api-key"
# Mock Azure Audit Info # Mock Azure Audit Info
audit_info = self.set_mocked_azure_audit_info() audit_info = self.set_mocked_azure_audit_info()
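Review bot: Neither hunk asserts what becomes of `arguments.shodan`; the placeholder `"test-api-key"` is assigned and the test then builds `self.set_mocked_azure_audit_info()` without reference to it, so a regression that drops the key on its way into the Azure audit configuration would not be caught by these tests. If the production path stores it under the `shodan_api_key` configuration key documented for `network_public_ip_shodan`, add an assertion along the lines of `assert audit_info.audit_config["shodan_api_key"] == "test-api-key"` once the audit info is built from `arguments` (the exact attribute is not visible in this hunk, so confirm against the code that consumes it). The same literal is repeated in both hunks; a module-level constant such as `SHODAN_TEST_API_KEY = "test-api-key"` would make the intent explicit and keep the two tests in sync, while also making it obvious to a reader that this is a dummy value and not a real credential. Both test methods continue past the end of their hunks.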