From 0694722827eca57cc62d6d201eda802945ad950d Mon Sep 17 00:00:00 2001
From: Preslav
Date: Wed, 7 Aug 2024 13:25:38 +0300
Subject: [PATCH] =?UTF-8?q?=F0=9F=A7=B9=20Check=20the=20pricing=20tier=20f?=
 =?UTF-8?q?or=20the=20Servers=20plan=20when=20verifying=20if=20Azure's=20D?=
 =?UTF-8?q?efender=20for=20Servers=20is=20enabled.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Preslav
---
 providers/azure/resources/cloud_defender.go | 24 +++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/providers/azure/resources/cloud_defender.go b/providers/azure/resources/cloud_defender.go
index f2b50eefba..64a47bcbf9 100644
--- a/providers/azure/resources/cloud_defender.go
+++ b/providers/azure/resources/cloud_defender.go
@@ -24,12 +24,13 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity"
 	security "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity"
 )
 
 const (
-	vaQualysPolicyDefinitionId string = "/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b"
-
+	vaQualysPolicyDefinitionId           string = "/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b"
+	defenderForServersPolicyDefinitionId string = "/providers/Microsoft.Authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d"
 	// There are two policy per component: one for ARC clusters and one for k8s clusters
 	arcClusterDefenderExtensionDefinitionId        string = "/providers/Microsoft.Authorization/policyDefinitions/708b60a6-d253-4fe0-9114-4be4c00f012c"
 	kubernetesClusterDefenderExtensionDefinitionId string = "/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5"
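Review bot: The import block now pulls in the same package twice, `armsecurity` unaliased on the added line and `security` as the existing alias on the line right below it; Go compiles this, but staticcheck flags it (ST1019) and a reader will take them for two different packages. Drop the added import line and use the existing alias at the call site in the next hunk, `clientFactory, err := security.NewClientFactory(subId, token, nil)`. The `-`/`+` pair for `vaQualysPolicyDefinitionId` appears to be a gofmt re-alignment caused by removing the blank line, which is fine, but the diff would be smaller if the new constant were added below the existing comment block instead.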
@@ -71,6 +72,15 @@ func (a *mqlAzureSubscriptionCloudDefenderService) defenderForServers() (interfa
 	if err != nil {
 		return nil, err
 	}
+	clientFactory, err := armsecurity.NewClientFactory(subId, token, nil)
+	if err != nil {
+		return nil, err
+	}
+	vmPricing, err := clientFactory.NewPricingsClient().Get(ctx, fmt.Sprintf("subscriptions/%s", subId), "VirtualMachines", &security.PricingsClientGetOptions{})
+	if err != nil {
+		return nil, err
+	}
+
 	ep := cloud.AzurePublic.Services[cloud.ResourceManager].Endpoint
 	list, err := getPolicyAssignments(ctx, subId, ep, rawToken.Token)
 	if err != nil {
@@ -87,7 +97,16 @@ func (a *mqlAzureSubscriptionCloudDefenderService) defenderForServers() (interfa
 	}
 
 	resp := defenderForServers{}
+	if vmPricing.Properties.PricingTier != nil {
+		// According to the CIS implementation of checking if the defender for servers is on, we need to check if the pricing tier is standard
+		// https://learn.microsoft.com/en-us/rest/api/defenderforcloud/pricings/list?view=rest-defenderforcloud-2024-01-01&tabs=HTTP#pricingtier
+		resp.Enabled = *vmPricing.Properties.PricingTier == security.PricingTierStandard
+	}
+
 	for _, it := range list.PolicyAssignments {
+		if it.Properties.PolicyDefinitionID == defenderForServersPolicyDefinitionId {
+			resp.Enabled = true
+		}
 		if it.Properties.PolicyDefinitionID == vaQualysPolicyDefinitionId {
 			resp.Enabled = true
 			resp.VulnerabilityManagementToolName = "Microsoft Defender for Cloud integrated Qualys scanner"
@@ -136,6 +155,7 @@ func (a *mqlAzureSubscriptionCloudDefenderService) defenderForContainers() (inte
 	if err != nil {
 		return nil, err
 	}
+
 	ep := cloud.AzurePublic.Services[cloud.ResourceManager].Endpoint
 	pas, err := getPolicyAssignments(ctx, subId, ep, rawToken.Token)
 	if err != nil {
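Review bot: The added pricings `Get` makes the whole `defenderForServers` resource fail with `nil, err` whenever the scanning principal cannot read `Microsoft.Security/pricings`, a permission the resource did not need before since it only listed policy assignments; an authorization error now hides the policy-based result that previously worked. Consider reporting that case distinctly rather than as a generic error, and at minimum document the new requirement above the call, e.g. `// Requires Microsoft.Security/pricings/read on the subscription; a denied read fails the whole resource.` The options argument can simply be `nil` instead of `&security.PricingsClientGetOptions{}`. The import hunk starts at the Azure SDK lines, so I cannot see whether `fmt` is already imported in this file; the enclosing function starts and ends outside this hunk.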
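Review bot: The new guard checks only `vmPricing.Properties.PricingTier` for nil, but in the armsecurity SDK `Pricing.Properties` is itself a pointer, so a response with no properties body would panic on the dereference instead of reporting the plan as disabled; change the condition to `if vmPricing.Properties != nil && vmPricing.Properties.PricingTier != nil {`. Separately, the loop below still sets `resp.Enabled = true` on a matching `defenderForServersPolicyDefinitionId` assignment, so a subscription on the Free tier with that policy assigned is reported as enabled, which appears to undercut the stricter tier check this commit introduces. If the pricing tier is meant to be authoritative, as the cited CIS guidance in the comment suggests, the assignment match should probably not override a non-Standard tier, or the two signals should be reported as separate fields. The enclosing function ends outside the hunk.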