TestCases/SubscriptionSecurity/SSProvisioning/SSProvisioningTest.ps1

# Strict mode: referencing an uninitialised variable or a non-existent property raises an error instead of silently yielding $null.
Set-StrictMode -Version Latest 
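# Functional tests for the AzSK subscription provisioning cmdlets used in this file:
# Set-AzSKAlerts / Remove-AzSKAlerts and Set-AzSKARMPolicies / Remove-AzSKARMPolicies.
# The tests create and delete real alert rules and policy assignments in the subscription
# named by the test settings, so they belong on a dedicated test subscription.
class SSProvisioningTest:AzSKTestBase{
    [string]$AlertsRGName = "AzSKRG" #This is the standard name used by AzSK for Alerts RG.

    # Forwards the test case and settings to the AzSKTestBase constructor.
    SSProvisioningTest([TestCase] $testcase, [TestSettings] $testsettings):Base($testcase, $testsettings){

    }

    # Runs the test method whose name matches the TestMethod field of the test case.
    [void] Execute(){

        switch ($this.testcase.TestMethod.Trim()){
            "TestSetAzSKAlerts"{
                $this.TestSetAzSKAlerts()
                break
            }
            "TestRemoveAzSKAlertsJustOne"{
                $this.TestRemoveAzSKAlertsJustOne()
                break
            }
            "TestRemoveAzSKAlerts"{
                $this.TestRemoveAzSKAlerts()
                break
            }
            "TestSetAzSKARMPolicies"{
                $this.TestSetAzSKARMPolicies()
                break
            }
            "TestRemoveAzSKARMPolicies"{
                $this.TestRemoveAzSKARMPolicies()
                break
            }
            Default {
                # NOTE(review): an unrecognised TestMethod falls through here and no result is
                # recorded by this class, so a typo in the test definition goes unnoticed unless
                # the caller treats a missing result as a failure - confirm against the harness.
            }
        }
    }

    # Clears any existing AzSK alerts, runs Set-AzSKAlerts, then scans the subscription and
    # expects control Azure_Subscription_Audit_Configure_Critical_Alerts to report Passed.
    # Returns the recorded TestCaseResult; any exception is reported as a Failed result.
    [TestCaseResult] TestSetAzSKAlerts(){
        try{
            if($this.SetAzSKAlertTestPrerequisite([AlertPrerequisites]::RemoveAlerts))
            {
                Set-AzSKAlerts -SubscriptionId $this.settings.SubscriptionId -SecurityContactEmails $this.settings.SecurityPOCEmail -DoNotOpenOutputFolder
                #Expected control status for id Azure_Subscription_Audit_Configure_Critical_Alerts should be Passed
                $this.testcaseResult = $this.GetControlIdStatus("Azure_Subscription_Audit_Configure_Critical_Alerts",[TestStatus]::Passed)
            }
            else
            {
                $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Unable to set prerequisite for test case.")
            }
        }
        catch{
            $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Error while setting AzSK Alerts.")
        }
        return $this.testcaseResult
    }

    # Makes sure alerts exist, removes the single alert named in the settings (AlertName) and
    # passes when that alert can no longer be found in the alerts resource group.
    [TestCaseResult] TestRemoveAzSKAlertsJustOne(){
        try{
            #Validate if alerts are present on subscriptions
            if($this.SetAzSKAlertTestPrerequisite([AlertPrerequisites]::SetAlerts))
            {
                Remove-AzSKAlerts -SubscriptionId $this.settings.SubscriptionId -AlertNames $this.settings.AlertName
                # Look up only the alert that was just removed. The lookup previously contained the
                # command twice on one line, which fails parameter binding (-ResourceType given
                # twice) and sent every run into the catch block below.
                $alertResource = Get-AzureRmResource -ResourceType "Microsoft.Insights/activityLogAlerts" -ResourceGroupName $this.AlertsRGName -ResourceName $this.settings.AlertName -ErrorAction Ignore
                # NOTE(review): only the absence of the named alert is verified. The test would also
                # pass if Remove-AzSKAlerts had deleted every alert; consider asserting that the
                # remaining alerts are still present.
                if($null -eq $alertResource)
                {
                    $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Passed,"Successfully removed only one alert.")
                }
                else{
                    $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Remove-AzSKAlerts with alertName must remove just that alert.")
                }
            }
            else
            {
                $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Unable to set prerequisite for test case.")
            }
        }
        catch{
            $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Error while removing desired AzSK Alert.")
        }

        return $this.testcaseResult
    }

    # Makes sure alerts exist, removes all alerts tagged "Mandatory" and passes when no
    # activity log alert is left in the alerts resource group.
    [TestCaseResult] TestRemoveAzSKAlerts(){

        try
        {
            #Set prerequisite by setting alerts
            if($this.SetAzSKAlertTestPrerequisite([AlertPrerequisites]::SetAlerts))
            {
                # -DoNotOpenOutputFolder matches the same call in SetAzSKAlertTestPrerequisite and
                # keeps the run unattended.
                Remove-AzSKAlerts -SubscriptionId $this.settings.SubscriptionId -Tags "Mandatory" -DoNotOpenOutputFolder
                $alertResource = $this.GetAzSKAlertsList()
                if($null -eq $alertResource)
                {
                    $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Passed,"Successfully removed allalert.")
                }
                else{
                    $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Remove-AzSKAlerts not removed all alerts.")
                }
            }
            else
            {
                $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Unable to set prerequisite for test case.")
            }
        }
        catch
        {
            $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Error while removing AzSK Alerts.")
        }
        return $this.testcaseResult
    }

    # Scans the subscription for one control and compares the reported status with the
    # expected one.
    #   $ControlId      - control id passed to the scan and looked up in the report.
    #   $expectedStatus - status the control must report for the check to pass.
    # Returns a Passed result on a match, otherwise a Failed result (also when the scan did
    # not produce a SecurityReport* file).
    [TestCaseResult] GetControlIdStatus([string] $ControlId,[TestStatus] $expectedStatus)
    {
        $testcaseResult = $null
        $subScanPath = Get-AzSKSubscriptionSecurityStatus -SubscriptionId $this.settings.SubscriptionId -ControlIds $ControlId  -DoNotOpenOutputFolder
        $securityReportFile = (Get-ChildItem $subScanPath  -Recurse -Include "SecurityReport*") | Select-Object -First 1
        # Test the object itself: under strict mode, reading .FullName on $null raises an error
        # and the "report not exported" branch below would never be reached.
        if($null -ne $securityReportFile)
        {
            # Filter on the requested control id; the filter used to be hard-coded to
            # Azure_Subscription_Audit_Configure_Critical_Alerts regardless of $ControlId.
            $controlRow = Get-Content $securityReportFile.FullName | ConvertFrom-Csv | Where-Object ControlID -EQ $ControlId | Select-Object Status
            if($null -ne $controlRow -and  $controlRow.Status -eq $expectedStatus)
            {
                $testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Passed,"Successfully verified expected status '$expectedStatus' for control id $ControlId")
            }
            else{
                $testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Not able to verify expected status '$expectedStatus' for control id $ControlId")
            }
        }
        else
        {
            $testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Not able to verify status as get scan not exported report")
        }
        return $testcaseResult
    }

    # Brings the subscription into the state an alert test needs.
    #   RemoveAlerts - no AzSK alerts may exist; existing ones are removed first.
    #   SetAlerts    - AzSK alerts must exist; they are created when none are found.
    # Returns $true when the requested state was reached, otherwise $false.
    [bool] SetAzSKAlertTestPrerequisite([AlertPrerequisites] $alertPreq)
    {
        $IsPrerequisiteSet = $false
        $alertsRG = Get-AzureRmResourceGroup -Name $this.AlertsRGName -ErrorAction Ignore
        $existingalerts= $null
        if($alertsRG)
        {
            $existingalerts = $this.GetAzSKAlertsList()
        }

        switch($alertPreq)
        {
            "RemoveAlerts"
                {
                    #Validate if AzSK alerts are already present and remove alerts if exists
                    if(($existingalerts | Measure-Object).Count -ne 0)
                    {
                        Remove-AzSKAlerts -SubscriptionId $this.settings.SubscriptionId -Tags 'Mandatory' -DoNotOpenOutputFolder
                        #Validate if all alerts are removed
                        $alerttlist = $this.GetAzSKAlertsList()
                        # Compare the count, not the Measure-Object result object, with 0.
                        if($null -eq $alerttlist -or ($alerttlist | Measure-Object).Count -eq 0)
                        {
                            return $true
                        }
                    }
                    else
                    {
                        return $true
                    }
                }
            "SetAlerts"
                {
                    if(($existingalerts | Measure-Object).Count -eq 0)
                    {
                        Set-AzSKAlerts -SubscriptionId $this.settings.SubscriptionId -SecurityContactEmails $this.settings.SecurityPOCEmail -DoNotOpenOutputFolder
                        #Validate if all alerts are set
                        if(($null -ne $this.GetAzSKAlertsList()) )
                        {
                            return $true
                        }
                    }
                    else
                    {
                        return $true
                    }
                }
            }
        return $IsPrerequisiteSet
    }

    # Returns the activity log alerts found in the AzSK alerts resource group; lookup errors
    # are ignored, so the result is $null when nothing is found.
    [PSObject] GetAzSKAlertsList()
    {
        return Get-AzureRmResource -ResourceType "Microsoft.Insights/activityLogAlerts" -ResourceGroupName $this.AlertsRGName  -ErrorAction Ignore
    }

    # Removes existing mandatory AzSK ARM policies (best effort), runs Set-AzSKARMPolicies and
    # passes when at least six policy assignments are present afterwards.
    [TestCaseResult[]] TestSetAzSKARMPolicies(){
        try{
            # NOTE(review): Get-AzureRmPolicyAssignment is called without a filter, so assignments
            # that were not created by AzSK count towards the threshold below and can make this
            # test pass without Set-AzSKARMPolicies having done anything.
            $ExistingPolicy = [array](Get-AzureRmPolicyAssignment)
            if(($ExistingPolicy| Measure-Object).Count -ne 0)
            {
                try{
                    Remove-AzSKARMPolicies -SubscriptionId $this.settings.SubscriptionId -Tags 'Mandatory'
                }
                catch
                {
                    # Setup stays best effort, but the failure is surfaced instead of being dropped.
                    Write-Warning "Error while removing ARM policies: $($_.Exception.Message)"
                }
            }
            Set-AzSKARMPolicies -SubscriptionId $this.settings.SubscriptionId
            $tstPol = [array](Get-AzureRmPolicyAssignment)

            if(($tstPol| Measure-Object).Count -ge 6){
                $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Passed,"Successfully set the AzSK ARM policy.")
            }
            else{
                $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Failed to set the AzSK ARM policy.")
            }

        }
        catch{
            $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Error while setting AzSK ARM policy.")
        }

        return $this.testcaseResult
    }

    # Sets the AzSK ARM policies when no assignment exists (best effort), runs
    # Remove-AzSKARMPolicies for the "Mandatory" tag and passes when no policy assignment is
    # left afterwards.
    [TestCaseResult[]] TestRemoveAzSKARMPolicies(){
        try{
            # NOTE(review): the final check requires zero policy assignments of any origin, so an
            # assignment that AzSK does not manage makes this test fail.
            $ExistingPolicy = [array](Get-AzureRmPolicyAssignment)
            if(($ExistingPolicy| Measure-Object).Count -eq 0)
            {
                try{
                    Set-AzSKARMPolicies -SubscriptionId $this.settings.SubscriptionId
                }
                catch
                {
                    # Setup stays best effort, but the failure is surfaced instead of being dropped.
                    Write-Warning "Error while setting ARM policies: $($_.Exception.Message)"
                }
            }
            Remove-AzSKARMPolicies -SubscriptionId $this.settings.SubscriptionId -Tags 'Mandatory'

            $tstPol = [array](Get-AzureRmPolicyAssignment)

            if(($tstPol| Measure-Object).Count -eq 0){
                $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Passed,"Successfully removed the AzSK ARM policy.")
            }
            else{
                $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Failed to remove the AzSK ARM policy.")
            }
        }
        catch{
            $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Error while removing AzSK ARM policy.")
        }

        return $this.testcaseResult
    }
}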

# Subscription state an alert test asks SetAzSKAlertTestPrerequisite to establish.
enum AlertPrerequisites
{
    # AzSK alerts must be present before the test runs.
    SetAlerts
    # AzSK alerts must be absent before the test runs.
    RemoveAlerts
}