aquasecurity · alphadev4 · May 20, 2024 · May 19, 2024 · May 19, 2024 · May 20, 2024
diff --git a/exports.js b/exports.js
@@ -1091,6 +1091,7 @@ module.exports = {
         'eventHubMinimumTLSversion'     : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'),
         'eventHubPublicAccess'          : require(__dirname + '/plugins/azure/eventhub/eventHubPublicAccess.js'),
         'eventHubNamespaceCmkEncrypted' : require(__dirname + '/plugins/azure/eventhub/eventHubNamespaceCmkEncrypted.js'),
+        'eventHubDiagnosticLogs'        : require(__dirname + '/plugins/azure/eventhub/eventHubDiagnosticLogs.js'),
 
         'accessLogsEnabled'             : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'),
         'frontDoorMinimumTlsVersion'    : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'),

diff --git a/helpers/azure/api.js b/helpers/azure/api.js
@@ -1235,6 +1235,11 @@ var tertiarycalls = {
             reliesOnPath: 'eventGrid.listDomains',
             properties: ['id'],
             url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview'
+        },
+        listByEventHubs:{
+            reliesOnPath: 'eventHub.listEventHub',
+            properties: ['id'],
+            url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview'
         }
     },
     backupShortTermRetentionPolicies: {

diff --git a/plugins/azure/eventhub/eventHubDiagnosticLogs.js b/plugins/azure/eventhub/eventHubDiagnosticLogs.js
@@ -0,0 +1,64 @@
+var async = require('async');
+const helpers = require('../../../helpers/azure');
+
+module.exports = {
+    title: 'Event Hubs Namespace Diagnostic Logs',
+    category: 'Event Hubs',
+    domain: 'Content Delivery',
+    severity: 'Medium',
+    description: 'Ensures that Event Hubs namespace has diagnostic logs enabled.',
+    more_info: 'Enabling diagnostics logs for Event Hubs namespace helps to gain insights into the service operation and troubleshoot performance issues. This helps identifying security threats and recreate activity trails to use for investigation purposes.',
+    recommended_action: 'Enable diagnostic logs for all the Event Hubs namespaces.',
+    link: 'https://learn.microsoft.com/en-us/azure/event-hubs/monitor-event-hubs',
+    apis: ['eventHub:listEventHub','diagnosticSettings:listByEventHubs'],
+    realtime_triggers: ['microsofteventhub:namespaces:write', 'microsofteventhub:namespaces:delete','microsoftinsights:diagnosticsettings:write','microsoftinsights:diagnosticsettings:delete'],
+
+    run: function(cache, settings, callback) {
+        var results = [];
+        var source = {};
+        var locations = helpers.locations(settings.govcloud);
+
+        async.each(locations.eventHub, function(location, rcb) {
+            var eventHubs = helpers.addSource(cache, source,
+                ['eventHub', 'listEventHub', location]);
+
+            if (!eventHubs) return rcb();
+
+            if (eventHubs.err || !eventHubs.data) {
+                helpers.addResult(results, 3,
+                    'Unable to query for Event Hubs namespaces: ' + helpers.addError(eventHubs), location);
+                return rcb();
+            }
+
+            if (!eventHubs.data.length) {
+                helpers.addResult(results, 0, 'No Event Hubs namespaces found', location);
+                return rcb();
+            }
+
+            for (let eventHub of eventHubs.data){
+                if (!eventHub.id) continue;
+
+                const diagnosticSettings = helpers.addSource(cache, source,
+                    ['diagnosticSettings', 'listByEventHubs', location, eventHub.id]);
+
+                if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) {
+                    helpers.addResult(results, 3, `Unable to query for Event Hubs namespace diagnostic settings: ${helpers.addError(diagnosticSettings)}`,
+                        location, eventHub.id);
+                    continue;
+                }
+
+                var found = diagnosticSettings.data.find(ds => ds.logs && ds.logs.length);
+
+                if (found) {
+                    helpers.addResult(results, 0, 'Event Hubs namespace has diagnostic logs enabled', location, eventHub.id);
+                } else {
+                    helpers.addResult(results, 2, 'Event Hubs namespace does not have diagnostic logs enabled', location, eventHub.id);
+                }    
+            }
+
+            rcb();
+        }, function() {
+            callback(null, results, source);
+        });
+    }
+};
diff --git a/plugins/azure/eventhub/eventHubDiagnosticLogs.spec.js b/plugins/azure/eventhub/eventHubDiagnosticLogs.spec.js
@@ -0,0 +1,139 @@
+var expect = require('chai').expect;
+var eventHubDiagnosticLogs = require('./eventHubDiagnosticLogs.js');
+
+const eventHub = [
+    {
+        "kind": "v12.0",
+        "location": "eastus",
+        "tags": {},
+        "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.EventHub/namespaces/testHub'",
+        "name": "testHub",
+        "type": 'Microsoft.EventHub/Namespaces',
+        "location": 'East US',
+        "tags": {},
+        "minimumTlsVersion": '1.2',
+        "publicNetworkAccess": 'Enabled',
+        "disableLocalAuth": true,
+        "zoneRedundant": true,
+        "isAutoInflateEnabled": false,
+        "maximumThroughputUnits": 0,
+        "kafkaEnabled": false
+    },
+];
+
+const diagnosticSettings = [
+    {
+
+        "id": "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.eventHub/domains/domain/providers/microsoft.insights/diagnosticSettings/testlogs",
+        "type": "Microsoft.Insights/diagnosticSettings",
+        "name": "testlogs",
+        "location": null,
+        "kind": null,
+        "tags": null,
+        "storageAccountId": null,
+        "logs": [
+            {
+                "category": "runTime",
+                "categoryGroup": null,
+                "enabled": true,
+            }
+        ],
+        "logAnalyticsDestinationType": null,
+
+        "identity": null
+    }
+
+];
+
+const createCache = (eventHub, ds) => {
+    const id = eventHub && eventHub.length ? eventHub[0].id : null;
+    return {
+        eventHub: {
+            listEventHub: {
+                'eastus': {
+                    data: eventHub
+                }
+            }
+        },
+        diagnosticSettings: {
+            listByEventHubs: {
+                'eastus': {
+                    [id]: {
+                        data: ds
+                    }
+                }
+            }
+
+        },
+    };
+};
+
+const createErrorCache = () => {
+    return {
+        eventHub: {
+            listEventHub: {
+                'eastus': {}
+            }
+        }
+    };
+};
+
+describe('eventHubDiagnosticLogs', function () {
+    describe('run', function () {
+
+        it('should give unknown result if unable to query for Event Hubs namespaces:', function (done) {
+            const cache = createCache(null);
+            eventHubDiagnosticLogs.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].message).to.include('Unable to query for Event Hubs namespaces:');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give passing result if No Event Hubs namespaces found', function (done) {
+            const cache = createCache([]);
+            eventHubDiagnosticLogs.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('No Event Hubs namespaces found');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give unknown result if unable to query for diagnostic settings', function(done) {
+            const cache = createCache([eventHub[0]], null);
+            eventHubDiagnosticLogs.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].message).to.include('Unable to query for Event Hubs namespace diagnostic settings:');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give passing result if Event Hubs namespace has diagnostic logs enabled', function (done) {
+            const cache = createCache([eventHub[0]], [diagnosticSettings[0]]);
+            eventHubDiagnosticLogs.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('Event Hubs namespace has diagnostic logs enabled');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give failing result if Event Hubs namespace does not have diagnostic logs enabled', function (done) {
+            const cache = createCache([eventHub[0]],[[]]);
+            eventHubDiagnosticLogs.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].message).to.include('Event Hubs namespace does not have diagnostic logs enabled');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+    });
+});