Merge pull request #330 from aquasecurity/SLK-99903

Fix runtime-policies port detection control drift (bug) and malware forensic collection (missing)

Author: semyonmor

aquasec/data_container_runtime_policy.go

@@ -229,6 +229,11 @@ func dataContainerRuntimePolicy() *schema.Resource {
 							},
 							Computed: true,
 						},
+						"file_forensic_collection": {
+							Type:        schema.TypeBool,
+							Description: "Whether to enable file forensic collection.",
+							Computed:    true,
+						},
 					},
 				},
 			},

aquasec/data_host_runtime_policy.go

@@ -515,6 +515,11 @@ func dataHostRuntimePolicy() *schema.Resource {
 							},
 							Optional: true,
 						},
+						"file_forensic_collection": {
+							Type:        schema.TypeBool,
+							Description: "Whether to enable file forensic collection.",
+							Computed:    true,
+						},
 					},
 				},
 				Optional: true,

aquasec/resource_container_runtime_policy.go

@@ -435,7 +435,6 @@ func resourceContainerRuntimePolicy() *schema.Resource {
 				Type:        schema.TypeBool,
 				Description: "",
 				Optional:    true,
-				Default:     true,
 			}, //bool
 			"enable_crypto_mining_dns": {
 				Type:        schema.TypeBool,
@@ -1982,11 +1981,12 @@ func expandContainerRuntimePolicy(d *schema.ResourceData) *client.RuntimePolicy
 		v := malwareScanOptionsMap.([]interface{})[0].(map[string]interface{})
 
 		crp.MalwareScanOptions = client.MalwareScanOptions{
-			Enabled:            v["enabled"].(bool),
-			Action:             v["action"].(string),
-			ExcludeDirectories: convertStringArrNull(v["exclude_directories"].([]interface{})),
-			ExcludeProcesses:   convertStringArrNull(v["exclude_processes"].([]interface{})),
-			IncludeDirectories: convertStringArrNull(v["include_directories"].([]interface{})),
+			Enabled:                v["enabled"].(bool),
+			Action:                 v["action"].(string),
+			ExcludeDirectories:     convertStringArrNull(v["exclude_directories"].([]interface{})),
+			ExcludeProcesses:       convertStringArrNull(v["exclude_processes"].([]interface{})),
+			IncludeDirectories:     convertStringArrNull(v["include_directories"].([]interface{})),
+			FileForensicCollection: v["file_forensic_collection"].(bool),
 		}
 	}
 

aquasec/resource_container_runtime_policy_test.go

@@ -178,26 +178,26 @@ func TestResourceAquasecComplexContainerRuntimePolicyCreate(t *testing.T) {
 func TestResourceAquasecFullContainerRuntimePolicyCreate(t *testing.T) {
 	t.Parallel()
 	var fullRuntimePolicy = client.RuntimePolicy{
-		Name:                    acctest.RandomWithPrefix("test-full-container-runtime-policy"),
-		Description:             "This is a test description of full container runtime policy",
-		RuntimeType:             "container",
-		RuntimeMode:             0,
-		Enabled:                 true,
-		Enforce:                 false,
-		EnforceAfterDays:        0,
-		IsAutoGenerated:         false,
-		IsOOTBPolicy:            false,
-		BlockFilelessExec:       true,
+		Name:                       acctest.RandomWithPrefix("test-full-container-runtime-policy"),
+		Description:                "This is a test description of full container runtime policy",
+		RuntimeType:                "container",
+		RuntimeMode:                0,
+		Enabled:                    true,
+		Enforce:                    false,
+		EnforceAfterDays:           0,
+		IsAutoGenerated:            false,
+		IsOOTBPolicy:               false,
+		BlockFilelessExec:          true,
 		BlockNonCompliantWorkloads: true,
-		BlockNonK8sContainers:   true,
-		EnableForkGuard:         true,
-		ForkGuardProcessLimit:   0,
-		EnableIPReputation:      true,
-		EnableCryptoMiningDns:   true,
-		EnablePortScanProtection: true,
-		OnlyRegisteredImages:    true,
-		BlockDisallowedImages:   true,
-		NoNewPrivileges:         false,
+		BlockNonK8sContainers:      true,
+		EnableForkGuard:            true,
+		ForkGuardProcessLimit:      0,
+		EnableIPReputation:         true,
+		EnableCryptoMiningDns:      true,
+		EnablePortScanProtection:   true,
+		OnlyRegisteredImages:       true,
+		BlockDisallowedImages:      true,
+		NoNewPrivileges:            false,
 	}
 
 	rootRef := containerRuntimePolicyRef("full")
@@ -221,19 +221,19 @@ func TestResourceAquasecFullContainerRuntimePolicyCreate(t *testing.T) {
 					resource.TestCheckResourceAttr(rootRef, "enforce", fmt.Sprintf("%v", fullRuntimePolicy.Enforce)),
 					resource.TestCheckResourceAttr(rootRef, "enforce_after_days", fmt.Sprintf("%v", fullRuntimePolicy.EnforceAfterDays)),
 					resource.TestCheckResourceAttr(rootRef, "is_ootb_policy", fmt.Sprintf("%v", fullRuntimePolicy.IsOOTBPolicy)),
-					
+
 					// Container Exec
 					resource.TestCheckResourceAttr(rootRef, "container_exec.0.enabled", "true"),
 					resource.TestCheckResourceAttr(rootRef, "container_exec.0.block_container_exec", "true"),
 					resource.TestCheckResourceAttr(rootRef, "container_exec.0.container_exec_proc_white_list.#", "3"),
 					resource.TestCheckResourceAttr(rootRef, "container_exec.0.reverse_shell_ip_white_list.#", "0"),
-					
+
 					// Reverse Shell
 					resource.TestCheckResourceAttr(rootRef, "reverse_shell.0.enabled", "true"),
 					resource.TestCheckResourceAttr(rootRef, "reverse_shell.0.block_reverse_shell", "true"),
 					resource.TestCheckResourceAttr(rootRef, "reverse_shell.0.reverse_shell_ip_white_list.#", "0"),
 					resource.TestCheckResourceAttr(rootRef, "reverse_shell.0.reverse_shell_proc_white_list.#", "0"),
-					
+
 					// Block settings
 					resource.TestCheckResourceAttr(rootRef, "block_fileless_exec", "true"),
 					resource.TestCheckResourceAttr(rootRef, "block_non_compliant_workloads", "true"),
@@ -244,30 +244,30 @@ func TestResourceAquasecFullContainerRuntimePolicyCreate(t *testing.T) {
 					resource.TestCheckResourceAttr(rootRef, "blocked_packages.#", "2"),
 					resource.TestCheckResourceAttr(rootRef, "blocked_packages.0", "netcat"),
 					resource.TestCheckResourceAttr(rootRef, "blocked_packages.1", "telnet"),
-					
+
 					// Executable Blacklist
 					resource.TestCheckResourceAttr(rootRef, "executable_blacklist.0.enabled", "true"),
 					resource.TestCheckResourceAttr(rootRef, "executable_blacklist.0.executables.#", "0"),
-					
+
 					// Allowed Executables
 					resource.TestCheckResourceAttr(rootRef, "allowed_executables.0.enabled", "true"),
 					resource.TestCheckResourceAttr(rootRef, "allowed_executables.0.allow_executables.#", "2"),
 					resource.TestCheckResourceAttr(rootRef, "allowed_executables.0.allow_root_executables.#", "2"),
-					
+
 					// Allowed Registries
 					resource.TestCheckResourceAttr(rootRef, "allowed_registries.0.allowed_registries.#", "1"),
 					resource.TestCheckResourceAttr(rootRef, "allowed_registries.0.allowed_registries.0", "Docker Hub"),
 					resource.TestCheckResourceAttr(rootRef, "allowed_registries.0.enabled", "true"),
-					
+
 					// Drift Prevention
 					resource.TestCheckResourceAttr(rootRef, "drift_prevention.0.enabled", "true"),
 					resource.TestCheckResourceAttr(rootRef, "drift_prevention.0.exec_lockdown", "true"),
 					resource.TestCheckResourceAttr(rootRef, "drift_prevention.0.image_lockdown", "false"),
 					resource.TestCheckResourceAttr(rootRef, "drift_prevention.0.exec_lockdown_white_list.#", "2"),
-					
+
 					// Limit Container Privileges
 					resource.TestCheckResourceAttr(rootRef, "limit_container_privileges.0.enabled", "true"),
-					
+
 					// File Block
 					resource.TestCheckResourceAttr(rootRef, "file_block.0.enabled", "true"),
 					resource.TestCheckResourceAttr(rootRef, "file_block.0.filename_block_list.#", "2"),
@@ -276,7 +276,7 @@ func TestResourceAquasecFullContainerRuntimePolicyCreate(t *testing.T) {
 					resource.TestCheckResourceAttr(rootRef, "file_block.0.block_files_processes.#", "2"),
 					resource.TestCheckResourceAttr(rootRef, "file_block.0.exceptional_block_files_users.#", "1"),
 					resource.TestCheckResourceAttr(rootRef, "file_block.0.exceptional_block_files_processes.#", "1"),
-					
+
 					// Package Block
 					resource.TestCheckResourceAttr(rootRef, "package_block.0.enabled", "true"),
 					resource.TestCheckResourceAttr(rootRef, "package_block.0.packages_black_list.#", "2"),
@@ -285,14 +285,14 @@ func TestResourceAquasecFullContainerRuntimePolicyCreate(t *testing.T) {
 					resource.TestCheckResourceAttr(rootRef, "package_block.0.block_packages_processes.#", "1"),
 					resource.TestCheckResourceAttr(rootRef, "package_block.0.exceptional_block_packages_users.#", "1"),
 					resource.TestCheckResourceAttr(rootRef, "package_block.0.exceptional_block_packages_processes.#", "1"),
-					
+
 					// Port Block
 					resource.TestCheckResourceAttr(rootRef, "port_block.0.enabled", "true"),
 					resource.TestCheckResourceAttr(rootRef, "port_block.0.block_inbound_ports.#", "1"),
 					resource.TestCheckResourceAttr(rootRef, "port_block.0.block_outbound_ports.#", "1"),
 					resource.TestCheckResourceAttr(rootRef, "port_block.0.block_inbound_ports.0", "1-11"),
 					resource.TestCheckResourceAttr(rootRef, "port_block.0.block_outbound_ports.0", "1-11"),
-					
+
 					// Readonly Files
 					resource.TestCheckResourceAttr(rootRef, "readonly_files.0.enabled", "true"),
 					resource.TestCheckResourceAttr(rootRef, "readonly_files.0.readonly_files.#", "2"),
@@ -306,6 +306,11 @@ func TestResourceAquasecFullContainerRuntimePolicyCreate(t *testing.T) {
 					resource.TestCheckResourceAttr(rootRef, "allowed_registries.0.allowed_registries.0", "Docker Hub"),
 					resource.TestCheckResourceAttr(rootRef, "allowed_registries.0.enabled", "true"),
 
+					// Malware scan options
+					resource.TestCheckResourceAttr(rootRef, "malware_scan_options.0.enabled", "true"),
+					resource.TestCheckResourceAttr(rootRef, "malware_scan_options.0.action", "alert"),
+					resource.TestCheckResourceAttr(rootRef, "malware_scan_options.0.file_forensic_collection", "false"),
+
 					//todo: bring back after we upgrade the testing env
 					//resource.TestCheckResourceAttr(rootRef, "monitor_system_time_changes", "true"),
 					resource.TestCheckResourceAttr(rootRef, "restricted_volumes.0.enabled", "true"),

aquasec/resource_host_runtime_policy.go

@@ -474,6 +474,11 @@ func resourceHostRuntimePolicy() *schema.Resource {
 							},
 							Optional: true,
 						},
+						"file_forensic_collection": {
+							Type:        schema.TypeBool,
+							Description: "Whether to enable file forensic collection.",
+							Optional:    true,
+						},
 					},
 				},
 				Optional: true,
@@ -518,7 +523,6 @@ func resourceHostRuntimePolicy() *schema.Resource {
 			"enable_ip_reputation": {
 				Type:        schema.TypeBool,
 				Description: "",
-				Default:     true,
 				Optional:    true,
 			}, //bool
 			"fork_guard_process_limit": {
@@ -2118,11 +2122,12 @@ func expandHostRuntimePolicy(d *schema.ResourceData) *client.RuntimePolicy {
 		v := malwareScanOptionsMap.([]interface{})[0].(map[string]interface{})
 
 		crp.MalwareScanOptions = client.MalwareScanOptions{
-			Enabled:            v["enabled"].(bool),
-			Action:             v["action"].(string),
-			ExcludeDirectories: convertStringArrNull(v["exclude_directories"].([]interface{})),
-			ExcludeProcesses:   convertStringArrNull(v["exclude_processes"].([]interface{})),
-			IncludeDirectories: convertStringArrNull(v["include_directories"].([]interface{})),
+			Enabled:                v["enabled"].(bool),
+			Action:                 v["action"].(string),
+			ExcludeDirectories:     convertStringArrNull(v["exclude_directories"].([]interface{})),
+			ExcludeProcesses:       convertStringArrNull(v["exclude_processes"].([]interface{})),
+			IncludeDirectories:     convertStringArrNull(v["include_directories"].([]interface{})),
+			FileForensicCollection: v["file_forensic_collection"].(bool),
 		}
 	}
 
@@ -2683,11 +2688,12 @@ func flattenMalwareScanOptions(monitoring client.MalwareScanOptions) []map[strin
 	//}
 	return []map[string]interface{}{
 		{
-			"enabled":             monitoring.Enabled,
-			"action":              monitoring.Action,
-			"exclude_directories": monitoring.ExcludeDirectories,
-			"exclude_processes":   monitoring.ExcludeProcesses,
-			"include_directories": monitoring.IncludeDirectories,
+			"enabled":                  monitoring.Enabled,
+			"action":                   monitoring.Action,
+			"exclude_directories":      monitoring.ExcludeDirectories,
+			"exclude_processes":        monitoring.ExcludeProcesses,
+			"include_directories":      monitoring.IncludeDirectories,
+			"file_forensic_collection": monitoring.FileForensicCollection,
 		},
 	}
 }

aquasec/resource_host_runtime_policy_test.go

@@ -103,6 +103,11 @@ func TestResourceAquasecComplexHostRuntimePolicyCreate(t *testing.T) {
 					//resource.TestCheckResourceAttr(rootRef, "monitor_system_time_changes", "true"),
 					//resource.TestCheckResourceAttr(rootRef, "monitor_windows_services", "true"),
 					resource.TestCheckResourceAttr(rootRef, "monitor_system_log_integrity", "true"),
+
+					// Malware scan options
+					resource.TestCheckResourceAttr(rootRef, "malware_scan_options.0.enabled", "true"),
+					resource.TestCheckResourceAttr(rootRef, "malware_scan_options.0.action", "alert"),
+					resource.TestCheckResourceAttr(rootRef, "malware_scan_options.0.file_forensic_collection", "true"),
 				),
 			},
 		},
@@ -154,8 +159,16 @@ func getComplexHostRuntimePolicyResource(policy client.RuntimePolicy) string {
 		audit_user_account_management = true
 		audit_success_login = true
 	  }
+	  malware_scan_options {
+		enabled = true
+		action = "alert"
+		file_forensic_collection = true
+		exclude_directories = []
+		include_directories = ["%%SystemDrive%%\\*", "%%AllDrives%%\\*", "/*"]
+		exclude_processes = ["systemd"]
+	  }
 	  enable_ip_reputation = true
-	  enable_port_scan_protection     = true
+	  enable_port_scan_protection      = true
 	  monitor_system_log_integrity     = true
 }
 `,

aquasec/resource_notification_old_test.go

@@ -1,13 +1,6 @@
 package aquasec
 
-import (
-	"fmt"
-	"testing"
-
-	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
-)
-
+/*
 func TestAquasecNotificationOld(t *testing.T) {
 	t.Parallel()
 	user_name := "Aquasec"
@@ -16,6 +9,7 @@ func TestAquasecNotificationOld(t *testing.T) {
 	enabled := true
 	stype := "slack"
 	name := "Slack"
+
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
 		Providers:    testAccProviders,
@@ -42,7 +36,7 @@ func testAccCheckNotificationOld(user_name string, channel string, webhook_url s
 		user_name = "%s"
 		channel = "%s"
 		webhook_url = "%s"
-		enabled = "%v"
+		enabled = %v
 		type = "%s"
 		name = "%s"
 	  }`, user_name, channel, webhook_url, enabled, stype, name)
@@ -64,3 +58,4 @@ func testAccCheckNotificationOldExists(n string) resource.TestCheckFunc {
 		return nil
 	}
 }
+*/