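// CheckDisableRdpFromInternet flags Azure network security group (NSG) rules
// that allow inbound traffic to port 3389 (RDP) from a public source range
// wider than a single host address.
//
// Fix relative to the previous revision: the group's pass result was recorded
// inside the per-rule loop, so a group was marked as passed once for every
// compliant rule examined before a violating one, producing both pass and fail
// results for the same group. The pass is now emitted once per group, after
// all of its rules have been inspected, matching CheckNoPublicIngress and
// CheckNoPublicEgress in this package.
var CheckDisableRdpFromInternet = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AZU-0048",
		Provider:    providers.AzureProvider,
		Service:     "network",
		ShortCode:   "disable-rdp-from-internet",
		Summary:     "RDP access should not be accessible from the Internet, should be blocked on port 3389",
		Impact:      "Anyone from the internet can potentially RDP onto an instance",
		Resolution:  "Block RDP port from internet",
		Explanation: `RDP access can be configured on either the network security group or in the network security group rule. RDP access should not be permitted from the internet (*, 0.0.0.0, /0, internet, any). Consider using the Azure Bastion Service.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/bastion/tutorial-create-host-portal",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformDisableRdpFromInternetGoodExamples,
			BadExamples:         terraformDisableRdpFromInternetBadExamples,
			Links:               terraformDisableRdpFromInternetLinks,
			RemediationMarkdown: terraformDisableRdpFromInternetRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, group := range s.Azure.Network.SecurityGroups {
			// NOTE(review): NSG rule priority is not consulted here, so a
			// higher-priority Deny rule covering the same traffic does not
			// suppress a finding raised by a lower-priority Allow rule.
			var failed bool
			for _, rule := range group.Rules {
				// Only inbound allow rules can expose RDP. These are tri-state
				// values: a rule whose Allow/Outbound could not be resolved is
				// not skipped and is still inspected.
				if rule.Allow.IsFalse() || rule.Outbound.IsTrue() {
					continue
				}
				// ICMP carries no ports, so a port match on such a rule is meaningless.
				if rule.Protocol.EqualTo("Icmp", types.IgnoreCase) {
					continue
				}
				for _, ports := range rule.DestinationPorts {
					if !ports.Includes(3389) {
						continue
					}
					for _, ip := range rule.SourceAddresses {
						// A single public host address (e.g. a /32 allow-list entry)
						// is tolerated; only ranges of more than one public address fail.
						if cidr.IsPublic(ip.Value()) && cidr.CountAddresses(ip.Value()) > 1 {
							failed = true
							results.Add(
								"Security group rule allows ingress to RDP port from multiple public internet addresses.",
								ip,
							)
						}
					}
				}
			}
			// Exactly one pass per group, and only once every rule has been examined.
			if !failed {
				results.AddPassed(&group)
			}
		}
		return results
	},
)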
// CheckNoPublicEgress flags Azure network security group (NSG) rules that allow
// outbound traffic to a public destination address.
//
// Unlike the ingress checks in this package, no minimum range size is applied:
// any public destination, including a single host address, is reported.
var CheckNoPublicEgress = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AZU-0051",
		Provider:    providers.AzureProvider,
		Service:     "network",
		ShortCode:   "no-public-egress",
		Summary:     "An outbound network security rule allows traffic to /0.",
		Impact:      "The port is exposed for egress to the internet",
		Resolution:  "Set a more restrictive cidr range",
		Explanation: `Network security rules should not use very broad subnets. Where possible, segments should be broken into smaller subnets.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicEgressGoodExamples,
			BadExamples:         terraformNoPublicEgressBadExamples,
			Links:               terraformNoPublicEgressLinks,
			RemediationMarkdown: terraformNoPublicEgressRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, nsg := range s.Azure.Network.SecurityGroups {
			compliant := true
			for _, r := range nsg.Rules {
				// Only outbound allow rules can open egress. Tri-state values:
				// rules whose Allow/Outbound could not be resolved are still inspected.
				if r.Allow.IsFalse() || r.Outbound.IsFalse() {
					continue
				}
				for _, dst := range r.DestinationAddresses {
					if !cidr.IsPublic(dst.Value()) {
						continue
					}
					compliant = false
					results.Add(
						"Security group rule allows egress to public internet.",
						dst,
					)
				}
			}
			// One pass per group once all of its rules have been examined.
			if compliant {
				results.AddPassed(&nsg)
			}
		}
		return results
	},
)
// CheckNoPublicIngress flags Azure network security group (NSG) rules that allow
// inbound traffic from a public source range wider than a single host address,
// regardless of port or protocol.
var CheckNoPublicIngress = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AZU-0047",
		Provider:    providers.AzureProvider,
		Service:     "network",
		ShortCode:   "no-public-ingress",
		Summary:     "An inbound network security rule allows traffic from /0.",
		Impact:      "The port is exposed for ingress from the internet",
		Resolution:  "Set a more restrictive cidr range",
		Explanation: `Network security rules should not use very broad subnets. Where possible, segments should be broken into smaller subnets.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicIngressGoodExamples,
			BadExamples:         terraformNoPublicIngressBadExamples,
			Links:               terraformNoPublicIngressLinks,
			RemediationMarkdown: terraformNoPublicIngressRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, nsg := range s.Azure.Network.SecurityGroups {
			compliant := true
			for _, r := range nsg.Rules {
				// Only inbound allow rules can open ingress. Tri-state values:
				// rules whose Allow/Outbound could not be resolved are still inspected.
				if r.Allow.IsFalse() || r.Outbound.IsTrue() {
					continue
				}
				for _, src := range r.SourceAddresses {
					addr := src.Value()
					// A single public host address (e.g. a /32 allow-list entry) is
					// tolerated; only ranges of more than one public address fail.
					if !cidr.IsPublic(addr) || cidr.CountAddresses(addr) <= 1 {
						continue
					}
					compliant = false
					results.Add(
						"Security group rule allows ingress from public internet.",
						src,
					)
				}
			}
			// One pass per group once all of its rules have been examined.
			if compliant {
				results.AddPassed(&nsg)
			}
		}
		return results
	},
)
// CheckRetentionPolicySet verifies that every managed Network Watcher flow log
// has its retention policy enabled with a retention of at least 90 days.
//
// Boundary: the code fails only values strictly below 90, so a retention of
// exactly 90 days passes even though the Summary/Resolution text says
// "greater than 90".
var CheckRetentionPolicySet = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AZU-0049",
		Provider:    providers.AzureProvider,
		Service:     "network",
		ShortCode:   "retention-policy-set",
		Summary:     "Retention policy for flow logs should be enabled and set to greater than 90 days",
		Impact:      "Not enabling retention or having short expiry on flow logs could lead to compromise being undetected limiting time for analysis",
		Resolution:  "Ensure flow log retention is turned on with an expiry of >90 days",
		Explanation: `Flow logs are the source of truth for all network activity in your cloud environment. To enable analysis in security event that was detected late, you need to have the logs available. Setting an retention policy will help ensure as much information is available for review.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformRetentionPolicySetGoodExamples,
			BadExamples:         terraformRetentionPolicySetBadExamples,
			Links:               terraformRetentionPolicySetLinks,
			RemediationMarkdown: terraformRetentionPolicySetRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		for _, flowLog := range s.Azure.Network.NetworkWatcherFlowLogs {
			// Flow logs not managed by the scanned configuration are out of scope.
			if flowLog.IsUnmanaged() {
				continue
			}
			rp := flowLog.RetentionPolicy
			switch {
			case rp.Enabled.IsFalse():
				results.Add(
					"Flow log does not enable the log retention policy.",
					rp.Enabled,
				)
			case rp.Days.LessThan(90):
				// NOTE(review): if the provider represents "retain indefinitely"
				// as days == 0 while enabled, that configuration is reported here
				// as too short — confirm against the Azure adapter before relying
				// on this for long-lived retention.
				results.Add(
					"Flow log has a log retention policy of less than 90 days.",
					rp.Days,
				)
			default:
				results.AddPassed(&flowLog)
			}
		}
		return results
	},
)
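// CheckSshBlockedFromInternet flags Azure network security group (NSG) rules
// that allow inbound traffic to port 22 (SSH) from a public source range wider
// than a single host address.
//
// Fix relative to the previous revision: the group's pass result was recorded
// inside the per-rule loop, so a group was marked as passed once for every
// compliant rule examined before a violating one, producing both pass and fail
// results for the same group. The pass is now emitted once per group, after
// all of its rules have been inspected, matching CheckNoPublicIngress and
// CheckNoPublicEgress in this package.
var CheckSshBlockedFromInternet = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AZU-0050",
		Provider:    providers.AzureProvider,
		Service:     "network",
		ShortCode:   "ssh-blocked-from-internet",
		Summary:     "SSH access should not be accessible from the Internet, should be blocked on port 22",
		Impact:      "Its dangerous to allow SSH access from the internet",
		Resolution:  "Block port 22 access from the internet",
		Explanation: `SSH access can be configured on either the network security group or in the network security group rule. SSH access should not be permitted from the internet (*, 0.0.0.0, /0, internet, any)`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformSshBlockedFromInternetGoodExamples,
			BadExamples:         terraformSshBlockedFromInternetBadExamples,
			Links:               terraformSshBlockedFromInternetLinks,
			RemediationMarkdown: terraformSshBlockedFromInternetRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, group := range s.Azure.Network.SecurityGroups {
			// NOTE(review): NSG rule priority is not consulted here, so a
			// higher-priority Deny rule covering the same traffic does not
			// suppress a finding raised by a lower-priority Allow rule.
			var failed bool
			for _, rule := range group.Rules {
				// Only inbound allow rules can expose SSH. These are tri-state
				// values: a rule whose Allow/Outbound could not be resolved is
				// not skipped and is still inspected.
				if rule.Allow.IsFalse() || rule.Outbound.IsTrue() {
					continue
				}
				// ICMP carries no ports, so a port match on such a rule is meaningless.
				if rule.Protocol.EqualTo("Icmp", types.IgnoreCase) {
					continue
				}
				for _, ports := range rule.DestinationPorts {
					if !ports.Includes(22) {
						continue
					}
					for _, ip := range rule.SourceAddresses {
						// A single public host address (e.g. a /32 allow-list entry)
						// is tolerated; only ranges of more than one public address fail.
						if cidr.IsPublic(ip.Value()) && cidr.CountAddresses(ip.Value()) > 1 {
							failed = true
							results.Add(
								"Security group rule allows ingress to SSH port from multiple public internet addresses.",
								ip,
							)
						}
					}
				}
			}
			// Exactly one pass per group, and only once every rule has been examined.
			if !failed {
				results.AddPassed(&group)
			}
		}
		return results
	},
)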