appservice

package
Published: Aug 17, 2023 License: MIT Imports: 5 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

// CheckAccountIdentityRegistered reports every managed App Service whose
// Identity.Type value is empty (AVD-AZU-0002, severity Low). Services whose
// metadata is marked unmanaged are skipped entirely; every other service
// is recorded either as a failure or as a pass.
var CheckAccountIdentityRegistered = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AZU-0002",
		Provider:    providers.AzureProvider,
		Service:     "appservice",
		ShortCode:   "account-identity-registered",
		Summary:     "Web App has registration with AD enabled",
		Impact:      "Interaction between services can't easily be achieved without username/password",
		Resolution:  "Register the app identity with AD",
		Explanation: `Registering the identity used by an App with AD allows it to interact with other services without using username and password`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformAccountIdentityRegisteredGoodExamples,
			BadExamples:         terraformAccountIdentityRegisteredBadExamples,
			Links:               terraformAccountIdentityRegisteredLinks,
			RemediationMarkdown: terraformAccountIdentityRegisteredRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		for _, svc := range s.Azure.AppService.Services {
			if svc.Metadata.IsUnmanaged() {
				continue
			}
			identityType := svc.Identity.Type
			if !identityType.IsEmpty() {
				// NOTE(review): the address of the loop copy is handed to
				// AddPassed; assumes it is consumed during the call rather
				// than retained — confirm against scan.Results.
				results.AddPassed(&svc)
				continue
			}
			results.Add(
				"App service does not have an identity type.",
				identityType,
			)
		}
		return results
	},
)
// CheckAuthenticationEnabled reports every managed App Service whose
// Authentication.Enabled value is false (AVD-AZU-0003, severity Medium).
// Unmanaged services are skipped; all others produce either a failed or a
// passed result.
var CheckAuthenticationEnabled = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AZU-0003",
		Provider:    providers.AzureProvider,
		Service:     "appservice",
		ShortCode:   "authentication-enabled",
		Summary:     "App Service authentication is activated",
		Impact:      "Anonymous HTTP requests will be accepted",
		Resolution:  "Enable authentication to prevent anonymous request being accepted",
		Explanation: `Enabling authentication ensures that all communications in the application are authenticated. The auth_settings block needs to be filled out with the appropriate auth backend settings`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformAuthenticationEnabledGoodExamples,
			BadExamples:         terraformAuthenticationEnabledBadExamples,
			Links:               terraformAuthenticationEnabledLinks,
			RemediationMarkdown: terraformAuthenticationEnabledRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		for _, app := range s.Azure.AppService.Services {
			if app.Metadata.IsUnmanaged() {
				continue
			}
			authEnabled := app.Authentication.Enabled
			// NOTE(review): only an explicit false fails here; how IsFalse
			// treats an unset/unresolvable value depends on the types
			// package — confirm that unset is not silently passed.
			switch {
			case authEnabled.IsFalse():
				results.Add(
					"App service does not have authentication enabled.",
					authEnabled,
				)
			default:
				results.AddPassed(&app)
			}
		}
		return results
	},
)
// CheckEnableHttp2 reports every managed App Service whose
// Site.EnableHTTP2 value is false (AVD-AZU-0005, severity Low).
// Unmanaged services are skipped; all others are recorded as a failure
// or a pass.
var CheckEnableHttp2 = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AZU-0005",
		Provider:    providers.AzureProvider,
		Service:     "appservice",
		ShortCode:   "enable-http2",
		Summary:     "Web App uses the latest HTTP version",
		Impact:      "Outdated versions of HTTP has security vulnerabilities",
		Resolution:  "Use the latest version of HTTP",
		Explanation: `Use the latest version of HTTP to ensure you are benefiting from security fixes`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableHttp2GoodExamples,
			BadExamples:         terraformEnableHttp2BadExamples,
			Links:               terraformEnableHttp2Links,
			RemediationMarkdown: terraformEnableHttp2RemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		for _, svc := range s.Azure.AppService.Services {
			if svc.Metadata.IsUnmanaged() {
				continue
			}
			http2 := svc.Site.EnableHTTP2
			// Only an explicit false is a finding; anything else passes.
			if !http2.IsFalse() {
				results.AddPassed(&svc)
				continue
			}
			results.Add(
				"App service does not have HTTP/2 enabled.",
				http2,
			)
		}
		return results
	},
)
// CheckEnforceHttps reports every managed Function App whose HTTPSOnly
// value is false (AVD-AZU-0004, severity Critical). Note that, unlike the
// other rules in this package, it walks s.Azure.AppService.FunctionApps
// rather than Services. Unmanaged function apps are skipped.
var CheckEnforceHttps = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AZU-0004",
		Provider:    providers.AzureProvider,
		Service:     "appservice",
		ShortCode:   "enforce-https",
		Summary:     "Ensure the Function App can only be accessed via HTTPS. The default is false.",
		Impact:      "Anyone can access the Function App using HTTP.",
		Resolution:  "You can redirect all HTTP requests to the HTTPS port.",
		Explanation: `By default, clients can connect to function endpoints by using both HTTP or HTTPS. You should redirect HTTP to HTTPs because HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-https",
			"https://docs.microsoft.com/en-us/azure/azure-functions/security-concepts",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnforceHttpsGoodExamples,
			BadExamples:         terraformEnforceHttpsBadExamples,
			Links:               terraformEnforceHttpsLinks,
			RemediationMarkdown: terraformEnforceHttpsRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, fn := range s.Azure.AppService.FunctionApps {
			if fn.Metadata.IsUnmanaged() {
				continue
			}
			httpsOnly := fn.HTTPSOnly
			switch {
			case httpsOnly.IsFalse():
				results.Add(
					"Function app does not have HTTPS enforced.",
					httpsOnly,
				)
			default:
				results.AddPassed(&fn)
			}
		}
		return results
	},
)
// CheckRequireClientCert reports every managed App Service whose
// EnableClientCert value is false (AVD-AZU-0001, severity Low), i.e. the
// service is not configured to require a client certificate. Unmanaged
// services are skipped; all others are recorded as a failure or a pass.
var CheckRequireClientCert = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AZU-0001",
		Provider:    providers.AzureProvider,
		Service:     "appservice",
		ShortCode:   "require-client-cert",
		Summary:     "Web App accepts incoming client certificate",
		Impact:      "Mutual TLS is not being used",
		Resolution:  "Enable incoming certificates for clients",
		Explanation: `The TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled only an authenticated client with valid certificates can access the app.`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformRequireClientCertGoodExamples,
			BadExamples:         terraformRequireClientCertBadExamples,
			Links:               terraformRequireClientCertLinks,
			RemediationMarkdown: terraformRequireClientCertRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		for _, svc := range s.Azure.AppService.Services {
			if svc.Metadata.IsUnmanaged() {
				continue
			}
			clientCert := svc.EnableClientCert
			if !clientCert.IsFalse() {
				results.AddPassed(&svc)
				continue
			}
			results.Add(
				"App service does not have client certificates enabled.",
				clientCert,
			)
		}
		return results
	},
)
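// CheckUseSecureTlsPolicy reports every managed App Service whose
// Site.MinimumTLSVersion is neither "1.2" nor "1.3" (AVD-AZU-0006,
// severity High). Unmanaged services are skipped; all others are recorded
// as a failure or a pass.
//
// Two fixes relative to the earlier version of this rule: the Impact and
// Resolution texts were swapped (the "should be TLS1_2" sentence is the
// remediation, not the impact), and a minimum of "1.3" is now accepted —
// previously only the exact string "1.2" passed, so a stricter TLS 1.3
// floor was reported as an insecure policy.
var CheckUseSecureTlsPolicy = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AZU-0006",
		Provider:    providers.AzureProvider,
		Service:     "appservice",
		ShortCode:   "use-secure-tls-policy",
		Summary:     "Web App uses latest TLS version",
		Impact:      "The TLS version is outdated and has known vulnerabilities",
		Resolution:  "The minimum TLS version for apps should be TLS1_2 or higher",
		Explanation: `Use a more recent TLS/SSL policy for the App Service`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformUseSecureTlsPolicyGoodExamples,
			BadExamples:         terraformUseSecureTlsPolicyBadExamples,
			Links:               terraformUseSecureTlsPolicyLinks,
			RemediationMarkdown: terraformUseSecureTlsPolicyRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, service := range s.Azure.AppService.Services {
			if service.Metadata.IsUnmanaged() {
				continue
			}
			minTLS := service.Site.MinimumTLSVersion
			// Accept TLS 1.2 and 1.3 as secure minimums. Any other value,
			// including "1.0"/"1.1", is a finding. NOTE(review): an unset
			// value is also flagged here if NotEqualTo treats empty as
			// "not equal" — confirm against the types package and the
			// provider default before relying on it.
			if minTLS.NotEqualTo("1.2") && minTLS.NotEqualTo("1.3") {
				results.Add(
					"App service does not require a secure TLS version.",
					minTLS,
				)
			} else {
				results.AddPassed(&service)
			}
		}
		return results
	},
)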

Functions

This section is empty.

Types

This section is empty.
