From e626da4409bd753ac84a9a3a2a291d32775eee16 Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Sat, 12 Aug 2023 12:14:36 +0100
Subject: [PATCH 1/4] fix(query): lower properties protocol
---
 .../query.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/query.rego b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/query.rego
index 7b92056eef7..b46c5f9d285 100644
--- a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/query.rego
+++ b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/query.rego
@@ -12,7 +12,7 @@ CxPolicy[result] {
 properties := value.properties.securityRules[x].properties
 properties.access == "Allow"
- properties.protocol == "Tcp"
+ lower(properties.protocol) == "tcp"
 properties.direction == "Inbound"
 arm_lib.contains_port(properties, 22)
 arm_lib.source_address_prefix_is_open(properties)
From 4c2908896f63c841c6b906e9fe5da6a31ea3c5d8 Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Sat, 12 Aug 2023 12:20:19 +0100
Subject: [PATCH 2/4] changed metadata and positive expected result
---
 .../metadata.json | 2 +-
 .../test/positive7.json | 48 +++++++++++++++++++
 .../test/positive_expected_result.json | 6 +++
 3 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive7.json
diff --git a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/metadata.json b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/metadata.json
index 4879b98c6af..6e84d83765b 100644
--- a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/metadata.json
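Review bot: Only the first `CxPolicy` rule body is made case-insensitive; the second body at query.rego line 38, which reads `properties := typeInfo.properties` and still compares `properties.protocol == "Tcp"` (visible in the `@@ -38,7 +38,7 @@` hunk of PATCH 4/4), is left as is, so whatever resource shape that rule handles keeps missing a `"TCP"` spelling. The positive7.json fixture added in PATCH 2/4 declares the rule as a nested `securityRules` child resource rather than under `properties.securityRules`, which presumably is the shape the second rule matches and why PATCH 3/4 reverts this change before PATCH 4/4 redoes it in both bodies. The `CxPolicy[result]` rule starts before and continues past this hunk.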
+++ b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/metadata.json
@@ -4,7 +4,7 @@
 "severity": "HIGH",
 "category": "Networking and Firewall",
 "descriptionText": "Port 22 (SSH) is exposed to the Internet",
- "descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2020-07-01/networksecuritygroups?tabs=json#securityrulepropertiesformat-object",
+ "descriptionUrl": "https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#security-rules",
 "platform": "AzureResourceManager",
 "cloudProvider": "azure",
 "descriptionID": "97b6233c"
diff --git a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive7.json b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive7.json
new file mode 100644
index 00000000000..4da3b508b48
--- /dev/null
+++ b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive7.json
@@ -0,0 +1,48 @@
+{
+ "properties": {
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "2.0.0.0",
+ "apiProfile": "2019-03-01-hybrid",
+ "parameters": {},
+ "variables": {},
+ "functions": [],
+ "resources": [
+ {
+ "name": "securitygroup",
+ "type": "Microsoft.Network/networkSecurityGroups",
+ "apiVersion": "2020-11-01",
+ "location": "location1",
+ "tags": {},
+ "properties": {},
+ "resources": [
+ {
+ "type": "securityRules",
+ "apiVersion": "2020-11-01",
+ "properties": {
+ "description": "access to SSH",
+ "protocol": "TCP",
+ "sourcePortRange": "*",
+ "destinationPortRanges": [
+ "22-23"
+ ],
+ "sourceAddressPrefix": "*",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": 100,
+ "direction": "Inbound"
+ },
+ "name": "sr"
+ }
+
+ ]
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {}
+ },
+ "kind": "template",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "myTemplate"
+}
diff --git a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json
index 2ff5ffd1ce3..32a0ddfd146 100644
--- a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json
+++ b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json
@@ -34,5 +34,11 @@
 "severity": "HIGH",
 "line": 22,
 "fileName": "positive6.json"
+ },
+ {
+ "queryName": "Network Security Group With Unrestricted Access To SSH",
+ "severity": "HIGH",
+ "line": 22,
+ "fileName": "positive7.json"
 }
 ]
From aef06cb4a677b1cbd032eab2cd25a5e46c099ede Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Sat, 12 Aug 2023 13:06:05 +0100
Subject: [PATCH 3/4] fixed query and metadata
---
 .../metadata.json | 2 +-
 .../query.rego | 2 +-
 .../test/positive7.json | 48 -------------------
 .../test/positive_expected_result.json | 6 ---
 4 files changed, 2 insertions(+), 56 deletions(-)
 delete mode 100644 assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive7.json
diff --git a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/metadata.json b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/metadata.json
index 6e84d83765b..2133c26beb3 100644
--- a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/metadata.json
+++ b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/metadata.json
@@ -4,7 +4,7 @@
 "severity": "HIGH",
 "category": "Networking and Firewall",
 "descriptionText": "Port 22 (SSH) is exposed to the Internet",
- "descriptionUrl": "https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#security-rules",
+ "descriptionUrl": "https://learn.microsoft.com/en-us/azure/templates/microsoft.network/networksecuritygroups?pivots=deployment-language-bicep#securityrulepropertiesformat",
 "platform": "AzureResourceManager",
 "cloudProvider": "azure",
 "descriptionID": "97b6233c"
diff --git a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/query.rego b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/query.rego
index b46c5f9d285..7b92056eef7 100644
--- a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/query.rego
+++ b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/query.rego
@@ -12,7 +12,7 @@ CxPolicy[result] {
 properties := value.properties.securityRules[x].properties
 properties.access == "Allow"
- lower(properties.protocol) == "tcp"
+ properties.protocol == "Tcp"
 properties.direction == "Inbound"
 arm_lib.contains_port(properties, 22)
 arm_lib.source_address_prefix_is_open(properties)
diff --git a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive7.json b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive7.json
deleted file mode 100644
index 4da3b508b48..00000000000
--- a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive7.json
+++ /dev/null
@@ -1,48 +0,0 @@
-{
- "properties": {
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "2.0.0.0",
- "apiProfile": "2019-03-01-hybrid",
- "parameters": {},
- "variables": {},
- "functions": [],
- "resources": [
- {
- "name": "securitygroup",
- "type": "Microsoft.Network/networkSecurityGroups",
- "apiVersion": "2020-11-01",
- "location": "location1",
- "tags": {},
- "properties": {},
- "resources": [
- {
- "type": "securityRules",
- "apiVersion": "2020-11-01",
- "properties": {
- "description": "access to SSH",
- "protocol": "TCP",
- "sourcePortRange": "*",
- "destinationPortRanges": [
- "22-23"
- ],
- "sourceAddressPrefix": "*",
- "destinationAddressPrefix": "*",
- "access": "Allow",
- "priority": 100,
- "direction": "Inbound"
- },
- "name": "sr"
- }
-
- ]
- }
- ],
- "outputs": {}
- },
- "parameters": {}
- },
- "kind": "template",
- "type": "Microsoft.Blueprint/blueprints/artifacts",
- "name": "myTemplate"
-}
diff --git a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json
index 32a0ddfd146..2ff5ffd1ce3 100644
--- a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json
+++ b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json
@@ -34,11 +34,5 @@
 "severity": "HIGH",
 "line": 22,
 "fileName": "positive6.json"
- },
- {
- "queryName": "Network Security Group With Unrestricted Access To SSH",
- "severity": "HIGH",
- "line": 22,
- "fileName": "positive7.json"
 }
 ]
From 8a13a5237614fc007903895e6e7894c3f7c257d3 Mon Sep 17 00:00:00 2001
From: Artur Ribeiro
Date: Mon, 6 May 2024 15:03:42 +0100
Subject: [PATCH 4/4] fix query to lower properties protocol and new test added
---
 .../query.rego | 4 +-
 .../test/positive7.json | 47 +++++++++++++++++++
 .../test/positive_expected_result.json | 6 +++
 3 files changed, 55 insertions(+), 2 deletions(-)
 create mode 100644 assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive7.json
diff --git a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/query.rego b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/query.rego
index 7b92056eef7..c821982dc6d 100644
--- a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/query.rego
+++ b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/query.rego
@@ -12,7 +12,7 @@ CxPolicy[result] {
 properties := value.properties.securityRules[x].properties
 properties.access == "Allow"
- properties.protocol == "Tcp"
+ lower(properties.protocol) == "tcp"
 properties.direction == "Inbound"
 arm_lib.contains_port(properties, 22)
 arm_lib.source_address_prefix_is_open(properties)
@@ -38,7 +38,7 @@ CxPolicy[result] {
 properties := typeInfo.properties
 properties.access == "Allow"
- properties.protocol == "Tcp"
+ lower(properties.protocol) == "tcp"
 properties.direction == "Inbound"
 arm_lib.contains_port(properties, 22)
 arm_lib.source_address_prefix_is_open(properties)
diff --git a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive7.json b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive7.json
new file mode 100644
index 00000000000..f9ff447d608
--- /dev/null
+++ b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive7.json
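Review bot: `lower(properties.protocol) == "tcp"` on the added line of each of the two hunks still lets a rule whose `protocol` is `"*"` through; Azure security rules accept the wildcard protocol, and such a rule with `access: Allow`, `direction: Inbound`, an open source prefix and port 22 in range exposes SSH just as an explicit `Tcp` rule does, so the query under-reports unless `arm_lib` already handles the wildcard somewhere not shown here. A set lookup covers both spellings and the wildcard on each changed line, `{"tcp", "*"}[lower(properties.protocol)]`, and a fixture with `"protocol": "*"` would pin it. Both `CxPolicy[result]` rule bodies start before and continue past their hunks.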
@@ -0,0 +1,47 @@
+{
+ "properties": {
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "2.0.0.0",
+ "apiProfile": "2019-03-01-hybrid",
+ "parameters": {},
+ "variables": {},
+ "functions": [],
+ "resources": [
+ {
+ "name": "securitygroup",
+ "type": "Microsoft.Network/networkSecurityGroups",
+ "apiVersion": "2020-11-01",
+ "location": "location1",
+ "tags": {},
+ "properties": {},
+ "resources": [
+ {
+ "type": "securityRules",
+ "apiVersion": "2020-11-01",
+ "properties": {
+ "description": "access to SSH",
+ "protocol": "TCP",
+ "sourcePortRange": "*",
+ "destinationPortRanges": [
+ "22-23"
+ ],
+ "sourceAddressPrefix": "*",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": 100,
+ "direction": "Inbound"
+ },
+ "name": "sr"
+ }
+ ]
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {}
+ },
+ "kind": "template",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "myTemplate"
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json
index a2a2afda9bc..89f5d2d09c0 100644
--- a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json
+++ b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json
@@ -34,5 +34,11 @@
 "severity": "MEDIUM",
 "line": 22,
 "fileName": "positive6.json"
+ },
+ {
+ "queryName": "Network Security Group With Unrestricted Access To SSH",
+ "severity": "MEDIUM",
+ "line": 22,
+ "fileName": "positive7.json"
 }
 ]
\ No newline at end of file
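Review bot: Both positive7.json and positive_expected_result.json end without a trailing newline in this patch (the `\ No newline at end of file` markers after the final `}` and `]`), whereas the PATCH 2/4 version of the same fixture ended with one; the next edit to either file will carry a spurious change on its last line. Adding the final newline to both keeps them consistent with the earlier fixtures. The new expected-result entry otherwise mirrors the positive6.json entry, including `"line": 22`, which in this fixture is the `"properties": {` line of the security rule.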