

Merge pull request #184 from prancer-io/azure-iac-new-rego3
Azure IaC new rego files (sql_servers, Redis, keyvaultkeys)
rezoan authored Aug 11, 2021
2 parents f2e6569 + 09bb25d commit 68be10b
Showing 5 changed files with 393 additions and 10 deletions.
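--- a/azure/iac/Redis.rego
+++ b/azure/iac/Redis.rego
@@ -0,0 +1,113 @@
+package rule
+
+# https://docs.microsoft.com/en-us/azure/templates/Microsoft.Cache/redis
+
+# PR-AZR-0131-ARM
+
+default enableSslPort = null
+
+azure_attribute_absence ["enableSslPort"] {
+resource := input.resources[_]
+lower(resource.type) == "microsoft.cache/redis"
+not resource.properties.enableNonSslPort
+}
+
+azure_issue ["enableSslPort"] {
+resource := input.resources[_]
+lower(resource.type) == "microsoft.cache/redis"
+resource.properties.enableNonSslPort != false
+}
+
+enableSslPort {
+azure_attribute_absence["enableSslPort"]
+}
+
+
+enableSslPort {
+lower(input.resources[_].type) == "microsoft.cache/redis"
+not azure_issue["servenableSslPorterRole"]
+}
+
+
+enableSslPort = false {
+azure_issue["enableSslPort"]
+}
+
+enableSslPort_err = "Redis cache is currently allowing unsecure connection via a non ssl port opened" {
+azure_issue["enableSslPort"]
+}
+
+
+enableSslPort_metadata := {
+"Policy Code": "PR-AZR-0131-ARM",
+"Type": "IaC",
+"Product": "AZR",
+"Language": "ARM template",
+"Policy Title": "Ensure that the Redis Cache accepts only SSL connections",
+"Policy Description": "It is recommended that Redis Cache should allow only SSL connections. Note: some Redis tools (like redis-cli) do not support SSL. When using such tools plain connection ports should be enabled.",
+"Resource Type": "Microsoft.Cache/redis",
+"Policy Help URL": "",
+"Resource Help URL": "https://docs.microsoft.com/en-us/azure/templates/Microsoft.Cache/redis"
+}
+
+
+
+
+# https://docs.microsoft.com/en-us/azure/templates/microsoft.cache/redis/linkedservers
+
+# PR-AZR-0132-ARM
+
+default serverRole = null
+
+
+azure_attribute_absence ["serverRole"] {
+resource := input.resources[_]
+lower(resource.type) == "microsoft.cache/redis/linkedservers"
+not resource.properties.serverRole
+}
+
+azure_issue ["serverRole"] {
+resource := input.resources[_]
+lower(resource.type) == "microsoft.cache/redis/linkedservers"
+lower(resource.properties.serverRole) != "secondary"
+}
+
+
+serverRole {
+lower(input.resources[_].type) == "microsoft.cache/redis/linkedservers"
+not azure_attribute_absence["serverRole"]
+not azure_issue["serverRole"]
+}
+
+
+serverRole = false {
+azure_attribute_absence["serverRole"]
+}
+
+
+serverRole = false {
+azure_issue["serverRole"]
+}
+
+
+serverRole_miss_err = "Azure Redis Cache linked server property 'serverRole' is missing from the resource" {
+azure_attribute_absence["serverRole"]
+}
+
+
+serverRole_err = "Azure Redis Cache linked backup server currently does not have secondary role." {
+azure_issue["serverRole"]
+}
+
+
+serverRole_metadata := {
+"Policy Code": "PR-AZR-0132-ARM",
+"Type": "IaC",
+"Product": "AZR",
+"Language": "ARM template",
+"Policy Title": "Redis cache should have a backup",
+"Policy Description": "Replicate Redis Cache server data to another Redis Cache server using geo replication. This feature is only available for Premium tier Redis Cache. From performance point of view, Microsoft recommends that both Redis Caches (Primary and the linked secondary) reside in the same region.",
+"Resource Type": "Microsoft.Cache/redis/linkedservers",
+"Policy Help URL": "",
+"Resource Help URL": "https://docs.microsoft.com/en-us/azure/templates/microsoft.cache/redis/linkedservers"
+}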
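Review bot: `not azure_issue["servenableSslPorterRole"]` in the second `enableSslPort` rule looks up a key that no rule in this file defines, so the negation always holds and that rule yields true for every `microsoft.cache/redis` resource; when `azure_issue["enableSslPort"]` also holds, the `enableSslPort = false` rule directly below is defined at the same time, and OPA then reports a conflicting-value error for the complete rule rather than a failed check. The intended line is presumably `not azure_issue["enableSslPort"]`, matching the pattern used by `serverRole` further down. The `enableSslPort` rules also treat a missing `enableNonSslPort` as compliant (no `not azure_attribute_absence[...]` guard, and the absence rule alone makes the result true), which differs from `serverRole`, where absence is a failure; a one-line comment such as `# absent enableNonSslPort is treated as compliant, unlike serverRole below` would make that asymmetry deliberate rather than look like an oversight.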
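--- a/azure/iac/keyvaultkeys.rego
+++ b/azure/iac/keyvaultkeys.rego
@@ -0,0 +1,61 @@
+package rule
+
+# https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults/keys
+
+#
+# PR-AZR-0130-ARM
+#
+
+default kv_keys_expire = null
+
+azure_attribute_absence["kv_keys_expire"] {
+resource := input.resources[_]
+lower(resource.type) == "microsoft.keyvault/vaults/keys"
+resource.properties.attributes.enabled != false
+not resource.properties.attributes.exp
+not resource.properties.rotationPolicy.attributes.expiryTime
+}
+
+azure_issue["kv_keys_expire"] {
+resource := input.resources[_]
+resource.properties.attributes.enabled != false
+to_number(resource.properties.attributes.exp) < 0
+count(resource.properties.rotationPolicy.attributes.expiryTime) == 0
+}
+
+kv_keys_expire {
+lower(input.resources[_].type) == "microsoft.keyvault/vaults/keys"
+not azure_attribute_absence["kv_keys_expire"]
+not azure_issue["kv_keys_expire"]
+}
+
+
+kv_keys_expire = false {
+azure_attribute_absence["kv_keys_expire"]
+}
+
+kv_keys_expire = false {
+azure_issue["kv_keys_expire"]
+}
+
+
+kv_keys_expire_miss_err = "Azure Key Vault attribute 'exp' or 'expiryTime' is missing from the resource" {
+azure_attribute_absence["kv_keys_expire"]
+}
+
+kv_keys_expire_err = "Azure Key Vault keys currently dont have any expiration date" {
+azure_issue["kv_keys_expire"]
+}
+
+
+kv_keys_expire_metadata := {
+"Policy Code": "PR-AZR-0130-ARM",
+"Type": "IaC",
+"Product": "AZR",
+"Language": "ARM template",
+"Policy Title": "Azure Key Vault keys should have an expiration date",
+"Policy Description": "This policy identifies Azure Key Vault keys that do not have an expiration date. As a best practice, set an expiration date for each secret and rotate the secret regularly.",
+"Resource Type": "microsoft.keyvault/vaults/keys",
+"Policy Help URL": "",
+"Resource Help URL": "https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults/keys"
+}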
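Review bot: The `azure_issue["kv_keys_expire"]` rule has no `lower(resource.type) == "microsoft.keyvault/vaults/keys"` condition, unlike the absence rule directly above it and the issue rules in Redis.rego, so it iterates every resource in the template; any other resource that happens to carry `properties.attributes.exp` and an empty `rotationPolicy.attributes.expiryTime` would drive `kv_keys_expire` to false even when no key resource is present. Adding the type condition as the second line of the body keeps the two rules symmetric and limits the finding to the resource type the metadata names. Note also that the issue rule only fires when `rotationPolicy.attributes.expiryTime` is present and empty, so a key with a negative `exp` and no `rotationPolicy` at all satisfies neither rule and evaluates as compliant; if that is intended, a comment saying so would save the next reader from re-deriving it.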
155 changes: 149 additions & 6 deletions azure/iac/master-compliance-test.json
Expand Up @@ -1197,11 +1197,11 @@
"id": "PR-AZR-0018-ARM",
"eval": "data.rule.kv_expire",
"message": "data.rule.kv_expire_err",
"remediationDescription": "Make sure you are following the ARM template guidelines for Disks from this URL : https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/disks expiration should be set for secrets",
"remediationDescription": "In Resource of type \"Microsoft.KeyVault/vaults/secrets\" make sure properties.attributes.exp exists and value isn't set empty. \n Please visit https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults/secrets for details.",
"remediationFunction": "PR_AZR_0018_ARM.py"
}
],
"severity": "Medium",
"severity": "High",
"title": "Azure Key Vault secrets should have an expiration date",
"description": "This policy identifies Azure Key Vault secrets that do not have an expiration date. As a best practice, set an expiration date for each secret and rotate the secret regularly.",
"tags": [
Expand Down Expand Up @@ -3108,11 +3108,11 @@
"rule": "file(sql_servers.rego)",
"evals": [
{
"id": "PR-AZR-0126-ARM",
"id": "PR-AZR-0128-ARM",
"eval": "data.rule.sql_public_access_disabled",
"message": "data.rule.sql_public_access_disabled_err",
"remediationDescription": "In Resource of type \"Microsoft.Sql/servers\" make sure properties.publicNetworkAccess exists and value is set to \"disabled\" . \n Please visit https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers for details.",
"remediationFunction": "PR-AZR-0126-ARM.py"
"remediationFunction": "PR_AZR_0128_ARM.py"
}
],
"severity": "Medium",
Expand All @@ -3137,11 +3137,11 @@
"rule": "file(sql_alert_policy.rego)",
"evals": [
{
"id": "PR-AZR-0127-ARM",
"id": "PR-AZR-0129-ARM",
"eval": "data.rule.sql_server_alert",
"message": "data.rule.sql_server_alert_err",
"remediationDescription": "In Resource of type \"Microsoft.sql/servers/securityalertpolicies\" make sure properties.state exists and value is set to \"Enabled\" . \n Please visit https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/securityalertpolicies.",
"remediationFunction": "PR_AZR_0127_ARM.py"
"remediationFunction": "PR_AZR_0129_ARM.py"
}
],
"severity": "Medium",
Expand Down Expand Up @@ -3187,6 +3187,149 @@
]
}
]
},
{
"masterTestId": "TEST_KEYVAULT_KEYS",
"masterSnapshotId": [
"ARM_TEMPLATE_SNAPSHOT"
],
"type": "rego",
"rule": "file(keyvaultkeys.rego)",
"evals": [
{
"id": "PR-AZR-0130-ARM",
"eval": "data.rule.kv_keys_expire",
"message": "data.rule.kv_keys_expire_err",
"remediationDescription": "In Resource of type \"Microsoft.KeyVault/vaults/keys\" make sure properties.attributes.exp exists and value isn't set empty. \n Please visit https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults/keys for details.",
"remediationFunction": "PR_AZR_0130_ARM.py"
}
],
"severity": "High",
"title": "Azure Key Vault keys should have an expiration date",
"description": "This policy identifies Azure Key Vault keys that do not have an expiration date. As a best practice, set an expiration date for each secret and rotate the secret regularly.",
"tags": [
{
"cloud": "git",
"compliance": [
"PCI-DSS",
"GDPR",
"ISO 27001",
"NIST CSF",
"HIPAA",
"Best Practices"
],
"service": [
"arm"
]
}
]
},
{
"masterTestId": "TEST_Redis",
"masterSnapshotId": [
"ARM_TEMPLATE_SNAPSHOT"
],
"type": "rego",
"rule": "file(Redis.rego)",
"evals": [
{
"id": "PR-AZR-0131-ARM",
"eval": "data.rule.enableSslPort",
"message": "data.rule.enableSslPort_err",
"remediationDescription": "In Resource of type \"Microsoft.Cache/redis\" make sure properties.enableNonSslPort value is set to false or isn't exist . \n Please visit https://docs.microsoft.com/en-us/azure/templates/Microsoft.Cache/redis for more details.",
"remediationFunction": "PR_AZR_0131_ARM.py"
}
],
"severity": "High",
"title": "Ensure that the Redis Cache accepts only SSL connections",
"description": "It is recommended that Redis Cache should allow only SSL connections. Note: some Redis tools (like redis-cli) do not support SSL. When using such tools plain connection ports should be enabled.",
"tags": [
{
"cloud": "git",
"compliance": [
"PCI-DSS",
"GDPR",
"ISO 27001",
"NIST CSF",
"HIPAA",
"Best Practices"
],
"service": [
"arm"
]
}
]
},
{
"masterTestId": "TEST_Redis_2",
"masterSnapshotId": [
"ARM_TEMPLATE_SNAPSHOT"
],
"type": "rego",
"rule": "file(Redis.rego)",
"evals": [
{
"id": "PR-AZR-0132-ARM",
"eval": "data.rule.serverRole",
"message": "data.rule.serverRole_err",
"remediationDescription": "In Resource of type \"Microsoft.Cache/redis/linkedServers\" make sure properties.serverRole value is set to Secondary. \n Please visit https://docs.microsoft.com/en-us/azure/templates/microsoft.cache/redis/linkedservers for more details.",
"remediationFunction": "PR_AZR_0132_ARM.py"
}
],
"severity": "Medium",
"title": "Redis cache should have a backup",
"description": "Replicate Redis Cache server data to another Redis Cache server using geo replication. This feature is only available for Premium tier Redis Cache. From performance point of view, Microsoft recommends that both Redis Caches (Primary and the linked secondary) reside in the same region.",
"tags": [
{
"cloud": "git",
"compliance": [
"PCI-DSS",
"ISO 27001",
"NIST CSF",
"HIPAA",
"Best Practices"
],
"service": [
"arm"
]
}
]
},
{
"masterTestId": "TEST_SQL_SERVER_2",
"masterSnapshotId": [
"ARM_TEMPLATE_SNAPSHOT"
],
"type": "rego",
"rule": "file(sql_servers.rego)",
"evals": [
{
"id": "PR-AZR-0133-ARM",
"eval": "data.rule.sql_server_login",
"message": "data.rule.sql_server_login_err",
"remediationDescription": "In Resource of type \"Microsoft.Sql/servers/administrators\" make sure properties.login value isn't set to \"admin\" or \"administrator\" . \n Please visit https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/administrators for details.",
"remediationFunction": "PR_AZR_0133_ARM.py"
}
],
"severity": "Medium",
"title": "Avoid using names like 'Admin' for an Azure SQL Server admin account login",
"description": "You must designate a Server admin login when you create an Azure SQL server. SQL server creates this account as a login in the master database. Only one such account can exist. This account connects using SQL Server authentication (username and password). It is recommended to avoid using names like 'admin' or 'administrator', which are targeted in brute force dictionary attacks.",
"tags": [
{
"cloud": "git",
"compliance": [
"PCI-DSS",
"GDPR",
"ISO 27001",
"NIST CSF",
"HIPAA",
"Best Practices"
],
"service": [
"arm"
]
}
]
}
]
}
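Review bot: The new `TEST_KEYVAULT_KEYS` and `TEST_Redis_2` entries wire `message` to `data.rule.kv_keys_expire_err` and `data.rule.serverRole_err` only, while the corresponding rego files in this commit define a separate `_miss_err` rule for the attribute-absent case, which also drives the rule to false; unless the evaluator falls back to `_miss_err` on its own (not visible here), a finding caused by a missing `exp`/`expiryTime` or `serverRole` attribute will be reported without a message. The `TEST_SQL_SERVER_2` entry evaluates `data.rule.sql_server_login` from sql_servers.rego, which is the fifth changed file and is not rendered in this view, so its rule and message names could not be checked against the strings here.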
4 changes: 2 additions & 2 deletions azure/iac/sql_alert_policy.rego
Expand Up @@ -67,7 +67,7 @@ sql_logical_server_alert_metadata := {
}


# PR-AZR-0127-ARM
# PR-AZR-0129-ARM

default sql_server_alert = null

Expand Down Expand Up @@ -107,7 +107,7 @@ sql_server_alert_err = "Security alert is currently not enabled on SQL Server re
}

sql_server_alert_metadata := {
"Policy Code": "PR-AZR-0127-ARM",
"Policy Code": "PR-AZR-0129-ARM",
"Type": "IaC",
"Product": "AZR",
"Language": "ARM template",