tenable · gaurav-gogia · Jun 16, 2021 · Jun 14, 2021 · Jun 14, 2021 · Jun 15, 2021
@@ -0,0 +1,20 @@
+{
+	"name": "networkPort3020ExposedToInternetAz",
+	"file": "networkPortExposedToInternetAz.rego",
+	"policy_type": "azure",
+	"resource_type": "azurerm_network_security_rule",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "networkPort3020ExposedToInternetAz",
+		"portNumber": 3020,
+		"prefix": "",
+		"protocol": "Tcp",
+		"suffix": ""
+	},
+	"severity": "HIGH",
+	"description": "Ensure CIFS / SMB (Tcp:3020) is not exposed to entire internet for Azure Network Security Rule",
+	"reference_id": "AC_AZURE_0270",
+	"id": "AC_AZURE_0270",
+	"category": "Infrastructure Security",
+	"version": 2
+}
@@ -0,0 +1,20 @@
+{
+	"name": "networkPort3020ExposedToPublicAz",
+	"file": "networkPortExposedToPublicAz.rego",
+	"policy_type": "azure",
+	"resource_type": "azurerm_network_security_rule",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "networkPort3020ExposedToPublicAz",
+		"portNumber": 3020,
+		"prefix": "",
+		"protocol": "Tcp",
+		"suffix": ""
+	},
+	"severity": "MEDIUM",
+	"description": "Ensure CIFS / SMB (Tcp:3020) is not exposed to public for Azure Network Security Rule",
+	"reference_id": "AC_AZURE_0271",
+	"id": "AC_AZURE_0271",
+	"category": "Infrastructure Security",
+	"version": 2
+}
@@ -0,0 +1,20 @@
+{
+	"name": "networkPort3020ExposedToPrivateAz",
+	"file": "networkPortExposedToPrivateAz.rego",
+	"policy_type": "azure",
+	"resource_type": "azurerm_network_security_rule",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "networkPort3020ExposedToPrivateAz",
+		"portNumber": 3020,
+		"prefix": "",
+		"protocol": "Tcp",
+		"suffix": ""
+	},
+	"severity": "LOW",
+	"description": "Ensure CIFS / SMB (Tcp:3020) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+	"reference_id": "AC_AZURE_0272",
+	"id": "AC_AZURE_0272",
+	"category": "Infrastructure Security",
+	"version": 2
+}
@@ -0,0 +1,20 @@
+{
+	"name": "networkPort7001ExposedToInternetAz",
+	"file": "networkPortExposedToInternetAz.rego",
+	"policy_type": "azure",
+	"resource_type": "azurerm_network_security_rule",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "networkPort7001ExposedToInternetAz",
+		"portNumber": 7001,
+		"prefix": "",
+		"protocol": "Tcp",
+		"suffix": ""
+	},
+	"severity": "HIGH",
+	"description": "Ensure Cassandra (Tcp:7001) is not exposed to entire internet for Azure Network Security Rule",
+	"reference_id": "AC_AZURE_0273",
+	"id": "AC_AZURE_0273",
+	"category": "Infrastructure Security",
+	"version": 2
+}
@@ -0,0 +1,20 @@
+{
+	"name": "networkPort7001ExposedToPublicAz",
+	"file": "networkPortExposedToPublicAz.rego",
+	"policy_type": "azure",
+	"resource_type": "azurerm_network_security_rule",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "networkPort7001ExposedToPublicAz",
+		"portNumber": 7001,
+		"prefix": "",
+		"protocol": "Tcp",
+		"suffix": ""
+	},
+	"severity": "MEDIUM",
+	"description": "Ensure Cassandra (Tcp:7001) is not exposed to public for Azure Network Security Rule",
+	"reference_id": "AC_AZURE_0274",
+	"id": "AC_AZURE_0274",
+	"category": "Infrastructure Security",
+	"version": 2
+}
@@ -0,0 +1,20 @@
+{
+	"name": "networkPort7001ExposedToPrivateAz",
+	"file": "networkPortExposedToPrivateAz.rego",
+	"policy_type": "azure",
+	"resource_type": "azurerm_network_security_rule",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "networkPort7001ExposedToPrivateAz",
+		"portNumber": 7001,
+		"prefix": "",
+		"protocol": "Tcp",
+		"suffix": ""
+	},
+	"severity": "LOW",
+	"description": "Ensure Cassandra (Tcp:7001) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+	"reference_id": "AC_AZURE_0275",
+	"id": "AC_AZURE_0275",
+	"category": "Infrastructure Security",
+	"version": 2
+}
@@ -0,0 +1,20 @@
+{
+	"name": "networkPort61621ExposedToInternetAz",
+	"file": "networkPortExposedToInternetAz.rego",
+	"policy_type": "azure",
+	"resource_type": "azurerm_network_security_rule",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "networkPort61621ExposedToInternetAz",
+		"portNumber": 61621,
+		"prefix": "",
+		"protocol": "Tcp",
+		"suffix": ""
+	},
+	"severity": "HIGH",
+	"description": "Ensure Cassandra OpsCenter (Tcp:61621) is not exposed to entire internet for Azure Network Security Rule",
+	"reference_id": "AC_AZURE_0276",
+	"id": "AC_AZURE_0276",
+	"category": "Infrastructure Security",
+	"version": 2
+}
@@ -0,0 +1,20 @@
+{
+	"name": "networkPort22ExposedToInternetAz",
+	"file": "networkPortExposedToInternetAz.rego",
+	"policy_type": "azure",
+	"resource_type": "azurerm_network_security_rule",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "networkPort22ExposedToInternetAz",
+		"portNumber": 22,
+		"prefix": "",
+		"protocol": "Tcp",
+		"suffix": ""
+	},
+	"severity": "HIGH",
+	"description": "Ensure SSH (Tcp:22) is not exposed to entire internet for Azure Network Security Rule",
+	"reference_id": "AC_AZURE_0285",
+	"id": "AC_AZURE_0285",
+	"category": "Infrastructure Security",
+	"version": 2
+}
@@ -0,0 +1,20 @@
+{
+	"name": "networkPort22ExposedToPublicAz",
+	"file": "networkPortExposedToPublicAz.rego",
+	"policy_type": "azure",
+	"resource_type": "azurerm_network_security_rule",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "networkPort22ExposedToPublicAz",
+		"portNumber": 22,
+		"prefix": "",
+		"protocol": "Tcp",
+		"suffix": ""
+	},
+	"severity": "MEDIUM",
+	"description": "Ensure SSH (Tcp:22) is not exposed to public for Azure Network Security Rule",
+	"reference_id": "AC_AZURE_0286",
+	"id": "AC_AZURE_0286",
+	"category": "Infrastructure Security",
+	"version": 2
+}
@@ -0,0 +1,20 @@
+{
+	"name": "networkPort22ExposedToPrivateAz",
+	"file": "networkPortExposedToPrivateAz.rego",
+	"policy_type": "azure",
+	"resource_type": "azurerm_network_security_rule",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "networkPort22ExposedToPrivateAz",
+		"portNumber": 22,
+		"prefix": "",
+		"protocol": "Tcp",
+		"suffix": ""
+	},
+	"severity": "LOW",
+	"description": "Ensure SSH (Tcp:22) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+	"reference_id": "AC_AZURE_0287",
+	"id": "AC_AZURE_0287",
+	"category": "Infrastructure Security",
+	"version": 2
+}
@@ -0,0 +1,20 @@
+{
+	"name": "networkPort3389ExposedToInternetAz",
+	"file": "networkPortExposedToInternetAz.rego",
+	"policy_type": "azure",
+	"resource_type": "azurerm_network_security_rule",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "networkPort3389ExposedToInternetAz",
+		"portNumber": 3389,
+		"prefix": "",
+		"protocol": "Tcp",
+		"suffix": ""
+	},
+	"severity": "HIGH",
+	"description": "Ensure that RDP access is restricted from the internet for Azure Network Security Rule",
+	"reference_id": "AC_AZURE_0342",
+	"id": "AC_AZURE_0342",
+	"category": "Infrastructure Security",
+	"version": 2
+}
@@ -0,0 +1,20 @@
+{
+	"name": "networkPortAllExposedToInternetAz",
+	"file": "networkPortExposedToInternetAz.rego",
+	"policy_type": "azure",
+	"resource_type": "azurerm_network_security_rule",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "networkPortAllExposedToInternetAz",
+		"portNumber": "*",
+		"prefix": "",
+		"protocol": "*",
+		"suffix": ""
+	},
+	"severity": "HIGH",
+	"description": "Ensure that request initiated from all ports (*) for all destination ports (*) is restricted from the internet for Azure Network Security Rule",
+	"reference_id": "AC_AZURE_0357",
+	"id": "AC_AZURE_0357",
+	"category": "Infrastructure Security",
+	"version": 2
+}
@@ -0,0 +1,17 @@
+{
+	"name": "tooOpenPrivateIPs",
+	"file": "tooOpenPrivateIPs.rego",
+	"policy_type": "azure",
+	"resource_type": "azurerm_network_security_rule",
+	"template_args": {
+		"name": "tooOpenPrivateIPs",
+		"prefix": "",
+		"suffix": ""
+	},
+	"severity": "LOW",
+	"description": "Ensure server is not exposed to private hosts more than 32 for Azure Network Security Rule",
+	"reference_id": "AC_AZURE_0421",
+	"id": "AC_AZURE_0421",
+	"category": "Infrastructure Security",
+	"version": 1
+}
@@ -0,0 +1,20 @@
+{
+	"name": "networkPort5900ExposedToPrivateAz",
+	"file": "networkPortExposedToPrivateAz.rego",
+	"policy_type": "azure",
+	"resource_type": "azurerm_network_security_rule",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "networkPort5900ExposedToPrivateAz",
+		"portNumber": 5900,
+		"prefix": "",
+		"protocol": "Tcp",
+		"suffix": ""
+	},
+	"severity": "LOW",
+	"description": "Ensure VNC Server (Tcp:5900) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+	"reference_id": "AC_AZURE_0422",
+	"id": "AC_AZURE_0422",
+	"category": "Infrastructure Security",
+	"version": 2
+}
@@ -0,0 +1,20 @@
+{
+	"name": "networkPort5900ExposedToPublicAz",
+	"file": "networkPortExposedToPublicAz.rego",
+	"policy_type": "azure",
+	"resource_type": "azurerm_network_security_rule",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "networkPort5900ExposedToPublicAz",
+		"portNumber": 5900,
+		"prefix": "",
+		"protocol": "Tcp",
+		"suffix": ""
+	},
+	"severity": "MEDIUM",
+	"description": "Ensure VNC Server (Tcp:5900) is not exposed to public for Azure Network Security Rule",
+	"reference_id": "AC_AZURE_0423",
+	"id": "AC_AZURE_0423",
+	"category": "Infrastructure Security",
+	"version": 2
+}
@@ -0,0 +1,20 @@
+{
+	"name": "networkPort5900ExposedToInternetAz",
+	"file": "networkPortExposedToInternetAz.rego",
+	"policy_type": "azure",
+	"resource_type": "azurerm_network_security_rule",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "networkPort5900ExposedToInternetAz",
+		"portNumber": 5900,
+		"prefix": "",
+		"protocol": "Tcp",
+		"suffix": ""
+	},
+	"severity": "HIGH",
+	"description": "Ensure VNC Server (Tcp:5900) is not exposed to entire internet for Azure Network Security Rule",
+	"reference_id": "AC_AZURE_0424",
+	"id": "AC_AZURE_0424",
+	"category": "Infrastructure Security",
+	"version": 2
+}
@@ -0,0 +1,20 @@
+{
+	"name": "networkPort5500ExposedToPrivateAz",
+	"file": "networkPortExposedToPrivateAz.rego",
+	"policy_type": "azure",
+	"resource_type": "azurerm_network_security_rule",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "networkPort5500ExposedToPrivateAz",
+		"portNumber": 5500,
+		"prefix": "",
+		"protocol": "Tcp",
+		"suffix": ""
+	},
+	"severity": "LOW",
+	"description": "Ensure VNC Listener (Tcp:5500) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+	"reference_id": "AC_AZURE_0425",
+	"id": "AC_AZURE_0425",
+	"category": "Infrastructure Security",
+	"version": 2
+}
@@ -0,0 +1,20 @@
+{
+	"name": "networkPort5500ExposedToPublicAz",
+	"file": "networkPortExposedToPublicAz.rego",
+	"policy_type": "azure",
+	"resource_type": "azurerm_network_security_rule",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "networkPort5500ExposedToPublicAz",
+		"portNumber": 5500,
+		"prefix": "",
+		"protocol": "Tcp",
+		"suffix": ""
+	},
+	"severity": "MEDIUM",
+	"description": "Ensure VNC Listener (Tcp:5500) is not exposed to public for Azure Network Security Rule",
+	"reference_id": "AC_AZURE_0426",
+	"id": "AC_AZURE_0426",
+	"category": "Infrastructure Security",
+	"version": 2
+}