prancer-io / prancer-compliance-test Goto Github PK
View Code? Open in Web Editor NEWThis repository includes cloud security policies for IaC and live resources.
Home Page: https://www.prancer.io
This repository includes cloud security policies for IaC and live resources.
Home Page: https://www.prancer.io
on the following rule (registrieswebhooks.rego) we have a empty body
acr_webhooks_miss_err = "Container registy webhook attribute service_uri missing in the resource" {
}
and because of that, we faced this error:
found empty body
Please look into the ARM template at https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/locks?tabs=json
this section should a child resource block of existing resource group's resources in the same template.
Rule is checking "microsoft.authorization/locks" 's id property with name 'resourcegroups' which is totally wrong
instead it should check if there is a parent resource group resource exist or can use the scope
property.
The title of the Policy should change to: Activity log alerts should be enabled
and provide an accurate description
this policy is about enabling the activity log alerts:
Indicates whether this activity log alert is enabled. If an activity log alert is not enabled, then none of its actions will be activated.
Please look into file https://github.com/prancer-io/prancer-compliance-test/blob/master/azure/iac/securitycontacts.rego
the regular expression is currently matching only a single email address on resource.properties.emails
but as per SecurityContactProperties -> emails
at https://docs.microsoft.com/en-us/azure/templates/microsoft.security/securitycontacts?tabs=json emails
can have multiple email address though its not defined what will be the separator for this, assuming semicolon (;) but need to confirm by researching.
The regular expression need to match multiple email address.
this can be handy for logic buildup (syntax may vary): https://stackoverflow.com/questions/9809357/regex-for-validating-multiple-e-mail-addresses
at first, according the conditions had written in this storageaccounts.rego file (id = PR-AZR-0092-ARM); we have multiple outputs and because of that we faced this error: complete rules must not produce multiple outputs
and we need two different variables for checking attribute supportsHttpsTrafficOnly
because of API version
in latest API from 2019-04-01, supportsHttpsTrafficOnly is true by default if not exist
and
in older API before 2019-04-01, supportsHttpsTrafficOnly is false by default if not exist
As I try to add kubernetes type for post deployment in prancer, I found we are not able to get snapshots type from related function.
file master_snapshot.py line 104:
snapshot_data = mastersnapshot_fns[snapshot_type](mastersnapshot)
file snapshot.py line 86:
snapshot_data = snapshot_fns[snapshot_type](snapshot, container)
None of mastersnapshot,snapshot and container params include snapshot type which declared in snapshot configuration or master snapshot configuration file.
Actually should pass snapshot type as param too, So there is no need to find it from fields as it exist like below example in file snapshot_google.py line 408:
if 'masterSnapshotId' in node: snapshot_data[node['snapshotId']] = node['masterSnapshotId'] else: snapshot_data[node['snapshotId']] = False if error_str else True else: node['status'] = 'inactive' elif 'masterSnapshotId' in node: data = get_all_nodes
prancer version : 1.0.39
on blobservices.rego file (azure-iac) we need 2 different attribute for checking existence and the value
for example we can use azure_attribute_absence
and azure_issue
we are doing that to can specify kind of the error
keys
, secrets
and certificates
are optional in the ARM template:
https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults?tabs=json
Other than the count
test, we should also if they exist in the template.
master-compliance has duplicate test case PR-AWS-0151-CFR.
I was trying to run masterTestId: "TEST_DB_ADMINISTRATORS"
from master-compliance-test.json
.
in related rego file at azure\terraform\dbadministrators.rego
under azure_issue
rule
re_match(concat("", ["^.*\\.", resource.name, "\\..*$"]), r.properties.server_name);
is not matching the server name correctly between azurerm_sql_server
and azurerm_sql_active_directory_administrator
Regular expression is not correct and it is always returning false event if there is a matching input as well as resource.name
should be resource.properties.name
For example : i have azurerm_sql_server
name in terraform as prancer-sql-server2
which should be the resource.properties.name
and r.properties.server_name
should have the same name if we need to do a successful match, otherwise match will fail.
So, if we do the OPA run console to a do a test quickly and put re_match(concat("", ["^.*\\.", "prancer-sql-server2", "\\..*$"]), "prancer-sql-server2")
it is returning false but it should return true. which clearly demonstrate the regex is not correct.
There is a true == false
at the end of the rule which is actually returning the output and by forcing we are making the rule to send false output which is a pass case scenario here.
on the following rego file:
https://github.com/prancer-io/prancer-compliance-test/blob/master/azure/iac/Redis.rego
we used these conditions:
default enableSslPort = null
# default is false
azure_attribute_absence ["enableSslPort"] {
resource := input.resources[_]
lower(resource.type) == "microsoft.cache/redis"
not resource.properties.enableNonSslPort
}
azure_issue ["enableSslPort"] {
resource := input.resources[_]
lower(resource.type) == "microsoft.cache/redis"
resource.properties.enableNonSslPort != false
}
enableSslPort {
azure_attribute_absence["enableSslPort"]
}
enableSslPort {
lower(input.resources[_].type) == "microsoft.cache/redis"
not azure_issue["servenableSslPorterRole"]
}
enableSslPort = false {
azure_issue["enableSslPort"]
}
enableSslPort_err = "Redis cache is currently allowing unsecure connection via a non ssl port opened" {
azure_issue["enableSslPort"]
}
and we use this variable enableSslPort
for that except this below part:
not azure_issue["servenableSslPorterRole"]
so servenableSslPorterRole
should changes to enableSslPort
Prancer basic new version is released with an upgraded version of python-hcl2.
Update the terraform rego files based on the updated JSON structure of generated terraform snapshots.
There is one extra error variable for all of rego files
for example in below rego file:
https://github.com/prancer-io/prancer-compliance-test/blob/master/azure/iac/activitylogalerts.rego
alerts_err = "Send me emails about alerts is set to OFF in Security Center" {
azure_issue["alerts"]
}
alerts_miss_err = "Activitylog alerts attribute enabled missing in the resource" {
azure_attribute_absence["alerts"]
}
we have two variables for calling the errors but in our master compliance files, we just call the first one
https://github.com/prancer-io/prancer-compliance-test/blob/master/azure/iac/master-compliance-test.json
{
"evals": [
{
"id": "PR-AZR-0090-ARM",
"eval": "data.rule.alerts",
"message": "data.rule.alerts_err",
"remediationDescription" : ""
"remediationFunction": ""
}
]
}
In my opinion we can use same variable for both errors
for example:
alerts_err = "Send me emails about alerts is set to OFF in Security Center" {
azure_issue["alerts"]
}
alerts_err = "Activitylog alerts attribute enabled missing in the resource" {
azure_attribute_absence["alerts"]
}
secrets.rego considering normal string as a secret. and failing the test case also title for the issue is wrong in rego file.
According to the document of the following arm template , it should first check for "publicNetworkAccess" and then the "publicNetworkAccess" value should be "disabled"
https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers
so we need to use this condition as well:
azure_attribute_absence["sql_public_access"] {
resource := input.resources[_]
lower(resource.type) == "microsoft.sql/servers"
resource.properties.publicNetworkAccess
}
also sql-server.rego didn't exist on master-compliance-test
In this following arm template:
https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults/keys
we should check existence of expiration of key vault keys and make sure the value of that is not empty
Rule PR-AWS-0067-CFR : AWS Elastic Load Balancer (ELB) has a security group with no inbound rules.
It should check whether securityGroup has INBOUND rules or not, but It only checks the availability or count of securityGroup.
Also rule Id is mismatch with master-complinace Id.
https://docs.microsoft.com/en-us/azure/templates/microsoft.databricks/workspaces?tabs=json
We should have policies for Azure Databricks, both the ARM template and Terraform
If the addonProfiles.httpApplicationRouting
does not exist, it means it is disabled. the test should pass
According to the document of the following arm template, it should first check for "state" and then the "state" value should be "disabled"
https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/securityalertpolicies
so we need to use this condition as well:
azure_attribute_absence["sql_instance_security_alert_disabled"] {
resource := input.resources[_]
lower(resource.type) == "microsoft.sql/managedinstances/securityalertpolicies"
not resource.properties.state
}
also sql_alert_policy.rego didn't exist on master-compliance-test
The aws_acm_certificate
resource in terraform can work in three modes:
a. Create an amazon issued certificate
b. Importing an existing certificate
c. Creating a private CA issued certificate
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate
for scenario a & c “domain name” is a required field on which the compliance test is based that:
https://github.com/prancer-io/prancer-compliance-test/blob/master/aws/terraform/master-compliance-test.json
The rego file should be changed to cover scenario b as well.
with the current configuration in the rego file, scenario b always fails for this test which is not correct.
We faced an issue when we want to check the existence of a variable and check the value of that has been false
for example on the following policy, at first, we want to check the existence of "enableNonSslPort" and after that, check the value of enableNonSslPort is "false"
https://gsl.dome9.com/D9.AZU.CRY.05.html
so for this arm template https://docs.microsoft.com/en-us/azure/templates/microsoft.cache/redis, when we want to check existence of enableNonSslPort, we used this condition normally :
azure_attribute_absence["enableNonSslPort"] {
resource := input.resources[_]
lower(resource.type) == "microsoft.cache/redis"
resource.properties.enableNonSslPort
}
So according to rules of Open Policy Agent, in this case <resource.properties.enableNonSslPort> checkes
( resource.properties.enableNonSslPort exists ) and ( resource.properties.enableNonSslPort != False )
https://www.openpolicyagent.org/docs/latest/policy-reference/#objects
So the result of this test always failed and if we want to have a passed result, enableNonSslPort must be exists and the value of that must be True and this is opposite of the policy
PR-AWS-0144-CFR : AWS S3 CloudTrail buckets for which access logging is disabled.
As per the AWS documentation, there is no attribute "logging" available in the "statement"
I was trying to run masterTestId: "TEST_DB_AUDITING_DB_SETTINGS_1"
from master-compliance-test.json
.
in related rego file at azure\terraform\dbauditingdbsettings.rego
under azure_issue
rule
re_match(concat("", ["^.*\\.", resource.name, "\\..*$"]), r.properties.database_id);
is not matching the db name correctly between azurerm_mssql_database
and azurerm_mssql_database_extended_auditing_policy
Regular expression is not correct and it is always returning false event if there is a matching input as well as resource.name
should be resource.properties.name
For example : i have azurerm_mssql_database
name in terraform as prancer-sql-db
which should be the resource.properties.name
and r.properties.database_id
should have the sql db id with format "/subscriptions/{subscription_Id}/resourceGroups/{rg_name}/providers/Microsoft.Sql/servers/{sql_server_name}/databases/prancer-sql-db"
. we can see it has the db name at the end. if we need to do a successful match we need to parse the db name out of the r.properties.database_id
and match with resource.properties.name
, otherwise match will fail.
So, if we do the OPA run console to a do a test quickly and put re_match(concat("", ["^.*\\.", "prancer-sql-db", "\\..*$"]), "/subscriptions/subscription_Id/resourceGroups/rg_name/providers/Microsoft.Sql/servers/sql_server_name/databases/prancer-sql-db")
it is returning false but it should return true. which clearly demonstrate the regex is not correct.
There is a true == false
at the end of the rule which is actually returning the output and by forcing we are making the rule to send false output which is a pass case scenario here.
In Azure->terraform->keyvaultsecrets.rego azurerm_key_vault_secret
expiration is compared by count(resource.properties.expiration_date) = 0
which is clearly an assignment to 0,
this should be count(resource.properties.expiration_date) == 0
Also count
function is only checking the length of characters in the variable expiration_date
. other then null
if some one type 'abcd'
instead of valid date, this count
will treat this as a valid date, which is invalid as well.
we have duplicate test cases on master compliance on Azure-IaC
on master compliance test we have this test case:
{
"masterTestId": "TEST_SQL_SERVER_ALERT_1",
"masterSnapshotId": [
"ARM_TEMPLATE_SNAPSHOT"
],
"type": "rego",
"rule": "file(sql_alert_policy.rego)",
"evals": [
{
"id": "PR-AZR-0102-ARM",
"eval": "data.rule.sql_logical_server_alert",
"message": "data.rule.sql_logical_server_alert_err",
"remediationDescription": "In Resource of type \"Microsoft.sql/servers/securityalertpolicies\" make sure properties.state exists and value is set to \"Enabled\" . \n Please visit https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/securityalertpolicies.",
"remediationFunction": "PR_AZR_0102_ARM.py"
}
],
"severity": "Medium",
"title": "Ensure Security Alert is enabled on Azure SQL Logical Server",
"description": "Advanced data security should be enabled on your SQL servers.",
"tags": [
{
"cloud": "git",
"compliance": [],
"service": [
"arm"
]
}
]
}
and
{
"masterTestId": "TEST_SQL_SERVER_ALERT",
"masterSnapshotId": [
"ARM_TEMPLATE_SNAPSHOT"
],
"type": "rego",
"rule": "file(sql_alert_policy.rego)",
"evals": [
{
"id": "PR-AZR-0102-ARM",
"eval": "data.rule.sql_server_alert",
"message": "data.rule.sql_server_alert_err",
"remediationDescription": "Make sure you are following the ARM template guidelines for vpn gateway from this URL : https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/securityalertpolicies",
"remediationFunction": "PR_AZR_0102_ARM.py"
}
],
"severity": "Medium",
"title": "Advanced data security should be enabled on your SQL servers.",
"description": "Advanced data security should be enabled on your SQL servers.",
"tags": [
{
"cloud": "git",
"compliance": [
"NIST 800"
],
"service": [
"arm"
]
}
]
}
and
{
"masterTestId": "TEST_SQL_MANAGED_INSTANCE_ALERT",
"masterSnapshotId": [
"ARM_TEMPLATE_SNAPSHOT"
],
"type": "rego",
"rule": "file(sql_alert_policy.rego)",
"evals": [
{
"id": "PR-AZR-0102-ARM",
"eval": "data.rule.sql_managed_instance_alert",
"message": "data.rule.sql_managed_instance_alert_err",
"remediationDescription": "Make sure you are following the ARM template guidelines for vpn gateway from this URL : https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/managedinstances/securityalertpolicies",
"remediationFunction": "PR_AZR_0102_ARM.py"
}
],
"severity": "Medium",
"title": "Advanced data security should be enabled on your SQL servers.",
"description": "Advanced data security should be enabled on your SQL servers.",
"tags": [
{
"cloud": "git",
"compliance": [
"NIST 800"
],
"service": [
"arm"
]
}
]
}
as you can see we have 3 test cases with "id": "PR-AZR-0102-ARM"
and except the first one, we have the other ones with different ID
and in a few test cases id
and remediationFunction
aren't match
Terraform rego rule not validating for boolean value defined in string
rule get passed if the value is a blank list
rule get passed if the value is defined as null
aws_redshift_parameter_group property name should be parameter
not parameters
Master snapshot configuration file for the Azure cloud should be updated to include these two new resource types:
"type": "Microsoft.Sql/servers/administrators"
and
"type": "Microsoft.Sql/managedInstances/administrators"
These resource types are related to the Azure AD authentication for Azure SQL policies.
we need a master test and master snapshot for AWS >>> ACK that we can use our rego files
on the following rego file:
https://github.com/prancer-io/prancer-compliance-test/blob/master/azure/iac/Redis.rego
we used these conditions:
azure_attribute_absence ["serverRole"] {
resource := input.resources[_]
lower(resource.type) == "microsoft.cache/redis/linkedservers"
not resource.properties.serverRole
}
azure_issue ["serverRole"] {
resource := input.resources[_]
lower(resource.type) == "microsoft.cache/redis/linkedservers"
lower(resource.properties.serverRole) != "secondary"
}
serverRole {
lower(input.resources[_].type) == "microsoft.cache/redis/linkedservers"
not azure_attribute_absence["serverRole"]
not azure_issue["serverRole"]
}
serverRole = false {
azure_attribute_absence["serverRole"]
}
serverRole = false {
azure_issue["serverRole"]
}
serverRole_miss_err = "Azure Redis Cache linked server property 'serverRole' is missing from the resource" {
azure_attribute_absence["serverRole"]
}
serverRole_err = "Azure Redis Cache linked backup server currently does not have secondary role." {
azure_issue["serverRole"]
}
but in this case, we need to make sure Microsoft.cache/Redis exists in the same template first
so we need to use this condition as well:
azure_attribute_absence ["serverRole"] {
count([c | input.resources[_].type == "microsoft.cache/redis"; c := 1]) != count([c | input.resources[_].type == "microsoft.cache/redis/linkedservers"; c := 1])
}
In the following arm template
https://docs.microsoft.com/en-us/azure/templates/Microsoft.Cache/redis
we should ensure that the Redis cache accepts only SSL connections
so enableNonSslPort
in the arm template should not exists or the value of that must be false
For better security, Azure SQL should have Azure AD authentication enabled instead of local accounts.
We need to cover this policy both for Azure SQL and Azure SQL Managed Instances.
ARM template reference:
https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2019-06-01-preview/servers/administrators?tabs=json
Azure policy to help with the development:
{
"if": {
"field": "type",
"equals": "Microsoft.Sql/managedInstances"
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.Sql/managedInstances/administrators",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Sql/managedInstances/administrators/administratorType",
"equals": "ActiveDirectory"
}
]
}
}
}
}
Azure SQL:
{
"if": {
"field": "type",
"equals": "Microsoft.Sql/servers"
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.Sql/servers/administrators",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Sql/servers/administrators/administratorType",
"equals": "ActiveDirectory"
}
]
}
}
}
}
We need to have the rego file both for the cloud and IaC
The current Rego file is checking for aws_security_group_rule
for blocked inbound / outbound rules:
https://github.com/prancer-io/prancer-compliance-test/blob/master/aws/terraform/securitygroup.rego
which is based on terraform best practices.
But also it is possible to write a single ingress/egress rule for aws_security_group
as well:
resource "aws_security_group" "allow_tls" {
name = "allow_tls"
description = "Allow TLS inbound traffic"
vpc_id = aws_vpc.main.id
ingress {
description = "TLS from VPC"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = [aws_vpc.main.cidr_block]
ipv6_cidr_blocks = [aws_vpc.main.ipv6_cidr_block]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
tags = {
Name = "allow_tls"
}
}
We need to cover inline ingress/egress in the rego rule as well.
In the following arm template:
https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2014-04-01/servers/administrators
we should Avoid using names like 'Admin' or 'Administrator' for an Azure SQL Server
so the value of login
in the arm template should not 'admin' or 'Administrator'
in following rule we have multiple outputs:
# PR-AZR-0092-TRF
#
default storage_secure = null
azure_attribute_absence["storage_secure"] {
resource := input.resources[_]
lower(resource.type) == "azurerm_storage_account"
# Defaults to true if property not available
not resource.properties.enable_https_traffic_only
}
azure_issue["storage_secure"] {
resource := input.resources[_]
lower(resource.type) == "azurerm_storage_account"
resource.properties.enable_https_traffic_only != true
}
storage_secure {
lower(input.resources[_].type) == "azurerm_storage_account"
not azure_attribute_absence["storage_secure"]
not azure_issue["storage_secure"]
}
storage_secure {
azure_attribute_absence["storage_secure"]
}
storage_secure = false {
azure_issue["storage_secure"]
}
storage_secure_err = "Storage Accounts https based secure transfer is not enabled" {
azure_issue["storage_secure"]
}
according to this rule, storage_secure
have multiple outputs and because of that, we faced this error:
complete rules must not produce multiple outputs
The value of remediationDescription
and remediationFunction
is not set in following terraform compliance configuration files.
Also provide new test cases for following resources:
for rule PR-AWS-0046-CFR if AssociatePublicIpAddress is not defined then its default value is true.
And opa evaluate not defined
value and false
equally. so for the rule, we need to check whether AssociatePublicIpAddress has the value true or not defined. but these are both are opposite scenarios for opa.
so we can't validate both conditions.
We need to add a new test to check if allowBlobPublicAccess
is disabled
if it is enabled or the property does not exist, we should fail the test:
https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=json
We need the test for both IaC and Terraform
This is a sample template for Azure SQL Server:
https://github.com/Azure/azure-quickstart-templates/tree/67165c0ebba1936edabe19bcf92578946a9895ea/quickstarts/microsoft.sql/sql-logical-server
alert setting snippet from the file:
{
"condition": "[parameters('enableADS')]",
"type": "securityAlertPolicies",
"apiVersion": "2020-02-02-preview",
"name": "Default",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('serverName'))]"
],
"properties": {
"state": "Enabled",
"emailAccountAdmins": true
}
}
In this rego file, there is a problem:
https://github.com/prancer-io/prancer-compliance-test/blob/master/azure/iac/sql_alert_policy.rego
in this section of the file:
default sql_managed_instance_alert = null
azure_sql_security_alert_disabled["sql_instance_security_alert_disabled"] {
resource := input.resources[_]
lower(resource.type) == "microsoft.sql/managedInstances"
sql_resources := resource.resources[_]
lower(sql_resources.type) == "securityalertpolicies"
sql_resources.properties.state == "Disabled"
}
azure_sql_security_alert_disabled["sql_instance_security_alert_disabled"] {
resource := input.resources[_]
lower(resource.type) == "microsoft.sql/managedInstances/securityalertpolicies"
resource.properties.state == "Disabled"
}
sql_managed_instance_alert {
not azure_sql_security_alert_disabled["sql_instance_security_alert_disabled"]
}
sql_managed_instance_alert = false {
azure_sql_security_alert_disabled["sql_instance_security_alert_disabled"]
}
sql_managed_instance_alert_err = "Security alert for SQL managed instance is Disabled" {
azure_sql_security_alert_disabled["sql_instance_security_alert_disabled"]
}
When you run the template and the rego snippet, it shows the result as true
:
./opa eval -i sample.json -d test.rego "data.rule.sql_managed_instance_alert"
{
"result": [
{
"expressions": [
{
"value": {
"sql_managed_instance_alert": true
},
"text": "data.rule.sql_managed_instance_alert",
"location": {
"row": 1,
"col": 1
}
}
]
}
]
}
Because the type of the resource is "type": "Microsoft.Sql/servers"
, we expect the result to be null
the equivalent Azure policy can be read here:
https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json
according to the following docs of arm template, Virtual Machine where isScaleSetVm=false should have availabilitySet
https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines
https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachinescalesets/virtualmachines
so we should check
azure_issue["vm_aset"] {
resource := input.resources[_]
lower(resource.type) == "microsoft.compute/virtualmachines"
not resource.properties.availabilitySet
}
instead of
azure_issue["vm_aset"] {
resource := input.resources[_]
lower(resource.type) == "microsoft.compute/virtualmachinescalesets/virtualmachines"
not resource.properties.availabilitySet
}
in databricks.rego databrics_workspace_has_public_ip_disabled_metadata
called twice
and according to rules of OPA, we faced this error
rule named databrics_workspace_has_public_ip_disabled_metadata redeclared
so we should change the name one of them
there is a problem with the Azure rego policy for the storage account.
this is our rego file in IaC:
https://github.com/prancer-io/prancer-compliance-test/blob/kcc-google/azure/iac/storageaccounts.rego
check the supportsHttpsTrafficOnly part
the test is different based on the API version because it seems the api is changed at some time
this is the equivalent Azure policy for the same test:
https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"anyOf": [
{
"allOf": [
{
"value": "[requestContext().apiVersion]",
"less": "2019-04-01"
},
{
"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
"exists": "false"
}
]
},
{
"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
"equals": "false"
}
]
}
]
We need to fix this both for Azure IaC and Cloud
in aks.rego aks_rbac_metadata
called twice
and according to rules of OPA, we faced this error
rule named aks_rbac_metadata redeclared at /tmp/tmpqhkh10wy/azure/terraform/aks.rego:399
so we should change one of the name
We need to ensure that SQL Server Auditing is Enabled for Azure >>> IaC
for example in the following arm template, we should check properties.state
exists and check the value of that is set to Enabled
https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2021-02-01-preview/servers/auditingsettings
for more information please see this: https://gsl.dome9.com/D9.AZU.MON.49.html
We need to have a new rule, to test for the AKS Azure AD enabled RBAC. this is different than the old RBAC rule we already have. the criteria should be based on the following parameters:
"aadProfileConfiguration": {
"managed": "[parameters('aadProfileManaged')]",
"enableAzureRBAC": "[parameters('aadProfileEnableAzureRBAC')]",
"adminGroupObjectIDs": "[parameters('aadProfileAdminGroupObjectIDs')]",
"tenantID": "[parameters('aadProfileTenantId')]"
}
In file https://github.com/prancer-io/prancer-compliance-test/blob/master/azure/terraform/vnetsubnets.rego re_match(concat("", ["^.*\\.", resource.name, "\\..*$"]), r.properties.subnet_id);
is incorrect and need to match with resource.id
as per https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_network_security_group_association
matching with id is impossible during compile time as id will only available from tf output file.
We need to find some other way to match the subnet association with vnet.
PR-AWS-0158-CFR : AWS SSM Parameter is not encrypted
As per the documentation, the "SecureString" does not support for the property type.
In some terraform rego files, the language of some rules noted as 'AWS Cloud Formation'. but it should be 'Terraform'
aws/terraform/api_gateway.rego
"Policy Code": "PR-AWS-0203-TRF",
"Type": "IaC",
"Product": "AWS",
"Language": "AWS Cloud formation"
,
"Policy Title": "AWS API gateway request parameter is not validated",
"Policy Description": "This policy identifies the AWS API gateways for with the request parameters are not validated. It is recommended to validate the request parameters in the URI, query string, and headers of an incoming request to focus on the validation efforts specific to your application.\n",
"Resource Type": "",
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.