Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var CheckAllThreatAlertsEnabled = rules.Register( scan.Rule{ AVDID: "AVD-AZU-0028", Provider: providers.AzureProvider, Service: "database", ShortCode: "all-threat-alerts-enabled", Summary: "No threat detections are set", Impact: "Disabling threat alerts means you are not getting the full benefit of server security protection", Resolution: "Use all provided threat alerts", Explanation: `SQL Server can alert for security issues including SQL Injection, vulnerabilities, access anomalies and data exfiltration. Ensure none of these are disabled to benefit from the best protection`, Links: []string{}, Terraform: &scan.EngineMetadata{ GoodExamples: terraformAllThreatAlertsEnabledGoodExamples, BadExamples: terraformAllThreatAlertsEnabledBadExamples, Links: terraformAllThreatAlertsEnabledLinks, RemediationMarkdown: terraformAllThreatAlertsEnabledRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, server := range s.Azure.Database.MSSQLServers { for _, policy := range server.SecurityAlertPolicies { if len(policy.DisabledAlerts) > 0 { results.Add( "Server has a security alert policy which disables alerts.", policy.DisabledAlerts[0], ) } else { results.AddPassed(&policy) } } } return }, )
View Source
var CheckEnableAudit = rules.Register( scan.Rule{ AVDID: "AVD-AZU-0027", Provider: providers.AzureProvider, Service: "database", ShortCode: "enable-audit", Summary: "Auditing should be enabled on Azure SQL Databases", Impact: "Auditing provides valuable information about access and usage", Resolution: "Enable auditing on Azure SQL databases", Explanation: `Auditing helps you maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.`, Links: []string{ "https://docs.microsoft.com/en-us/azure/azure-sql/database/auditing-overview", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformEnableAuditGoodExamples, BadExamples: terraformEnableAuditBadExamples, Links: terraformEnableAuditLinks, RemediationMarkdown: terraformEnableAuditRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, server := range s.Azure.Database.MSSQLServers { if len(server.ExtendedAuditingPolicies) == 0 && server.Metadata.IsManaged() { results.Add( "Server does not have an extended audit policy configured.", &server, ) } else { results.AddPassed(&server) } } return }, )
View Source
var CheckEnableSslEnforcement = rules.Register( scan.Rule{ AVDID: "AVD-AZU-0020", Provider: providers.AzureProvider, Service: "database", ShortCode: "enable-ssl-enforcement", Summary: "SSL should be enforced on database connections where applicable", Impact: "Insecure connections could lead to data loss and other vulnerabilities", Resolution: "Enable SSL enforcement", Explanation: `SSL connections should be enforced were available to ensure secure transfer and reduce the risk of compromising data in flight.`, Links: []string{}, Terraform: &scan.EngineMetadata{ GoodExamples: terraformEnableSslEnforcementGoodExamples, BadExamples: terraformEnableSslEnforcementBadExamples, Links: terraformEnableSslEnforcementLinks, RemediationMarkdown: terraformEnableSslEnforcementRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, server := range s.Azure.Database.MariaDBServers { if server.Metadata.IsUnmanaged() { continue } if server.EnableSSLEnforcement.IsFalse() { results.Add( "Database server does not have enforce SSL.", server.EnableSSLEnforcement, ) } else { results.AddPassed(&server) } } for _, server := range s.Azure.Database.MySQLServers { if server.Metadata.IsUnmanaged() { continue } if server.EnableSSLEnforcement.IsFalse() { results.Add( "Database server does not have enforce SSL.", server.EnableSSLEnforcement, ) } else { results.AddPassed(&server) } } for _, server := range s.Azure.Database.PostgreSQLServers { if server.Metadata.IsUnmanaged() { continue } if server.EnableSSLEnforcement.IsFalse() { results.Add( "Database server does not have enforce SSL.", server.EnableSSLEnforcement, ) } else { results.AddPassed(&server) } } return }, )
View Source
var CheckNoPublicAccess = rules.Register( scan.Rule{ AVDID: "AVD-AZU-0022", Provider: providers.AzureProvider, Service: "database", ShortCode: "no-public-access", Summary: "Ensure databases are not publicly accessible", Impact: "Publicly accessible database could lead to compromised data", Resolution: "Disable public access to database when not required", Explanation: `Database resources should not publicly available. You should limit all access to the minimum that is required for your application to function.`, Links: []string{}, Terraform: &scan.EngineMetadata{ GoodExamples: terraformNoPublicAccessGoodExamples, BadExamples: terraformNoPublicAccessBadExamples, Links: terraformNoPublicAccessLinks, RemediationMarkdown: terraformNoPublicAccessRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, server := range s.Azure.Database.MariaDBServers { if server.Metadata.IsUnmanaged() { continue } if server.EnablePublicNetworkAccess.IsTrue() { results.Add( "Database server has public network access enabled.", server.EnablePublicNetworkAccess, ) } else { results.AddPassed(&server) } } for _, server := range s.Azure.Database.MSSQLServers { if server.Metadata.IsUnmanaged() { continue } if server.EnablePublicNetworkAccess.IsTrue() { results.Add( "Database server has public network access enabled.", server.EnablePublicNetworkAccess, ) } else { results.AddPassed(&server) } } for _, server := range s.Azure.Database.MySQLServers { if server.Metadata.IsUnmanaged() { continue } if server.EnablePublicNetworkAccess.IsTrue() { results.Add( "Database server has public network access enabled.", server.EnablePublicNetworkAccess, ) } else { results.AddPassed(&server) } } for _, server := range s.Azure.Database.PostgreSQLServers { if server.Metadata.IsUnmanaged() { continue } if server.EnablePublicNetworkAccess.IsTrue() { results.Add( "Database server has public network access enabled.", server.EnablePublicNetworkAccess, ) } else { results.AddPassed(&server) } } return }, )
View Source
var CheckNoPublicFirewallAccess = rules.Register( scan.Rule{ AVDID: "AVD-AZU-0029", Provider: providers.AzureProvider, Service: "database", ShortCode: "no-public-firewall-access", Summary: "Ensure database firewalls do not permit public access", Impact: "Publicly accessible databases could lead to compromised data", Resolution: "Don't use wide ip ranges for the sql firewall", Explanation: `Azure services can be allowed access through the firewall using a start and end IP address of 0.0.0.0. No other end ip address should be combined with a start of 0.0.0.0`, Links: []string{ "https://docs.microsoft.com/en-us/rest/api/sql/2021-02-01-preview/firewall-rules/create-or-update", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformNoPublicFirewallAccessGoodExamples, BadExamples: terraformNoPublicFirewallAccessBadExamples, Links: terraformNoPublicFirewallAccessLinks, RemediationMarkdown: terraformNoPublicFirewallAccessRemediationMarkdown, }, Severity: severity.High, }, func(s *state.State) (results scan.Results) { for _, server := range s.Azure.Database.MariaDBServers { for _, rule := range server.FirewallRules { if allowingAzureServices(rule) { continue } if (cidr.IsPublic(rule.StartIP.Value()) || cidr.IsPublic(rule.EndIP.Value())) && rule.StartIP.NotEqualTo(rule.EndIP.Value()) { results.Add( "Firewall rule allows public internet access to a database server.", rule.StartIP, ) } else { results.AddPassed(&rule) } } } for _, server := range s.Azure.Database.MSSQLServers { for _, rule := range server.FirewallRules { if allowingAzureServices(rule) { continue } if (cidr.IsPublic(rule.StartIP.Value()) || cidr.IsPublic(rule.EndIP.Value())) && rule.StartIP.NotEqualTo(rule.EndIP.Value()) { results.Add( "Firewall rule allows public internet access to a database server.", rule.StartIP, ) } else { results.AddPassed(&rule) } } } for _, server := range s.Azure.Database.MySQLServers { for _, rule := range server.FirewallRules { if allowingAzureServices(rule) { continue } if (cidr.IsPublic(rule.StartIP.Value()) || cidr.IsPublic(rule.EndIP.Value())) && rule.StartIP.NotEqualTo(rule.EndIP.Value()) { results.Add( "Firewall rule allows public internet access to a database server.", rule.StartIP, ) } else { results.AddPassed(&rule) } } } for _, server := range s.Azure.Database.PostgreSQLServers { for _, rule := range server.FirewallRules { if allowingAzureServices(rule) { continue } if (cidr.IsPublic(rule.StartIP.Value()) || cidr.IsPublic(rule.EndIP.Value())) && rule.StartIP.NotEqualTo(rule.EndIP.Value()) { results.Add( "Firewall rule allows public internet access to a database server.", rule.StartIP, ) } else { results.AddPassed(&rule) } } } return }, )
View Source
var CheckPostgresConfigurationLogCheckpoints = rules.Register( scan.Rule{ AVDID: "AVD-AZU-0024", Provider: providers.AzureProvider, Service: "database", ShortCode: "postgres-configuration-log-checkpoints", Summary: "Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server", Impact: "No error and query logs generated on checkpoint", Resolution: "Enable checkpoint logging", Explanation: `Postgresql can generate logs for checkpoints to improve visibility for audit and configuration issue resolution.`, Links: []string{ "https://docs.microsoft.com/en-us/azure/postgresql/concepts-server-logs#configure-logging", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformPostgresConfigurationLogCheckpointsGoodExamples, BadExamples: terraformPostgresConfigurationLogCheckpointsBadExamples, Links: terraformPostgresConfigurationLogCheckpointsLinks, RemediationMarkdown: terraformPostgresConfigurationLogCheckpointsRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, server := range s.Azure.Database.PostgreSQLServers { if server.Metadata.IsUnmanaged() { continue } if server.Config.LogCheckpoints.IsFalse() { results.Add( "Database server is not configured to log checkpoints.", server.Config.LogCheckpoints, ) } else { results.AddPassed(&server.Config) } } return }, )
View Source
var CheckPostgresConfigurationLogConnectionThrottling = rules.Register( scan.Rule{ AVDID: "AVD-AZU-0021", Provider: providers.AzureProvider, Service: "database", ShortCode: "postgres-configuration-connection-throttling", Summary: "Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server", Impact: "No log information to help diagnosing connection contention issues", Resolution: "Enable connection throttling logging", Explanation: `Postgresql can generate logs for connection throttling to improve visibility for audit and configuration issue resolution.`, Links: []string{ "https://docs.microsoft.com/en-us/azure/postgresql/concepts-server-logs#configure-logging", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformPostgresConfigurationConnectionThrottlingGoodExamples, BadExamples: terraformPostgresConfigurationConnectionThrottlingBadExamples, Links: terraformPostgresConfigurationConnectionThrottlingLinks, RemediationMarkdown: terraformPostgresConfigurationConnectionThrottlingRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, server := range s.Azure.Database.PostgreSQLServers { if server.Metadata.IsUnmanaged() { continue } if server.Config.ConnectionThrottling.IsFalse() { results.Add( "Database server is not configured to throttle connections.", server.Config.ConnectionThrottling, ) } else { results.AddPassed(&server.Config) } } return }, )
View Source
var CheckPostgresConfigurationLogConnections = rules.Register( scan.Rule{ AVDID: "AVD-AZU-0019", Provider: providers.AzureProvider, Service: "database", ShortCode: "postgres-configuration-log-connections", Summary: "Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server", Impact: "No visibility of successful connections", Resolution: "Enable connection logging", Explanation: `Postgresql can generate logs for successful connections to improve visibility for audit and configuration issue resolution.`, Links: []string{ "https://docs.microsoft.com/en-us/azure/postgresql/concepts-server-logs#configure-logging", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformPostgresConfigurationLogConnectionsGoodExamples, BadExamples: terraformPostgresConfigurationLogConnectionsBadExamples, Links: terraformPostgresConfigurationLogConnectionsLinks, RemediationMarkdown: terraformPostgresConfigurationLogConnectionsRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, server := range s.Azure.Database.PostgreSQLServers { if server.Metadata.IsUnmanaged() { continue } if server.Config.LogConnections.IsFalse() { results.Add( "Database server is not configured to log connections.", server.Config.LogConnections, ) } else { results.AddPassed(&server.Config) } } return }, )
View Source
var CheckRetentionPeriodSet = rules.Register( scan.Rule{ AVDID: "AVD-AZU-0025", Provider: providers.AzureProvider, Service: "database", ShortCode: "retention-period-set", Summary: "Database auditing rentention period should be longer than 90 days", Impact: "Short logging retention could result in missing valuable historical information", Resolution: "Set retention periods of database auditing to greater than 90 days", Explanation: `When Auditing is configured for a SQL database, if the retention period is not set, the retention will be unlimited. If the retention period is to be explicitly set, it should be set for no less than 90 days.`, Links: []string{ "https://docs.microsoft.com/en-us/azure/azure-sql/database/auditing-overview", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformRetentionPeriodSetGoodExamples, BadExamples: terraformRetentionPeriodSetBadExamples, Links: terraformRetentionPeriodSetLinks, RemediationMarkdown: terraformRetentionPeriodSetRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, server := range s.Azure.Database.MSSQLServers { for _, policy := range server.ExtendedAuditingPolicies { if policy.RetentionInDays.LessThan(90) && policy.RetentionInDays.NotEqualTo(0) { results.Add( "Server has a retention period of less than 90 days.", policy.RetentionInDays, ) } else { results.AddPassed(&policy) } } } return }, )
View Source
var CheckSecureTlsPolicy = rules.Register( scan.Rule{ AVDID: "AVD-AZU-0026", Provider: providers.AzureProvider, Service: "database", ShortCode: "secure-tls-policy", Summary: "Databases should have the minimum TLS set for connections", Impact: "Outdated TLS policies increase exposure to known issues", Resolution: "Use the most modern TLS policies available", Explanation: `You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.`, Links: []string{}, Terraform: &scan.EngineMetadata{ GoodExamples: terraformSecureTlsPolicyGoodExamples, BadExamples: terraformSecureTlsPolicyBadExamples, Links: terraformSecureTlsPolicyLinks, RemediationMarkdown: terraformSecureTlsPolicyRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, server := range s.Azure.Database.MSSQLServers { if server.Metadata.IsUnmanaged() { continue } if server.MinimumTLSVersion.NotEqualTo("1.2") { results.Add( "Database server does not require a secure TLS version.", server.MinimumTLSVersion, ) } else { results.AddPassed(&server) } } for _, server := range s.Azure.Database.MySQLServers { if server.Metadata.IsUnmanaged() { continue } if server.MinimumTLSVersion.NotEqualTo("TLS1_2") { results.Add( "Database server does not require a secure TLS version.", server.MinimumTLSVersion, ) } else { results.AddPassed(&server) } } for _, server := range s.Azure.Database.PostgreSQLServers { if server.Metadata.IsUnmanaged() { continue } if server.MinimumTLSVersion.NotEqualTo("TLS1_2") { results.Add( "Database server does not require a secure TLS version.", server.MinimumTLSVersion, ) } else { results.AddPassed(&server) } } return }, )
View Source
var CheckThreatAlertEmailSet = rules.Register( scan.Rule{ AVDID: "AVD-AZU-0018", Provider: providers.AzureProvider, Service: "database", ShortCode: "threat-alert-email-set", Summary: "At least one email address is set for threat alerts", Impact: "Nobody will be promptly alerted in the case of a threat being detected", Resolution: "Provide at least one email address for threat alerts", Explanation: `SQL Server sends alerts for threat detection via email, if there are no email addresses set then mitigation will be delayed.`, Links: []string{}, Terraform: &scan.EngineMetadata{ GoodExamples: terraformThreatAlertEmailSetGoodExamples, BadExamples: terraformThreatAlertEmailSetBadExamples, Links: terraformThreatAlertEmailSetLinks, RemediationMarkdown: terraformThreatAlertEmailSetRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, server := range s.Azure.Database.MSSQLServers { for _, policy := range server.SecurityAlertPolicies { if len(policy.EmailAddresses) == 0 { results.Add( "Security alert policy does not include any email addresses for notification.", &policy, ) } else { results.AddPassed(&policy) } } } return }, )
View Source
var CheckThreatAlertEmailToOwner = rules.Register( scan.Rule{ AVDID: "AVD-AZU-0023", Provider: providers.AzureProvider, Service: "database", ShortCode: "threat-alert-email-to-owner", Summary: "Security threat alerts go to subcription owners and co-administrators", Impact: "Administrators and subscription owners may have a delayed response", Resolution: "Enable email to subscription owners", Explanation: `Subscription owners should be notified when there are security alerts. By ensuring the administrators of the account have been notified they can quickly assist in any required remediation`, Links: []string{}, Terraform: &scan.EngineMetadata{ GoodExamples: terraformThreatAlertEmailToOwnerGoodExamples, BadExamples: terraformThreatAlertEmailToOwnerBadExamples, Links: terraformThreatAlertEmailToOwnerLinks, RemediationMarkdown: terraformThreatAlertEmailToOwnerRemediationMarkdown, }, Severity: severity.Low, }, func(s *state.State) (results scan.Results) { for _, server := range s.Azure.Database.MSSQLServers { for _, policy := range server.SecurityAlertPolicies { if policy.EmailAccountAdmins.IsFalse() { results.Add( "Security alert policy does not alert account admins.", policy.EmailAccountAdmins, ) } else { results.AddPassed(&policy) } } } return }, )
Functions ¶
This section is empty.
Types ¶
This section is empty.
Source Files
¶
- all_threat_alerts_enabled.go
- all_threat_alerts_enabled.tf.go
- enable_audit.go
- enable_audit.tf.go
- enable_ssl_enforcement.go
- enable_ssl_enforcement.tf.go
- no_public_access.go
- no_public_access.tf.go
- no_public_firewall_access.go
- no_public_firewall_access.tf.go
- postgres_configuration_connection_throttling.go
- postgres_configuration_connection_throttling.tf.go
- postgres_configuration_log_checkpoints.go
- postgres_configuration_log_checkpoints.tf.go
- postgres_configuration_log_connections.go
- postgres_configuration_log_connections.tf.go
- retention_period_set.go
- retention_period_set.tf.go
- secure_tls_policy.go
- secure_tls_policy.tf.go
- threat_alert_email_set.go
- threat_alert_email_set.tf.go
- threat_alert_email_to_owner.go
- threat_alert_email_to_owner.tf.go
Click to show internal directories.
Click to hide internal directories.