Merge pull request #201 from nikpivkin/go2rego-azure-3

refactor(checks): migrate Azure datafactory, datalake, keyvault to Rego
aquasecurity · Aug 21, 2024 · 4a9ec77 · 4a9ec77
2 parents b94dae8 + 3502e85
commit 4a9ec77
Show file tree

Hide file tree

Showing 40 changed files with 805 additions and 523 deletions.
diff --git a/avd_docs/azure/datafactory/AVD-AZU-0035/docs.md b/avd_docs/azure/datafactory/AVD-AZU-0035/docs.md
@@ -3,8 +3,9 @@ Data Factory has public access set to true by default.
 
 Disabling public network access is applicable only to the self-hosted integration runtime, not to Azure Integration Runtime and SQL Server Integration Services (SSIS) Integration Runtime.
 
+
 ### Impact
-Data factory is publicly accessible
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/datalake/AVD-AZU-0036/docs.md b/avd_docs/azure/datalake/AVD-AZU-0036/docs.md
@@ -1,8 +1,9 @@
 
 Datalake storage encryption defaults to Enabled, it shouldn't be overridden to Disabled.
 
+
 ### Impact
-Data could be read if compromised
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/keyvault/AVD-AZU-0013/docs.md b/avd_docs/azure/keyvault/AVD-AZU-0013/docs.md
@@ -1,10 +1,11 @@
 
-Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. 
+Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault.
 
 The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass.
 
+
 ### Impact
-Without a network ACL the key vault is freely accessible
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/keyvault/AVD-AZU-0014/docs.md b/avd_docs/azure/keyvault/AVD-AZU-0014/docs.md
@@ -3,8 +3,9 @@ Expiration Date is an optional Key Vault Key behavior and is not set by default.
 
 Set when the resource will be become inactive.
 
+
 ### Impact
-Long life keys increase the attack surface when compromised
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/keyvault/AVD-AZU-0015/docs.md b/avd_docs/azure/keyvault/AVD-AZU-0015/docs.md
@@ -3,8 +3,9 @@ Content Type is an optional Key Vault Secret behavior and is not enabled by defa
 
 Clients may specify the content type of a secret to assist in interpreting the secret data when it's retrieved. The maximum length of this field is 255 characters. There are no pre-defined values. The suggested usage is as a hint for interpreting the secret data.
 
+
 ### Impact
-The secret's type is unclear without a content type
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/keyvault/AVD-AZU-0016/docs.md b/avd_docs/azure/keyvault/AVD-AZU-0016/docs.md
@@ -3,8 +3,9 @@ Purge protection is an optional Key Vault behavior and is not enabled by default
 
 Purge protection can only be enabled once soft-delete is enabled. It can be turned on via CLI or PowerShell.
 
+
 ### Impact
-Keys could be purged from the vault without protection
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/keyvault/AVD-AZU-0017/docs.md b/avd_docs/azure/keyvault/AVD-AZU-0017/docs.md
@@ -3,8 +3,9 @@ Expiration Date is an optional Key Vault Secret behavior and is not set by defau
 
 Set when the resource will be become inactive.
 
+
 ### Impact
-Long life secrets increase the opportunity for compromise
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/checks/cloud/azure/datafactory/no_public_access.go b/checks/cloud/azure/datafactory/no_public_access.go
@@ -29,7 +29,8 @@ Disabling public network access is applicable only to the self-hosted integratio
 			Links:               terraformNoPublicAccessLinks,
 			RemediationMarkdown: terraformNoPublicAccessRemediationMarkdown,
 		},
-		Severity: severity.Critical,
+		Severity:   severity.Critical,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, factory := range s.Azure.DataFactory.DataFactories {

diff --git a/checks/cloud/azure/datafactory/no_public_access.rego b/checks/cloud/azure/datafactory/no_public_access.rego
@@ -0,0 +1,42 @@
+# METADATA
+# title: Data Factory should have public access disabled, the default is enabled.
+# description: |
+#   Data Factory has public access set to true by default.
+#
+#   Disabling public network access is applicable only to the self-hosted integration runtime, not to Azure Integration Runtime and SQL Server Integration Services (SSIS) Integration Runtime.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://docs.microsoft.com/en-us/azure/data-factory/data-movement-security-considerations#hybrid-scenarios
+# custom:
+#   id: AVD-AZU-0035
+#   avd_id: AVD-AZU-0035
+#   provider: azure
+#   service: datafactory
+#   severity: CRITICAL
+#   short_code: no-public-access
+#   recommended_action: Set public access to disabled for Data Factory
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: datafactory
+#             provider: azure
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/data_factory#public_network_enabled
+#     good_examples: checks/cloud/azure/datafactory/no_public_access.tf.go
+#     bad_examples: checks/cloud/azure/datafactory/no_public_access.tf.go
+package builtin.azure.datafactory.azure0035
+
+import rego.v1
+
+deny contains res if {
+	some factory in input.azure.datafactory.datafactories
+	factory.enablepublicnetwork.value == true
+	res := result.new(
+		"Data factory allows public network access.",
+		factory.enablepublicnetwork,
+	)
+}
diff --git a/checks/cloud/azure/datafactory/no_public_access_test.go b/checks/cloud/azure/datafactory/no_public_access_test.go
diff --git a/checks/cloud/azure/datafactory/no_public_access_test.rego b/checks/cloud/azure/datafactory/no_public_access_test.rego
@@ -0,0 +1,18 @@
+package builtin.azure.datafactory.azure0035_test
+
+import rego.v1
+
+import data.builtin.azure.datafactory.azure0035 as check
+import data.lib.test
+
+test_deny_datafactory_public_access_enabled if {
+	res := check.deny with input as build_input(true)
+	count(res) == 1
+}
+
+test_allow_datafactory_public_access_disabled if {
+	res := check.deny with input as build_input(false)
+	count(res) == 0
+}
+
+build_input(enabled) := {"azure": {"datafactory": {"datafactories": [{"enablepublicnetwork": {"value": enabled}}]}}}
diff --git a/checks/cloud/azure/datalake/enable_at_rest_encryption.go b/checks/cloud/azure/datalake/enable_at_rest_encryption.go
@@ -27,7 +27,8 @@ var CheckEnableAtRestEncryption = rules.Register(
 			Links:               terraformEnableAtRestEncryptionLinks,
 			RemediationMarkdown: terraformEnableAtRestEncryptionRemediationMarkdown,
 		},
-		Severity: severity.High,
+		Severity:   severity.High,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, store := range s.Azure.DataLake.Stores {

diff --git a/checks/cloud/azure/datalake/enable_at_rest_encryption.rego b/checks/cloud/azure/datalake/enable_at_rest_encryption.rego
@@ -0,0 +1,40 @@
+# METADATA
+# title: Unencrypted data lake storage.
+# description: |
+#   Datalake storage encryption defaults to Enabled, it shouldn't be overridden to Disabled.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://docs.microsoft.com/en-us/azure/data-lake-store/data-lake-store-security-overview
+# custom:
+#   id: AVD-AZU-0036
+#   avd_id: AVD-AZU-0036
+#   provider: azure
+#   service: datalake
+#   severity: HIGH
+#   short_code: enable-at-rest-encryption
+#   recommended_action: Enable encryption of data lake storage
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: datalake
+#             provider: azure
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/data_lake_store
+#     good_examples: checks/cloud/azure/datalake/enable_at_rest_encryption.tf.go
+#     bad_examples: checks/cloud/azure/datalake/enable_at_rest_encryption.tf.go
+package builtin.azure.datalake.azure0036
+
+import rego.v1
+
+deny contains res if {
+	some store in input.azure.datalake.stores
+	not store.enableencryption.value
+	res := result.new(
+		"Data lake store is not encrypted.",
+		object.get(store, "enableencryption", store),
+	)
+}
diff --git a/checks/cloud/azure/datalake/enable_at_rest_encryption_test.go b/checks/cloud/azure/datalake/enable_at_rest_encryption_test.go
diff --git a/checks/cloud/azure/datalake/enable_at_rest_encryption_test.rego b/checks/cloud/azure/datalake/enable_at_rest_encryption_test.rego
@@ -0,0 +1,18 @@
+package builtin.azure.datalake.azure0036_test
+
+import rego.v1
+
+import data.builtin.azure.datalake.azure0036 as check
+import data.lib.test
+
+test_deny_unencrypted_data_lake_store if {
+	res := check.deny with input as build_input(false)
+	count(res) == 1
+}
+
+test_allow_encrypted_data_lake_store if {
+	res := check.deny with input as build_input(true)
+	count(res) == 0
+}
+
+build_input(enable) := {"azure": {"datalake": {"stores": [{"enableencryption": {"value": enable}}]}}}
diff --git a/checks/cloud/azure/keyvault/content_type_for_secret.go b/checks/cloud/azure/keyvault/content_type_for_secret.go
@@ -29,7 +29,8 @@ Clients may specify the content type of a secret to assist in interpreting the s
 			Links:               terraformContentTypeForSecretLinks,
 			RemediationMarkdown: terraformContentTypeForSecretRemediationMarkdown,
 		},
-		Severity: severity.Low,
+		Severity:   severity.Low,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, vault := range s.Azure.KeyVault.Vaults {