refactor(checks): unify CIDR related checks

Signed-off-by: Nikita Pivkin <[email protected]>

avd_docs/azure/network/AVD-AZU-0047/docs.md

@@ -1,6 +1,5 @@
 
-Network security rules should not use very broad subnets.
-Where possible, segments should be broken into smaller subnets.
+Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 
 
 ### Impact

avd_docs/azure/network/AVD-AZU-0051/docs.md

@@ -1,6 +1,5 @@
 
-Network security rules should not use very broad subnets.
-Where possible, segments should be broken into smaller subnets.
+Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 
 
 ### Impact

avd_docs/digitalocean/compute/AVD-DIG-0001/docs.md

@@ -1,5 +1,5 @@
 
-Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
+Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 
 
 ### Impact

avd_docs/digitalocean/compute/AVD-DIG-0003/docs.md

@@ -1,5 +1,5 @@
 
-Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.
+Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 
 
 ### Impact

avd_docs/google/compute/AVD-GCP-0027/docs.md

@@ -1,6 +1,5 @@
 
-Network security rules should not use very broad subnets.
-Where possible, segments should be broken into smaller subnets and avoid using the <code>/0</code> subnet.
+Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 
 
 ### Impact

avd_docs/google/compute/AVD-GCP-0035/docs.md

@@ -1,6 +1,5 @@
 
-Network security rules should not use very broad subnets.
-Where possible, segments should be broken into smaller subnets and avoid using the <code>/0</code> subnet.
+Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 
 
 ### Impact

avd_docs/kubernetes/network/AVD-KUBE-0001/docs.md

@@ -1,5 +1,6 @@
 
-You should not expose infrastructure to the public internet except where explicitly required
+Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
+
 
 ### Impact
 <!-- Add Impact here -->

avd_docs/nifcloud/computing/AVD-NIF-0001/docs.md

@@ -1,5 +1,5 @@
 
-Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.
+Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 
 When publishing web applications, use a load balancer instead of publishing directly to instances.
 

avd_docs/nifcloud/nas/AVD-NIF-0014/docs.md

@@ -1,5 +1,5 @@
 
-Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.
+Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 
 
 ### Impact

avd_docs/nifcloud/rdb/AVD-NIF-0011/docs.md

@@ -1,5 +1,5 @@
 
-Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.
+Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 
 
 ### Impact

checks/cloud/aws/ec2/no_public_egress_sgr.rego

@@ -1,5 +1,5 @@
 # METADATA
-# title: An egress security group rule allows traffic to /0.
+# title: A security group rule should not allow unrestricted egress traffic to the public internet.
 # description: |
 #   Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 # scope: package
@@ -42,7 +42,7 @@ deny contains res if {
 	some block in rule.cidrs
 	net.cidr_allows_all_ips(block.value)
 	res := result.new(
-		"Security group rule allows egress to multiple public internet addresses.",
+		"Security group rule allows unrestricted egress traffic to the public internet.",
 		block,
 	)
 }

checks/cloud/aws/ec2/no_public_ingress_acl.rego

@@ -1,5 +1,5 @@
 # METADATA
-# title: Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389.
+# title: Network ACLs should not allow ingress from the public internet to port 22 or port 3389.
 # description: |
 #   The Network Access Control List (NACL) function provide stateless filtering of ingress and
 #   egress network traffic to AWS resources. It is recommended that no NACL allows
@@ -56,7 +56,7 @@ deny contains res if {
 	some block in rule.cidrs
 	net.cidr_allows_all_ips(block.value)
 	res := result.new(
-		"Network ACL rule allows ingress from public internet.",
+		"Network ACL rule allows unrestricted ingress traffic from the public internet.",
 		block,
 	)
 }

checks/cloud/aws/ec2/no_public_ingress_sgr.rego

@@ -53,7 +53,7 @@ deny contains res if {
 	some block in rule.cidrs
 	net.cidr_allows_all_ips(block.value)
 	res := result.new(
-		"Security group rule allows ingress from public internet.",
+		"Security group rule allows unrestricted ingress traffic from the public internet.",
 		block,
 	)
 }

checks/cloud/aws/eks/no_public_cluster_access_to_cidr.rego

@@ -30,11 +30,13 @@ package builtin.aws.eks.aws0041
 
 import rego.v1
 
+import data.lib.net
+
 deny contains res if {
 	some cluster in input.aws.eks.clusters
 	cluster.publicaccessenabled.value == true
 	some c in cluster.publicaccesscidrs
-	cidr.is_public(c.value)
-	message := sprintf("Cluster allows access from a public CIDR: %s", [c.value])
+	net.cidr_allows_all_ips(c.value)
+	message := sprintf("Cluster allows unrestricted access from a public CIDR: %s", [c.value])
 	res := result.new(message, c)
 }

checks/cloud/azure/network/disable_rdp_from_internet.rego

@@ -32,6 +32,8 @@ package builtin.azure.network.azure0048
 
 import rego.v1
 
+import data.lib.net
+
 deny contains res if {
 	some group in input.azure.network.securitygroups
 	some rule in group.rules
@@ -41,10 +43,9 @@ deny contains res if {
 	some ports in rule.destinationports
 	port_range_includes(ports.start, ports.end, 3389)
 	some ip in rule.sourceaddresses
-	cidr.is_public(ip.value)
-	cidr.count_addresses(ip.value) > 1
+	net.cidr_allows_all_ips(ip.value)
 	res := result.new(
-		"Security group rule allows ingress to RDP port from multiple public internet addresses.",
+		"Security group rule allows ingress traffic to RDP port from the public internet.",
 		ip,
 	)
 }

checks/cloud/azure/network/no_public_egress.rego

@@ -1,8 +1,7 @@
 # METADATA
-# title: An outbound network security rule allows traffic to /0.
+# title: A security rule should not allow unrestricted egress traffic to the public internet.
 # description: |
-#   Network security rules should not use very broad subnets.
-#   Where possible, segments should be broken into smaller subnets.
+#   Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 # scope: package
 # schemas:
 #   - input: schema["cloud"]
@@ -40,5 +39,5 @@ deny contains res if {
 	rule.allow.value
 	some addr in rule.destinationaddresses
 	net.cidr_allows_all_ips(addr.value)
-	res := result.new("Security group rule allows egress to public internet.", addr)
+	res := result.new("Security group rule allows unrestricted egress traffic to the public internet.", addr)
 }

checks/cloud/azure/network/no_public_ingress.rego

@@ -1,8 +1,7 @@
 # METADATA
-# title: An inbound network security rule allows traffic from /0.
+# title: A security group rule should not allow unrestricted ingress from the public internet.
 # description: |
-#   Network security rules should not use very broad subnets.
-#   Where possible, segments should be broken into smaller subnets.
+#   Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 # scope: package
 # schemas:
 #   - input: schema["cloud"]
@@ -31,13 +30,14 @@ package builtin.azure.network.azure0047
 
 import rego.v1
 
+import data.lib.net
+
 deny contains res if {
 	some group in input.azure.network.securitygroups
 	some rule in group.rules
 	not rule.outbound.value
 	rule.allow.value
 	some addr in rule.sourceaddresses
-	cidr.is_public(addr.value)
-	cidr.count_addresses(addr.value) > 1
-	res := result.new("Security group rule allows ingress from public internet.", addr)
+	net.cidr_allows_all_ips(addr.value)
+	res := result.new("Security group rule allows unrestricted ingress from the public internet.", addr)
 }

checks/cloud/azure/network/ssh_blocked_from_internet.rego

@@ -1,5 +1,5 @@
 # METADATA
-# title: SSH access should not be accessible from the Internet, should be blocked on port 22
+# title: Security group should not allow ingress traffic from the public internet to SSH port.
 # description: |
 #   SSH access can be configured on either the network security group or in the network security group rule.
 #   SSH access should not be permitted from the internet (*, 0.0.0.0, /0, internet, any)
@@ -30,6 +30,8 @@ package builtin.azure.network.azure0050
 
 import rego.v1
 
+import data.lib.net
+
 deny contains res if {
 	some group in input.azure.network.securitygroups
 	some rule in group.rules
@@ -39,10 +41,9 @@ deny contains res if {
 	some ports in rule.destinationports
 	port_range_includes(ports.start, ports.end, 22)
 	some ip in rule.sourceaddresses
-	cidr.is_public(ip.value)
-	cidr.count_addresses(ip.value) > 1
+	net.cidr_allows_all_ips(ip.value)
 	res := result.new(
-		"Security group rule allows ingress to SSH port from multiple public internet addresses.",
+		"Security group rule allows ingress traffic to SSH port from the public internet.",
 		ip,
 	)
 }

checks/cloud/digitalocean/compute/no_public_egress.rego

@@ -1,7 +1,7 @@
 # METADATA
-# title: The firewall has an outbound rule with open access
+# title: A firewall rule should not allow unrestricted egress traffic to the public internet.
 # description: |
-#   Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.
+#   Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 # scope: package
 # schemas:
 #   - input: schema["cloud"]
@@ -30,12 +30,13 @@ package builtin.digitalocean.compute.digitalocean0003
 
 import rego.v1
 
+import data.lib.net
+
 deny contains res if {
 	some address in input.digitalocean.compute.firewalls[_].outboundrules[_].destinationaddresses
-	cidr.is_public(address.value)
-	cidr.count_addresses(address.value) > 1
+	net.cidr_allows_all_ips(address.value)
 	res := result.new(
-		"Egress rule allows access to multiple public addresses.",
+		"Firewall rule allows unrestricted egress traffic to the public internet.",
 		address,
 	)
 }

checks/cloud/digitalocean/compute/no_public_ingress.rego

@@ -1,7 +1,7 @@
 # METADATA
-# title: The firewall has an inbound rule with open access
+# title: A firewall rule not allow unrestricted ingress traffic from the public internet.
 # description: |
-#   Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
+#   Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 # scope: package
 # schemas:
 #   - input: schema["cloud"]
@@ -30,12 +30,13 @@ package builtin.digitalocean.compute.digitalocean0001
 
 import rego.v1
 
+import data.lib.net
+
 deny contains res if {
 	some address in input.digitalocean.compute.firewalls[_].inboundrules[_].sourceaddresses
-	cidr.is_public(address.value)
-	cidr.count_addresses(address.value) > 1
+	net.cidr_allows_all_ips(address.value)
 	res := result.new(
-		"Ingress rule allows access from multiple public addresses.",
+		"Firewall rule allows unrestricted ingress traffic from the public internet.",
 		address,
 	)
 }

checks/cloud/google/compute/no_public_egress.rego

@@ -1,8 +1,7 @@
 # METADATA
-# title: An outbound firewall rule allows traffic to /0.
+# title: A firewall rule should not allow unrestricted egress traffic to the public internet.
 # description: |
-#   Network security rules should not use very broad subnets.
-#   Where possible, segments should be broken into smaller subnets and avoid using the <code>/0</code> subnet.
+#   Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 # scope: package
 # schemas:
 #   - input: schema["cloud"]
@@ -41,7 +40,7 @@ deny contains res if {
 	some destination in rule.destinationranges
 	net.cidr_allows_all_ips(destination.value)
 	res := result.new(
-		"Firewall rule allows egress traffic to multiple addresses on the public internet.",
+		"Firewall rule allows unrestricted egress traffic to the public internet.",
 		destination,
 	)
 }

checks/cloud/google/compute/no_public_ingress.rego

@@ -1,8 +1,7 @@
 # METADATA
-# title: An inbound firewall rule allows traffic from /0.
+# title: A firewall rule should not allow unrestricted ingress traffic from the public internet.
 # description: |
-#   Network security rules should not use very broad subnets.
-#   Where possible, segments should be broken into smaller subnets and avoid using the <code>/0</code> subnet.
+#   Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 # scope: package
 # schemas:
 #   - input: schema["cloud"]
@@ -32,6 +31,8 @@ package builtin.google.compute.google0027
 
 import rego.v1
 
+import data.lib.net
+
 deny contains res if {
 	some network in input.google.compute.networks
 	count(object.get(network.firewall, "sourcetags", [])) == 0
@@ -40,11 +41,11 @@ deny contains res if {
 	some rule in network.firewall.ingressrules
 	rule.firewallrule.isallow.value
 	rule.firewallrule.enforced.value
+
 	some source in rule.sourceranges
-	cidr.is_public(source.value)
-	cidr.count_addresses(source.value) > 1
+	net.cidr_allows_all_ips(source.value)
 	res := result.new(
-		"Firewall rule allows ingress traffic from multiple addresses on the public internet.",
+		"Firewall rule allows unrestricted ingress traffic from the public internet.",
 		source,
 	)
 }

checks/cloud/google/gke/no_public_control_plane.rego

@@ -28,10 +28,12 @@ package builtin.google.gke.google0053
 
 import rego.v1
 
+import data.lib.net
+
 deny contains res if {
 	some cluster in input.google.gke.clusters
 	isManaged(cluster)
 	some block in cluster.masterauthorizednetworks.cidrs
-	cidr.is_public(block.value)
+	net.cidr_allows_all_ips(block.value)
 	res := result.new("Cluster exposes control plane to the public internet.", block)
 }

checks/cloud/google/sql/no_public_access.rego

@@ -30,6 +30,8 @@ package builtin.google.sql.google0017
 
 import rego.v1
 
+import data.lib.net
+
 deny contains res if {
 	some instance in input.google.sql.instances
 	instance.settings.ipconfiguration.enableipv4.value == true
@@ -42,7 +44,7 @@ deny contains res if {
 deny contains res if {
 	some instance in input.google.sql.instances
 	some network in instance.settings.ipconfiguration.authorizednetworks
-	cidr.is_public(network.cidr.value)
+	net.cidr_allows_all_ips(network.cidr.value)
 	res := result.new(
 		"Database instance allows access from the public internet.",
 		network.cidr,

checks/cloud/nifcloud/computing/no_public_ingress_sgr.rego

@@ -1,7 +1,7 @@
 # METADATA
-# title: An ingress security group rule allows traffic from /0.
+# title: A security group rule should not allow unrestricted ingress traffic from the public internet.
 # description: |
-#   Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.
+#   Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 #
 #   When publishing web applications, use a load balancer instead of publishing directly to instances.
 # scope: package
@@ -34,10 +34,14 @@ package builtin.nifcloud.computing.nifcloud0001
 
 import rego.v1
 
+import data.lib.net
+
 deny contains res if {
 	some sg in input.nifcloud.computing.securitygroups
 	some rule in sg.ingressrules
-	cidr.is_public(rule.cidr.value)
-	cidr.count_addresses(rule.cidr.value) > 1
-	res := result.new("Security group rule allows ingress from public internet.", rule.cidr)
+	net.cidr_allows_all_ips(rule.cidr.value)
+	res := result.new(
+		"Security group rule allows unrestricted ingress traffic from the public internet.",
+		rule.cidr,
+	)
 }