From 518ae9c6f53269e2c6a2857a43dfaeb15ef8893e Mon Sep 17 00:00:00 2001
From: Nikita Pivkin
Date: Thu, 16 Jan 2025 16:54:59 +0600
Subject: [PATCH] refactor: update title and message

Signed-off-by: Nikita Pivkin
---
 checks/cloud/aws/ec2/no_public_egress_sgr.rego | 4 ++--
 checks/cloud/aws/ec2/no_public_ingress_acl.rego | 4 ++--
 checks/cloud/aws/ec2/no_public_ingress_sgr.rego | 4 ++--
 checks/cloud/azure/network/disable_rdp_from_internet.rego | 4 ++--
 checks/cloud/azure/network/no_public_egress.rego | 4 ++--
 checks/cloud/azure/network/no_public_ingress.rego | 4 ++--
 checks/cloud/azure/network/ssh_blocked_from_internet.rego | 4 ++--
 checks/cloud/digitalocean/compute/no_public_egress.rego | 2 +-
 checks/cloud/digitalocean/compute/no_public_ingress.rego | 4 ++--
 checks/cloud/google/compute/no_public_egress.rego | 4 ++--
 checks/cloud/google/compute/no_public_ingress.rego | 4 ++--
 checks/cloud/nifcloud/computing/no_public_ingress_sgr.rego | 4 ++--
 checks/cloud/nifcloud/nas/no_public_ingress_nas_sgr.rego | 4 ++--
 checks/cloud/nifcloud/rdb/no_public_ingress_db_sgr.rego | 4 ++--
 checks/kubernetes/network/no_public_egress.rego | 4 ++--
 checks/kubernetes/network/no_public_ingress.rego | 4 ++--
 16 files changed, 31 insertions(+), 31 deletions(-)

diff --git a/checks/cloud/aws/ec2/no_public_egress_sgr.rego b/checks/cloud/aws/ec2/no_public_egress_sgr.rego
index 5953149e..7e87c4be 100644
--- a/checks/cloud/aws/ec2/no_public_egress_sgr.rego
+++ b/checks/cloud/aws/ec2/no_public_egress_sgr.rego
@@ -1,5 +1,5 @@
 # METADATA
-# title: A security group rule should not allow egress to any IP address.
+# title: A security group rule should not allow unrestricted egress to any IP address.
 # description: |
 # Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 # scope: package
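Review bot: The new title `A security group rule should not allow unrestricted egress to any IP address.` doubles the qualifier — "unrestricted" and "to any IP address" express the same condition (`net.cidr_allows_all_ips` firing on a catch-all CIDR) — and the same redundancy is introduced in every other title and message of this commit. Either `... should not allow unrestricted egress.` or keeping the original `... egress to any IP address.` would read cleaner; the point is style only. Separately, the diffstat lists only the 16 check files, so if the repository keeps `_test.rego` fixtures or generated docs that assert on the old message text (such as `Security group rule allows egress to any IP address.`), they are now stale and should be updated alongside this change; that is inferred from the diffstat, not visible here.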
@@ -42,7 +42,7 @@ deny contains res if {
 some block in rule.cidrs
 net.cidr_allows_all_ips(block.value)
 res := result.new(
- "Security group rule allows egress to any IP address.",
+ "Security group rule allows unrestricted egress to any IP address.",
 block,
 )
 }
diff --git a/checks/cloud/aws/ec2/no_public_ingress_acl.rego b/checks/cloud/aws/ec2/no_public_ingress_acl.rego
index 08422968..4f321b16 100644
--- a/checks/cloud/aws/ec2/no_public_ingress_acl.rego
+++ b/checks/cloud/aws/ec2/no_public_ingress_acl.rego
@@ -1,5 +1,5 @@
 # METADATA
-# title: Network ACLs should not allow ingress to SSH or RDP from any IP address.
+# title: Network ACLs should not allow unrestricted ingress to SSH or RDP from any IP address.
 # description: |
 # The Network Access Control List (NACL) function provide stateless filtering of ingress and
 # egress network traffic to AWS resources. It is recommended that no NACL allows
@@ -56,7 +56,7 @@ deny contains res if {
 some block in rule.cidrs
 net.cidr_allows_all_ips(block.value)
 res := result.new(
- "Network ACL rule allows ingress from any IP address.",
+ "Network ACL rule allows unrestricted ingress from any IP address.",
 block,
 )
 }
diff --git a/checks/cloud/aws/ec2/no_public_ingress_sgr.rego b/checks/cloud/aws/ec2/no_public_ingress_sgr.rego
index 2dc8f334..69d2532d 100644
--- a/checks/cloud/aws/ec2/no_public_ingress_sgr.rego
+++ b/checks/cloud/aws/ec2/no_public_ingress_sgr.rego
@@ -1,5 +1,5 @@
 # METADATA
-# title: Security groups should not allow ingress to SSH or RDP from any IP address.
+# title: Security groups should not allow unrestricted ingress to SSH or RDP from any IP address.
 # description: |
 # Security groups provide stateful filtering of ingress and egress network traffic to AWS
 # resources. It is recommended that no security group allows unrestricted ingress access to
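Review bot: In `no_public_ingress_acl.rego` the title now promises a check on `unrestricted ingress to SSH or RDP`, but the finding text it pairs with, `Network ACL rule allows unrestricted ingress from any IP address.`, says nothing about SSH or RDP, so a reader of the result cannot tell whether the rule was flagged for those ports or for any port. The same title/message mismatch is introduced in `no_public_ingress_sgr.rego` (its message hunk is on the next line). The hunk only shows `some block in rule.cidrs` and `net.cidr_allows_all_ips(block.value)`; the `deny` rule starts outside it, so whether a port condition exists is not visible here. If the rule does filter on the SSH/RDP ports, the message should say so, e.g. `"Network ACL rule allows unrestricted ingress to SSH or RDP from any IP address.",`; if it flags every port, the title is the line to correct instead.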
@@ -53,7 +53,7 @@ deny contains res if {
 some block in rule.cidrs
 net.cidr_allows_all_ips(block.value)
 res := result.new(
- "Security group rule allows ingress from any IP address.",
+ "Security group rule allows unrestricted ingress from any IP address.",
 block,
 )
 }
diff --git a/checks/cloud/azure/network/disable_rdp_from_internet.rego b/checks/cloud/azure/network/disable_rdp_from_internet.rego
index 7a2342c9..d40aae31 100644
--- a/checks/cloud/azure/network/disable_rdp_from_internet.rego
+++ b/checks/cloud/azure/network/disable_rdp_from_internet.rego
@@ -1,5 +1,5 @@
 # METADATA
-# title: A security group should not allow ingress to the RDP port from any IP address.
+# title: A security group should not allow unrestricted ingress to the RDP port from any IP address.
 # description: |
 # RDP access can be configured on either the network security group or in the network security group rule.
 # RDP access should not be permitted from the internet (*, 0.0.0.0, /0, internet, any). Consider using the Azure Bastion Service.
@@ -45,7 +45,7 @@ deny contains res if {
 some ip in rule.sourceaddresses
 net.cidr_allows_all_ips(ip.value)
 res := result.new(
- "Security group rule allows ingress to RDP port from any IP address.",
+ "Security group rule allows unrestricted ingress to RDP port from any IP address.",
 ip,
 )
 }
diff --git a/checks/cloud/azure/network/no_public_egress.rego b/checks/cloud/azure/network/no_public_egress.rego
index 33b1677e..ea0b7316 100644
--- a/checks/cloud/azure/network/no_public_egress.rego
+++ b/checks/cloud/azure/network/no_public_egress.rego
@@ -1,5 +1,5 @@
 # METADATA
-# title: A security rule should not allow egress to any IP address.
+# title: A security rule should not allow unrestricted egress to any IP address.
 # description: |
 # Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 # scope: package
@@ -39,5 +39,5 @@ deny contains res if {
 rule.allow.value
 some addr in rule.destinationaddresses
 net.cidr_allows_all_ips(addr.value)
- res := result.new("Security group rule allows egress to any IP address.", addr)
+ res := result.new("Security group rule allows unrestricted egress to any IP address.", addr)
 }
diff --git a/checks/cloud/azure/network/no_public_ingress.rego b/checks/cloud/azure/network/no_public_ingress.rego
index 249f4893..e84afa22 100644
--- a/checks/cloud/azure/network/no_public_ingress.rego
+++ b/checks/cloud/azure/network/no_public_ingress.rego
@@ -1,5 +1,5 @@
 # METADATA
-# title: A security group rule should not allow ingress from any IP address.
+# title: A security group rule should not allow unrestricted ingress from any IP address.
 # description: |
 # Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 # scope: package
@@ -39,5 +39,5 @@ deny contains res if {
 rule.allow.value
 some addr in rule.sourceaddresses
 net.cidr_allows_all_ips(addr.value)
- res := result.new("Security group rule allows ingress from any IP address.", addr)
+ res := result.new("Security group rule allows unrestricted ingress from any IP address.", addr)
 }
diff --git a/checks/cloud/azure/network/ssh_blocked_from_internet.rego b/checks/cloud/azure/network/ssh_blocked_from_internet.rego
index ac3d498c..39be23aa 100644
--- a/checks/cloud/azure/network/ssh_blocked_from_internet.rego
+++ b/checks/cloud/azure/network/ssh_blocked_from_internet.rego
@@ -1,5 +1,5 @@
 # METADATA
-# title: Security group should not allow ingress to SSH port from any IP address.
+# title: Security group should not allow unrestricted ingress to SSH port from any IP address.
 # description: |
 # SSH access can be configured on either the network security group or in the network security group rule.
 # SSH access should not be permitted from the internet (*, 0.0.0.0, /0, internet, any)
@@ -43,7 +43,7 @@ deny contains res if {
 some ip in rule.sourceaddresses
 net.cidr_allows_all_ips(ip.value)
 res := result.new(
- "Security group rule allows ingress to SSH port from any IP address.",
+ "Security group rule allows unrestricted ingress to SSH port from any IP address.",
 ip,
 )
 }
diff --git a/checks/cloud/digitalocean/compute/no_public_egress.rego b/checks/cloud/digitalocean/compute/no_public_egress.rego
index e616c072..85028720 100644
--- a/checks/cloud/digitalocean/compute/no_public_egress.rego
+++ b/checks/cloud/digitalocean/compute/no_public_egress.rego
@@ -1,5 +1,5 @@
 # METADATA
-# title: A firewall rule should not allow egress to any IP address.
+# title: A firewall rule should not allow unrestricted egress to any IP address.
 # description: |
 # Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 # scope: package
diff --git a/checks/cloud/digitalocean/compute/no_public_ingress.rego b/checks/cloud/digitalocean/compute/no_public_ingress.rego
index 4de9e78f..ea36642f 100644
--- a/checks/cloud/digitalocean/compute/no_public_ingress.rego
+++ b/checks/cloud/digitalocean/compute/no_public_ingress.rego
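Review bot: `checks/cloud/digitalocean/compute/no_public_egress.rego` is the only check in this commit whose `result.new` message is not updated — the diffstat shows `2 +-` for it and its single hunk touches the title alone — while every sibling egress check (AWS, Azure, Google, Kubernetes) has its finding text changed to the "unrestricted egress" wording. Unless that file's message already reads that way (the `deny` body is outside the hunk, so this cannot be confirmed here), its title and finding text now disagree with each other and with the rest of the set; the expected edit would be `"Firewall rule allows unrestricted egress to any IP address.",` in its `deny` rule.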
@@ -1,5 +1,5 @@
 # METADATA
-# title: A firewall rule should not allow ingress from any IP address.
+# title: A firewall rule should not allow unrestricted ingress from any IP address.
 # description: |
 # Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 # scope: package
@@ -36,7 +36,7 @@ deny contains res if {
 some address in input.digitalocean.compute.firewalls[_].inboundrules[_].sourceaddresses
 net.cidr_allows_all_ips(address.value)
 res := result.new(
- "Firewall rule allows ingress from any IP address.",
+ "Firewall rule allows unrestricted ingress from any IP address.",
 address,
 )
 }
diff --git a/checks/cloud/google/compute/no_public_egress.rego b/checks/cloud/google/compute/no_public_egress.rego
index 4b5065d6..9062f7ee 100644
--- a/checks/cloud/google/compute/no_public_egress.rego
+++ b/checks/cloud/google/compute/no_public_egress.rego
@@ -1,5 +1,5 @@
 # METADATA
-# title: A firewall rule should not allow egress to any IP address.
+# title: A firewall rule should not allow unrestricted egress to any IP address.
 # description: |
 # Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 # scope: package
@@ -40,7 +40,7 @@ deny contains res if {
 some destination in rule.destinationranges
 net.cidr_allows_all_ips(destination.value)
 res := result.new(
- "Firewall rule allows egress traffic to any IP address.",
+ "Firewall rule allows unrestricted egress to any IP address.",
 destination,
 )
 }
diff --git a/checks/cloud/google/compute/no_public_ingress.rego b/checks/cloud/google/compute/no_public_ingress.rego
index 7b1a9b4d..b88a447b 100644
--- a/checks/cloud/google/compute/no_public_ingress.rego
+++ b/checks/cloud/google/compute/no_public_ingress.rego
@@ -1,5 +1,5 @@
 # METADATA
-# title: A firewall rule should not allow ingress from any IP address.
+# title: A firewall rule should not allow unrestricted ingress from any IP address.
 # description: |
 # Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 # scope: package
@@ -45,7 +45,7 @@ deny contains res if {
 some source in rule.sourceranges
 net.cidr_allows_all_ips(source.value)
 res := result.new(
- "Firewall rule allows ingress from any IP address.",
+ "Firewall rule allows unrestricted ingress from any IP address.",
 source,
 )
 }
diff --git a/checks/cloud/nifcloud/computing/no_public_ingress_sgr.rego b/checks/cloud/nifcloud/computing/no_public_ingress_sgr.rego
index 53a53349..66f297be 100644
--- a/checks/cloud/nifcloud/computing/no_public_ingress_sgr.rego
+++ b/checks/cloud/nifcloud/computing/no_public_ingress_sgr.rego
@@ -1,5 +1,5 @@
 # METADATA
-# title: A security group rule should not allow ingress from any IP address.
+# title: A security group rule should not allow unrestricted ingress from any IP address.
 # description: |
 # Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 #
@@ -41,7 +41,7 @@ deny contains res if {
 some rule in sg.ingressrules
 net.cidr_allows_all_ips(rule.cidr.value)
 res := result.new(
- "Security group rule allows ingress from any IP address.",
+ "Security group rule allows unrestricted ingress from any IP address.",
 rule.cidr,
 )
 }
diff --git a/checks/cloud/nifcloud/nas/no_public_ingress_nas_sgr.rego b/checks/cloud/nifcloud/nas/no_public_ingress_nas_sgr.rego
index 40525ec7..cf8484bf 100644
--- a/checks/cloud/nifcloud/nas/no_public_ingress_nas_sgr.rego
+++ b/checks/cloud/nifcloud/nas/no_public_ingress_nas_sgr.rego
@@ -1,5 +1,5 @@
 # METADATA
-# title: A security group rule should not allow ingress from any IP address.
+# title: A security group rule should not allow unrestricted ingress from any IP address.
 # description: |
 # Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 # scope: package
@@ -38,5 +38,5 @@ deny contains res if {
 some sg in input.nifcloud.nas.nassecuritygroups
 some c in sg.cidrs
 net.cidr_allows_all_ips(c.value)
- res := result.new("Security group rule allows ingress from any IP address.", c)
+ res := result.new("Security group rule allows unrestricted ingress from any IP address.", c)
 }
diff --git a/checks/cloud/nifcloud/rdb/no_public_ingress_db_sgr.rego b/checks/cloud/nifcloud/rdb/no_public_ingress_db_sgr.rego
index 37d5c404..e23d98d5 100644
--- a/checks/cloud/nifcloud/rdb/no_public_ingress_db_sgr.rego
+++ b/checks/cloud/nifcloud/rdb/no_public_ingress_db_sgr.rego
@@ -1,5 +1,5 @@
 # METADATA
-# title: A security group rule should not allow ingress traffic from any IP address.
+# title: A security group rule should not allow unrestricted ingress traffic from any IP address.
 # description: |
 # Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 # scope: package
@@ -38,5 +38,5 @@ deny contains res if {
 some sg in input.nifcloud.rdb.dbsecuritygroups
 some c in sg.cidrs
 net.cidr_allows_all_ips(c.value)
- res := result.new("Security group rule allows ingress traffic from any IP address.", c)
+ res := result.new("Security group rule allows unrestricted ingress from any IP address.", c)
 }
diff --git a/checks/kubernetes/network/no_public_egress.rego b/checks/kubernetes/network/no_public_egress.rego
index 0eea234f..7efb675f 100644
--- a/checks/kubernetes/network/no_public_egress.rego
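Review bot: In `no_public_ingress_db_sgr.rego` the new title keeps the word "traffic" (`... unrestricted ingress traffic from any IP address.`) while the new message in the same file drops it (`Security group rule allows unrestricted ingress from any IP address.`), so title and finding text no longer use the same phrase; the nas sibling `no_public_ingress_nas_sgr.rego` on this line, and the computing one before it, use neither "traffic" in title nor message. For a commit whose purpose is wording consistency, the rdb title should match: `# title: A security group rule should not allow unrestricted ingress from any IP address.`.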
+++ b/checks/kubernetes/network/no_public_egress.rego
@@ -1,5 +1,5 @@
 # METADATA
-# title: A network policy should not allow egress to any IP address.
+# title: A network policy should not allow unrestricted egress to any IP address.
 # description: You should not expose infrastructure to the public internet except where explicitly required
 # scope: package
 # schemas:
@@ -34,7 +34,7 @@ deny contains res if {
 some dest in policy.spec.egress.destinationcidrs
 net.cidr_allows_all_ips(dest.value)
 res := result.new(
- "Network policy allows egress to any IP address.",
+ "Network policy allows unrestricted egress to any IP address.",
 dest,
 )
 }
diff --git a/checks/kubernetes/network/no_public_ingress.rego b/checks/kubernetes/network/no_public_ingress.rego
index 740c34d8..b336a79b 100644
--- a/checks/kubernetes/network/no_public_ingress.rego
+++ b/checks/kubernetes/network/no_public_ingress.rego
@@ -1,5 +1,5 @@
 # METADATA
-# title: A network policy should not allow ingress from any IP address.
+# title: A network policy should not allow unrestricted ingress from any IP address.
 # description: |
 # Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 # scope: package
@@ -35,7 +35,7 @@ deny contains res if {
 some source in policy.spec.ingress.sourcecidrs
 net.cidr_allows_all_ips(source.value)
 res := result.new(
- "Network policy allows ingress from any IP address.",
+ "Network policy allows unrestricted ingress from any IP address.",
 source,
 )
 }