diff --git a/avd_docs/azure/network/AVD-AZU-0047/docs.md b/avd_docs/azure/network/AVD-AZU-0047/docs.md
index 420dcd15..e9bc11e9 100644
--- a/avd_docs/azure/network/AVD-AZU-0047/docs.md
+++ b/avd_docs/azure/network/AVD-AZU-0047/docs.md
@@ -1,6 +1,5 @@
-Network security rules should not use very broad subnets.
-Where possible, segments should be broken into smaller subnets.
+Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
### Impact
diff --git a/avd_docs/azure/network/AVD-AZU-0051/docs.md b/avd_docs/azure/network/AVD-AZU-0051/docs.md
index 420dcd15..90655620 100644
--- a/avd_docs/azure/network/AVD-AZU-0051/docs.md
+++ b/avd_docs/azure/network/AVD-AZU-0051/docs.md
@@ -1,6 +1,5 @@
-Network security rules should not use very broad subnets.
-Where possible, segments should be broken into smaller subnets.
+Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
### Impact
diff --git a/avd_docs/digitalocean/compute/AVD-DIG-0001/docs.md b/avd_docs/digitalocean/compute/AVD-DIG-0001/docs.md
index 85767142..ac5fb644 100644
--- a/avd_docs/digitalocean/compute/AVD-DIG-0001/docs.md
+++ b/avd_docs/digitalocean/compute/AVD-DIG-0001/docs.md
@@ -1,5 +1,5 @@
-Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
+Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
### Impact
diff --git a/avd_docs/digitalocean/compute/AVD-DIG-0003/docs.md b/avd_docs/digitalocean/compute/AVD-DIG-0003/docs.md
index 800ace9e..85767142 100644
--- a/avd_docs/digitalocean/compute/AVD-DIG-0003/docs.md
+++ b/avd_docs/digitalocean/compute/AVD-DIG-0003/docs.md
@@ -1,5 +1,5 @@
-Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.
+Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
### Impact
diff --git a/avd_docs/google/compute/AVD-GCP-0027/docs.md b/avd_docs/google/compute/AVD-GCP-0027/docs.md
index 62a5af84..4fcabc36 100644
--- a/avd_docs/google/compute/AVD-GCP-0027/docs.md
+++ b/avd_docs/google/compute/AVD-GCP-0027/docs.md
@@ -1,6 +1,5 @@
-Network security rules should not use very broad subnets.
-Where possible, segments should be broken into smaller subnets and avoid using the /0
subnet.
+Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
### Impact
diff --git a/avd_docs/google/compute/AVD-GCP-0035/docs.md b/avd_docs/google/compute/AVD-GCP-0035/docs.md
index 62a5af84..a9532967 100644
--- a/avd_docs/google/compute/AVD-GCP-0035/docs.md
+++ b/avd_docs/google/compute/AVD-GCP-0035/docs.md
@@ -1,6 +1,5 @@
-Network security rules should not use very broad subnets.
-Where possible, segments should be broken into smaller subnets and avoid using the /0
subnet.
+Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
### Impact
diff --git a/avd_docs/kubernetes/network/AVD-KUBE-0001/docs.md b/avd_docs/kubernetes/network/AVD-KUBE-0001/docs.md
index eb36c092..60177a25 100644
--- a/avd_docs/kubernetes/network/AVD-KUBE-0001/docs.md
+++ b/avd_docs/kubernetes/network/AVD-KUBE-0001/docs.md
@@ -1,5 +1,6 @@
-You should not expose infrastructure to the public internet except where explicitly required
+Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
+
### Impact
diff --git a/avd_docs/nifcloud/computing/AVD-NIF-0001/docs.md b/avd_docs/nifcloud/computing/AVD-NIF-0001/docs.md
index 826ef762..dcbaaa37 100644
--- a/avd_docs/nifcloud/computing/AVD-NIF-0001/docs.md
+++ b/avd_docs/nifcloud/computing/AVD-NIF-0001/docs.md
@@ -1,5 +1,5 @@
-Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.
+Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
When publishing web applications, use a load balancer instead of publishing directly to instances.
diff --git a/avd_docs/nifcloud/nas/AVD-NIF-0014/docs.md b/avd_docs/nifcloud/nas/AVD-NIF-0014/docs.md
index 761280d4..f67690b9 100644
--- a/avd_docs/nifcloud/nas/AVD-NIF-0014/docs.md
+++ b/avd_docs/nifcloud/nas/AVD-NIF-0014/docs.md
@@ -1,5 +1,5 @@
-Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.
+Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
### Impact
diff --git a/avd_docs/nifcloud/rdb/AVD-NIF-0011/docs.md b/avd_docs/nifcloud/rdb/AVD-NIF-0011/docs.md
index cb78236f..ef343705 100644
--- a/avd_docs/nifcloud/rdb/AVD-NIF-0011/docs.md
+++ b/avd_docs/nifcloud/rdb/AVD-NIF-0011/docs.md
@@ -1,5 +1,5 @@
-Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.
+Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
### Impact
diff --git a/checks/cloud/aws/ec2/no_public_egress_sgr.rego b/checks/cloud/aws/ec2/no_public_egress_sgr.rego
index f81d1f25..5953149e 100644
--- a/checks/cloud/aws/ec2/no_public_egress_sgr.rego
+++ b/checks/cloud/aws/ec2/no_public_egress_sgr.rego
@@ -1,5 +1,5 @@
# METADATA
-# title: An egress security group rule allows traffic to /0.
+# title: A security group rule should not allow egress to any IP address.
# description: |
# Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
# scope: package
@@ -35,13 +35,14 @@ package builtin.aws.ec2.aws0104
import rego.v1
+import data.lib.net
+
deny contains res if {
some rule in input.aws.ec2.securitygroups[_].egressrules
some block in rule.cidrs
- cidr.is_public(block.value)
- cidr.count_addresses(block.value) > 1
+ net.cidr_allows_all_ips(block.value)
res := result.new(
- "Security group rule allows egress to multiple public internet addresses.",
+ "Security group rule allows egress to any IP address.",
block,
)
}
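Review bot: Replacing `cidr.is_public` + `cidr.count_addresses > 1` with `net.cidr_allows_all_ips(block.value)` narrows this rule to exact /0 literals, so an egress rule split into `0.0.0.0/1` and `128.0.0.0/1` — the usual way to reach every address without writing /0 — is no longer flagged, and broad public ranges such as `22.0.0.0/8` are now explicitly accepted (the companion test pins that). If that narrowing is intended, the description should say the check only fires on unrestricted (/0) destinations rather than on "the public internet"; otherwise keep a breadth condition next to the new one. Separately, if `cidr_allows_all_ips` is a membership test against the `all_ips` string set, non-canonical spellings such as `0:0:0:0:0:0:0:0/0` or `0.0.0.0/00` would slip past; parsing the prefix length would be more robust — its definition is not visible here, so this is inferred.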
diff --git a/checks/cloud/aws/ec2/no_public_egress_sgr_test.rego b/checks/cloud/aws/ec2/no_public_egress_sgr_test.rego
index f8d3df17..eca08c49 100644
--- a/checks/cloud/aws/ec2/no_public_egress_sgr_test.rego
+++ b/checks/cloud/aws/ec2/no_public_egress_sgr_test.rego
@@ -12,7 +12,11 @@ test_deny_sg_with_public_egress if {
}
test_allow_sg_without_private_egress if {
- inp := {"aws": {"ec2": {"securitygroups": [{"egressrules": [{"cidrs": [{"value": "10.0.0.0/16"}]}]}]}}}
+ inp := {"aws": {"ec2": {"securitygroups": [{"egressrules": [{"cidrs": [
+ {"value": "10.0.0.0/8"},
+ {"value": "192.168.164.0/23"},
+ {"value": "22.0.0.0/8"},
+ ]}]}]}}}
test.assert_empty(check.deny) with input as inp
}
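Review bot: The name `test_allow_sg_without_private_egress` no longer describes its fixture, which is two private ranges plus the public `22.0.0.0/8`, and that public entry makes the test a deliberate pin of the new /0-only semantics. Rename it to something like `test_allow_sg_with_non_unrestricted_egress` so the intent is explicit. It would also be worth adding deny cases for `::/0` and for a `0.0.0.0/1` + `128.0.0.0/1` pair if the latter is meant to be caught; I cannot see whether an IPv6 case already exists outside this hunk.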
diff --git a/checks/cloud/aws/ec2/no_public_ingress_acl.rego b/checks/cloud/aws/ec2/no_public_ingress_acl.rego
index 186b5d9e..08422968 100644
--- a/checks/cloud/aws/ec2/no_public_ingress_acl.rego
+++ b/checks/cloud/aws/ec2/no_public_ingress_acl.rego
@@ -1,5 +1,5 @@
# METADATA
-# title: Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389.
+# title: Network ACLs should not allow ingress to SSH or RDP from any IP address.
# description: |
# The Network Access Control List (NACL) function provide stateless filtering of ingress and
# egress network traffic to AWS resources. It is recommended that no NACL allows
@@ -56,7 +56,7 @@ deny contains res if {
some block in rule.cidrs
net.cidr_allows_all_ips(block.value)
res := result.new(
- "Network ACL rule allows ingress from public internet.",
+ "Network ACL rule allows ingress from any IP address.",
block,
)
}
diff --git a/checks/cloud/aws/ec2/no_public_ingress_sgr.rego b/checks/cloud/aws/ec2/no_public_ingress_sgr.rego
index 5f20f3db..2dc8f334 100644
--- a/checks/cloud/aws/ec2/no_public_ingress_sgr.rego
+++ b/checks/cloud/aws/ec2/no_public_ingress_sgr.rego
@@ -1,5 +1,5 @@
# METADATA
-# title: Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22 or port 3389.
+# title: Security groups should not allow ingress to SSH or RDP from any IP address.
# description: |
# Security groups provide stateful filtering of ingress and egress network traffic to AWS
# resources. It is recommended that no security group allows unrestricted ingress access to
@@ -53,7 +53,7 @@ deny contains res if {
some block in rule.cidrs
net.cidr_allows_all_ips(block.value)
res := result.new(
- "Security group rule allows ingress from public internet.",
+ "Security group rule allows ingress from any IP address.",
block,
)
}
diff --git a/checks/cloud/azure/network/disable_rdp_from_internet.rego b/checks/cloud/azure/network/disable_rdp_from_internet.rego
index ac1ef265..7a2342c9 100644
--- a/checks/cloud/azure/network/disable_rdp_from_internet.rego
+++ b/checks/cloud/azure/network/disable_rdp_from_internet.rego
@@ -1,5 +1,5 @@
# METADATA
-# title: RDP access should not be accessible from the Internet, should be blocked on port 3389
+# title: A security group should not allow ingress to the RDP port from any IP address.
# description: |
# RDP access can be configured on either the network security group or in the network security group rule.
# RDP access should not be permitted from the internet (*, 0.0.0.0, /0, internet, any). Consider using the Azure Bastion Service.
@@ -32,6 +32,8 @@ package builtin.azure.network.azure0048
import rego.v1
+import data.lib.net
+
deny contains res if {
some group in input.azure.network.securitygroups
some rule in group.rules
@@ -41,10 +43,9 @@ deny contains res if {
some ports in rule.destinationports
port_range_includes(ports.start, ports.end, 3389)
some ip in rule.sourceaddresses
- cidr.is_public(ip.value)
- cidr.count_addresses(ip.value) > 1
+ net.cidr_allows_all_ips(ip.value)
res := result.new(
- "Security group rule allows ingress to RDP port from multiple public internet addresses.",
+ "Security group rule allows ingress to RDP port from any IP address.",
ip,
)
}
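Review bot: The description retained at the top of this file lists `*, 0.0.0.0, /0, internet, any` as the forms to reject, but the new `net.cidr_allows_all_ips(ip.value)` check is satisfied only by the entries in `lib.net.all_ips` (`0.0.0.0/0`, `::/0`, its long form and `*`), so an NSG rule whose source is the `Internet` service tag, a bare `0.0.0.0` or `any` would pass unless the adapter normalises those before this check runs. Either add those spellings to `all_ips` (case-insensitively, since Azure accepts `Internet`) or trim the description to what is actually detected. The `deny` rule starts in the previous hunk.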
diff --git a/checks/cloud/azure/network/no_public_egress.rego b/checks/cloud/azure/network/no_public_egress.rego
index 6e095282..33b1677e 100644
--- a/checks/cloud/azure/network/no_public_egress.rego
+++ b/checks/cloud/azure/network/no_public_egress.rego
@@ -1,8 +1,7 @@
# METADATA
-# title: An outbound network security rule allows traffic to /0.
+# title: A security rule should not allow egress to any IP address.
# description: |
-# Network security rules should not use very broad subnets.
-# Where possible, segments should be broken into smaller subnets.
+# Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
# scope: package
# schemas:
# - input: schema["cloud"]
@@ -31,12 +30,14 @@ package builtin.azure.network.azure0051
import rego.v1
+import data.lib.net
+
deny contains res if {
some group in input.azure.network.securitygroups
some rule in group.rules
rule.outbound.value
rule.allow.value
some addr in rule.destinationaddresses
- cidr.is_public(addr.value)
- res := result.new("Security group rule allows egress to public internet.", addr)
+ net.cidr_allows_all_ips(addr.value)
+ res := result.new("Security group rule allows egress to any IP address.", addr)
}
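Review bot: This rule previously flagged any public destination (`cidr.is_public`, with no address-count condition) and now fires only on `0.0.0.0/0`, `::/0` or `*` via `net.cidr_allows_all_ips(addr.value)`, so an outbound rule to `0.0.0.0/1` plus `128.0.0.0/1`, or to the `Internet` service tag that the RDP check's description mentions, is now reported as compliant. That is a larger change in coverage than the title rewrite suggests. If it is intended, state in the description that only unrestricted (/0 or `*`) destinations are reported, and consider also matching `lower(addr.value) == "internet"`.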
diff --git a/checks/cloud/azure/network/no_public_egress_test.rego b/checks/cloud/azure/network/no_public_egress_test.rego
index cb61d036..32f5c782 100644
--- a/checks/cloud/azure/network/no_public_egress_test.rego
+++ b/checks/cloud/azure/network/no_public_egress_test.rego
@@ -16,6 +16,17 @@ test_deny_outbound_rule_with_wildcard_destination_address if {
count(res) == 1
}
+test_deny_outbound_rule_with_public_destination_address if {
+ inp := {"azure": {"network": {"securitygroups": [{"rules": [{
+ "allow": {"value": true},
+ "outbound": {"value": true},
+ "destinationaddresses": [{"value": "0.0.0.0/0"}],
+ }]}]}}}
+
+ res := check.deny with input as inp
+ count(res) == 1
+}
+
test_allow_outbound_rule_with_private_destination_address if {
inp := {"azure": {"network": {"securitygroups": [{"rules": [{
"allow": {"value": true},
diff --git a/checks/cloud/azure/network/no_public_ingress.rego b/checks/cloud/azure/network/no_public_ingress.rego
index 04a269b4..249f4893 100644
--- a/checks/cloud/azure/network/no_public_ingress.rego
+++ b/checks/cloud/azure/network/no_public_ingress.rego
@@ -1,8 +1,7 @@
# METADATA
-# title: An inbound network security rule allows traffic from /0.
+# title: A security group rule should not allow ingress from any IP address.
# description: |
-# Network security rules should not use very broad subnets.
-# Where possible, segments should be broken into smaller subnets.
+# Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
# scope: package
# schemas:
# - input: schema["cloud"]
@@ -31,13 +30,14 @@ package builtin.azure.network.azure0047
import rego.v1
+import data.lib.net
+
deny contains res if {
some group in input.azure.network.securitygroups
some rule in group.rules
not rule.outbound.value
rule.allow.value
some addr in rule.sourceaddresses
- cidr.is_public(addr.value)
- cidr.count_addresses(addr.value) > 1
- res := result.new("Security group rule allows ingress from public internet.", addr)
+ net.cidr_allows_all_ips(addr.value)
+ res := result.new("Security group rule allows ingress from any IP address.", addr)
}
diff --git a/checks/cloud/azure/network/ssh_blocked_from_internet.rego b/checks/cloud/azure/network/ssh_blocked_from_internet.rego
index f3b02c03..ac3d498c 100644
--- a/checks/cloud/azure/network/ssh_blocked_from_internet.rego
+++ b/checks/cloud/azure/network/ssh_blocked_from_internet.rego
@@ -1,5 +1,5 @@
# METADATA
-# title: SSH access should not be accessible from the Internet, should be blocked on port 22
+# title: Security group should not allow ingress to SSH port from any IP address.
# description: |
# SSH access can be configured on either the network security group or in the network security group rule.
# SSH access should not be permitted from the internet (*, 0.0.0.0, /0, internet, any)
@@ -30,6 +30,8 @@ package builtin.azure.network.azure0050
import rego.v1
+import data.lib.net
+
deny contains res if {
some group in input.azure.network.securitygroups
some rule in group.rules
@@ -39,10 +41,9 @@ deny contains res if {
some ports in rule.destinationports
port_range_includes(ports.start, ports.end, 22)
some ip in rule.sourceaddresses
- cidr.is_public(ip.value)
- cidr.count_addresses(ip.value) > 1
+ net.cidr_allows_all_ips(ip.value)
res := result.new(
- "Security group rule allows ingress to SSH port from multiple public internet addresses.",
+ "Security group rule allows ingress to SSH port from any IP address.",
ip,
)
}
diff --git a/checks/cloud/digitalocean/compute/no_public_egress.rego b/checks/cloud/digitalocean/compute/no_public_egress.rego
index 9c60eb33..e616c072 100644
--- a/checks/cloud/digitalocean/compute/no_public_egress.rego
+++ b/checks/cloud/digitalocean/compute/no_public_egress.rego
@@ -1,7 +1,7 @@
# METADATA
-# title: The firewall has an outbound rule with open access
+# title: A firewall rule should not allow egress to any IP address.
# description: |
-# Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.
+# Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
# scope: package
# schemas:
# - input: schema["cloud"]
@@ -30,12 +30,13 @@ package builtin.digitalocean.compute.digitalocean0003
import rego.v1
+import data.lib.net
+
deny contains res if {
some address in input.digitalocean.compute.firewalls[_].outboundrules[_].destinationaddresses
- cidr.is_public(address.value)
- cidr.count_addresses(address.value) > 1
+ net.cidr_allows_all_ips(address.value)
res := result.new(
- "Egress rule allows access to multiple public addresses.",
+ "Firewall rule allows egress traffic to any IP address.",
address,
)
}
diff --git a/checks/cloud/digitalocean/compute/no_public_ingress.rego b/checks/cloud/digitalocean/compute/no_public_ingress.rego
index 16e66ea8..4de9e78f 100644
--- a/checks/cloud/digitalocean/compute/no_public_ingress.rego
+++ b/checks/cloud/digitalocean/compute/no_public_ingress.rego
@@ -1,7 +1,7 @@
# METADATA
-# title: The firewall has an inbound rule with open access
+# title: A firewall rule should not allow ingress from any IP address.
# description: |
-# Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
+# Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
# scope: package
# schemas:
# - input: schema["cloud"]
@@ -30,12 +30,13 @@ package builtin.digitalocean.compute.digitalocean0001
import rego.v1
+import data.lib.net
+
deny contains res if {
some address in input.digitalocean.compute.firewalls[_].inboundrules[_].sourceaddresses
- cidr.is_public(address.value)
- cidr.count_addresses(address.value) > 1
+ net.cidr_allows_all_ips(address.value)
res := result.new(
- "Ingress rule allows access from multiple public addresses.",
+ "Firewall rule allows ingress from any IP address.",
address,
)
}
diff --git a/checks/cloud/google/compute/no_public_egress.rego b/checks/cloud/google/compute/no_public_egress.rego
index 8e76f1b9..4b5065d6 100644
--- a/checks/cloud/google/compute/no_public_egress.rego
+++ b/checks/cloud/google/compute/no_public_egress.rego
@@ -1,8 +1,7 @@
# METADATA
-# title: An outbound firewall rule allows traffic to /0.
+# title: A firewall rule should not allow egress to any IP address.
# description: |
-# Network security rules should not use very broad subnets.
-# Where possible, segments should be broken into smaller subnets and avoid using the /0
subnet.
+# Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
# scope: package
# schemas:
# - input: schema["cloud"]
@@ -31,16 +30,17 @@ package builtin.google.compute.google0035
import rego.v1
+import data.lib.net
+
deny contains res if {
some network in input.google.compute.networks
some rule in network.firewall.egressrules
rule.firewallrule.isallow.value
rule.firewallrule.enforced.value
some destination in rule.destinationranges
- cidr.is_public(destination.value)
- cidr.count_addresses(destination.value) > 1
+ net.cidr_allows_all_ips(destination.value)
res := result.new(
- "Firewall rule allows egress traffic to multiple addresses on the public internet.",
+ "Firewall rule allows egress traffic to any IP address.",
destination,
)
}
diff --git a/checks/cloud/google/compute/no_public_egress_test.rego b/checks/cloud/google/compute/no_public_egress_test.rego
index c7020430..478ad3d4 100644
--- a/checks/cloud/google/compute/no_public_egress_test.rego
+++ b/checks/cloud/google/compute/no_public_egress_test.rego
@@ -21,7 +21,7 @@ test_deny_egress_rule_with_multiple_public_destinations if {
count(res) == 1
}
-test_allow_egress_rule_with_public_destination if {
+test_allow_egress_rule_with_private_destination if {
inp := {"google": {"compute": {"networks": [{"firewall": {"egressrules": [{
"firewallrule": {
"isallow": {"value": true},
diff --git a/checks/cloud/google/compute/no_public_ingress.rego b/checks/cloud/google/compute/no_public_ingress.rego
index c9805ca2..7b1a9b4d 100644
--- a/checks/cloud/google/compute/no_public_ingress.rego
+++ b/checks/cloud/google/compute/no_public_ingress.rego
@@ -1,8 +1,7 @@
# METADATA
-# title: An inbound firewall rule allows traffic from /0.
+# title: A firewall rule should not allow ingress from any IP address.
# description: |
-# Network security rules should not use very broad subnets.
-# Where possible, segments should be broken into smaller subnets and avoid using the /0
subnet.
+# Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
# scope: package
# schemas:
# - input: schema["cloud"]
@@ -32,6 +31,8 @@ package builtin.google.compute.google0027
import rego.v1
+import data.lib.net
+
deny contains res if {
some network in input.google.compute.networks
count(object.get(network.firewall, "sourcetags", [])) == 0
@@ -40,11 +41,11 @@ deny contains res if {
some rule in network.firewall.ingressrules
rule.firewallrule.isallow.value
rule.firewallrule.enforced.value
+
some source in rule.sourceranges
- cidr.is_public(source.value)
- cidr.count_addresses(source.value) > 1
+ net.cidr_allows_all_ips(source.value)
res := result.new(
- "Firewall rule allows ingress traffic from multiple addresses on the public internet.",
+ "Firewall rule allows ingress from any IP address.",
source,
)
}
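Review bot: The blank line added between `rule.firewallrule.enforced.value` and `some source in rule.sourceranges` splits a single rule body for no reason and is not present in the sibling egress rule in this commit; drop it so the two rules stay visually parallel. Otherwise the substitution of `net.cidr_allows_all_ips(source.value)` mirrors the egress check, including the same narrowing to exact /0 ranges.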
diff --git a/checks/cloud/nifcloud/computing/no_public_ingress_sgr.rego b/checks/cloud/nifcloud/computing/no_public_ingress_sgr.rego
index 32873978..53a53349 100644
--- a/checks/cloud/nifcloud/computing/no_public_ingress_sgr.rego
+++ b/checks/cloud/nifcloud/computing/no_public_ingress_sgr.rego
@@ -1,7 +1,7 @@
# METADATA
-# title: An ingress security group rule allows traffic from /0.
+# title: A security group rule should not allow ingress from any IP address.
# description: |
-# Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.
+# Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
#
# When publishing web applications, use a load balancer instead of publishing directly to instances.
# scope: package
@@ -34,10 +34,14 @@ package builtin.nifcloud.computing.nifcloud0001
import rego.v1
+import data.lib.net
+
deny contains res if {
some sg in input.nifcloud.computing.securitygroups
some rule in sg.ingressrules
- cidr.is_public(rule.cidr.value)
- cidr.count_addresses(rule.cidr.value) > 1
- res := result.new("Security group rule allows ingress from public internet.", rule.cidr)
+ net.cidr_allows_all_ips(rule.cidr.value)
+ res := result.new(
+ "Security group rule allows ingress from any IP address.",
+ rule.cidr,
+ )
}
diff --git a/checks/cloud/nifcloud/nas/no_public_ingress_nas_sgr.rego b/checks/cloud/nifcloud/nas/no_public_ingress_nas_sgr.rego
index cd194072..40525ec7 100644
--- a/checks/cloud/nifcloud/nas/no_public_ingress_nas_sgr.rego
+++ b/checks/cloud/nifcloud/nas/no_public_ingress_nas_sgr.rego
@@ -1,7 +1,7 @@
# METADATA
-# title: An ingress nas security group rule allows traffic from /0.
+# title: A security group rule should not allow ingress from any IP address.
# description: |
-# Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.
+# Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
# scope: package
# schemas:
# - input: schema["cloud"]
@@ -32,10 +32,11 @@ package builtin.nifcloud.nas.nifcloud0014
import rego.v1
+import data.lib.net
+
deny contains res if {
some sg in input.nifcloud.nas.nassecuritygroups
some c in sg.cidrs
- cidr.is_public(c.value)
- cidr.count_addresses(c.value) > 1
- res := result.new("Security group rule allows ingress from public internet.", c)
+ net.cidr_allows_all_ips(c.value)
+ res := result.new("Security group rule allows ingress from any IP address.", c)
}
diff --git a/checks/cloud/nifcloud/rdb/no_public_ingress_db_sgr.rego b/checks/cloud/nifcloud/rdb/no_public_ingress_db_sgr.rego
index 191fa211..37d5c404 100644
--- a/checks/cloud/nifcloud/rdb/no_public_ingress_db_sgr.rego
+++ b/checks/cloud/nifcloud/rdb/no_public_ingress_db_sgr.rego
@@ -1,7 +1,7 @@
# METADATA
-# title: An ingress db security group rule allows traffic from /0.
+# title: A security group rule should not allow ingress traffic from any IP address.
# description: |
-# Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.
+# Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
# scope: package
# schemas:
# - input: schema["cloud"]
@@ -32,10 +32,11 @@ package builtin.nifcloud.rdb.nifcloud0011
import rego.v1
+import data.lib.net
+
deny contains res if {
some sg in input.nifcloud.rdb.dbsecuritygroups
some c in sg.cidrs
- cidr.is_public(c.value)
- cidr.count_addresses(c.value) > 1
- res := result.new("DB Security group rule allows ingress from public internet.", c)
+ net.cidr_allows_all_ips(c.value)
+ res := result.new("Security group rule allows ingress traffic from any IP address.", c)
}
diff --git a/checks/kubernetes/network/no_public_egress.rego b/checks/kubernetes/network/no_public_egress.rego
index 0f1185a1..0eea234f 100644
--- a/checks/kubernetes/network/no_public_egress.rego
+++ b/checks/kubernetes/network/no_public_egress.rego
@@ -1,5 +1,5 @@
# METADATA
-# title: Public egress should not be allowed via network policies
+# title: A network policy should not allow egress to any IP address.
# description: You should not expose infrastructure to the public internet except where explicitly required
# scope: package
# schemas:
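Review bot: The unchanged line `# description: You should not expose infrastructure to the public internet except where explicitly required` is left as-is here while the sibling ingress check in this commit switches to the multi-line "Opening up ports ..." wording, so the two Kubernetes checks now read differently from each other and from the Azure/Google egress checks. Replace it with `# description: |` followed by `#   Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.` to match.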
@@ -26,13 +26,15 @@ package builtin.kube.network.kube0002
import rego.v1
+import data.lib.net
+
deny contains res if {
some policy in input.kubernetes.networkpolicies
isManaged(policy)
some dest in policy.spec.egress.destinationcidrs
- cidr.is_public(dest.value)
+ net.cidr_allows_all_ips(dest.value)
res := result.new(
- "Network policy allows egress to the public internet.",
+ "Network policy allows egress to any IP address.",
dest,
)
}
diff --git a/checks/kubernetes/network/no_public_ingress.rego b/checks/kubernetes/network/no_public_ingress.rego
index 29f3c51b..740c34d8 100644
--- a/checks/kubernetes/network/no_public_ingress.rego
+++ b/checks/kubernetes/network/no_public_ingress.rego
@@ -1,6 +1,7 @@
# METADATA
-# title: Public ingress should not be allowed via network policies
-# description: You should not expose infrastructure to the public internet except where explicitly required
+# title: A network policy should not allow ingress from any IP address.
+# description: |
+# Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
# scope: package
# schemas:
# - input: schema["cloud"]
@@ -26,13 +27,15 @@ package builtin.kube.network.kube0001
import rego.v1
+import data.lib.net
+
deny contains res if {
some policy in input.kubernetes.networkpolicies
isManaged(policy)
some source in policy.spec.ingress.sourcecidrs
- cidr.is_public(source.value)
+ net.cidr_allows_all_ips(source.value)
res := result.new(
- "Network policy allows ingress from the public internet.",
+ "Network policy allows ingress from any IP address.",
source,
)
}
diff --git a/lib/cloud/net.rego b/lib/cloud/net.rego
index 38c01aa7..6746468e 100644
--- a/lib/cloud/net.rego
+++ b/lib/cloud/net.rego
@@ -12,7 +12,7 @@ ssh_port := 22
rdp_port := 3389
-all_ips := {"0.0.0.0/0", "0000:0000:0000:0000:0000:0000:0000:0000/0", "::/0"}
+all_ips := {"0.0.0.0/0", "0000:0000:0000:0000:0000:0000:0000:0000/0", "::/0", "*"}
# "-1" or "all" equivalent to all protocols
# https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html