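package database

import (
	"github.com/khulnasoft-lab/defsec/internal/cidr"
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/providers/azure/database"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNoPublicFirewallAccess reports Azure database firewall rules (on
// MariaDB, MSSQL, MySQL and PostgreSQL servers) whose IP range reaches the
// public internet. The 0.0.0.0-0.0.0.0 rule, which Azure uses to admit Azure
// services rather than an address range, is skipped and neither reported nor
// recorded as passed.
var CheckNoPublicFirewallAccess = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AZU-0029",
		Provider:    providers.AzureProvider,
		Service:     "database",
		ShortCode:   "no-public-firewall-access",
		Summary:     "Ensure database firewalls do not permit public access",
		Impact:      "Publicly accessible databases could lead to compromised data",
		Resolution:  "Don't use wide ip ranges for the sql firewall",
		Explanation: `Azure services can be allowed access through the firewall using a start and end IP address of 0.0.0.0. 
No other end ip address should be combined with a start of 0.0.0.0`,
		Links: []string{
			"https://docs.microsoft.com/en-us/rest/api/sql/2021-02-01-preview/firewall-rules/create-or-update",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicFirewallAccessGoodExamples,
			BadExamples:         terraformNoPublicFirewallAccessBadExamples,
			Links:               terraformNoPublicFirewallAccessLinks,
			RemediationMarkdown: terraformNoPublicFirewallAccessRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		// Every server flavour is evaluated with the same per-rule logic; the
		// four lists are only distinguished by the state field they live in.
		db := s.Azure.Database
		for _, server := range db.MariaDBServers {
			checkFirewallRules(server.FirewallRules, &results)
		}
		for _, server := range db.MSSQLServers {
			checkFirewallRules(server.FirewallRules, &results)
		}
		for _, server := range db.MySQLServers {
			checkFirewallRules(server.FirewallRules, &results)
		}
		for _, server := range db.PostgreSQLServers {
			checkFirewallRules(server.FirewallRules, &results)
		}
		return
	},
)

// checkFirewallRules evaluates each firewall rule of one server and records a
// failed or passed result for it in results.
//
// A rule fails when at least one of its endpoints is classified as public and
// the range is wider than a single address (start != end); a single public
// address therefore passes. Only the two endpoints are classified, so a range
// whose endpoints are both non-public but which spans public address space in
// between is not reported. The classification is delegated to cidr.IsPublic;
// NOTE(review): whether a 0.0.0.0-255.255.255.255 range is caught depends on
// how that helper treats those two boundary addresses — confirm with a test.
func checkFirewallRules(fwRules []database.FirewallRule, results *scan.Results) {
	// Index rather than range-copy so the pointer handed to AddPassed refers
	// to a distinct element per iteration instead of a reused loop variable.
	for i := range fwRules {
		rule := &fwRules[i]
		if allowingAzureServices(*rule) {
			continue
		}
		reachesPublic := cidr.IsPublic(rule.StartIP.Value()) || cidr.IsPublic(rule.EndIP.Value())
		if reachesPublic && rule.StartIP.NotEqualTo(rule.EndIP.Value()) {
			results.Add(
				"Firewall rule allows public internet access to a database server.",
				rule.StartIP,
			)
		} else {
			results.AddPassed(rule)
		}
	}
}

// allowingAzureServices reports whether rule is the special 0.0.0.0-0.0.0.0
// rule that Azure interprets as "allow Azure services" rather than as an IP
// range. Such rules are exempt from the public-range check.
func allowingAzureServices(rule database.FirewallRule) bool {
	return rule.StartIP.EqualTo("0.0.0.0") && rule.EndIP.EqualTo("0.0.0.0")
}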