
     1  package network
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/cidr"
     5  	"github.com/khulnasoft-lab/defsec/internal/rules"
     6  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     7  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     8  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     9  	"github.com/khulnasoft-lab/defsec/pkg/state"
    10  	"github.com/khulnasoft-lab/defsec/pkg/types"
    11  )
    12  
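// CheckDisableRdpFromInternet flags Azure network security groups that allow
// inbound traffic to port 3389 (RDP) from a public source range wider than a
// single address, on any protocol other than ICMP.
//
// Each security group yields one verdict: a failing result per offending
// source address, or a single passing result when no rule in the group
// exposes RDP. (The pass was previously emitted inside the per-rule loop,
// which produced one pass per clean rule and a spurious pass next to the
// failure whenever an earlier rule in the same group was clean.)
var CheckDisableRdpFromInternet = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AZU-0048",
		Provider:   providers.AzureProvider,
		Service:    "network",
		ShortCode:  "disable-rdp-from-internet",
		Summary:    "RDP access should not be accessible from the Internet, should be blocked on port 3389",
		Impact:     "Anyone from the internet can potentially RDP onto an instance",
		Resolution: "Block RDP port from internet",
		Explanation: `RDP access can be configured on either the network security group or in the network security group rule.

RDP access should not be permitted from the internet (*, 0.0.0.0, /0, internet, any). Consider using the Azure Bastion Service.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/bastion/tutorial-create-host-portal",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformDisableRdpFromInternetGoodExamples,
			BadExamples:         terraformDisableRdpFromInternetBadExamples,
			Links:               terraformDisableRdpFromInternetLinks,
			RemediationMarkdown: terraformDisableRdpFromInternetRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	// Evaluate every security group in the scanned Azure state; s is the full
	// resolved state, results collects one entry per finding or per clean group.
	func(s *state.State) (results scan.Results) {
		for _, group := range s.Azure.Network.SecurityGroups {
			var failed bool
			for _, rule := range group.Rules {
				// Only inbound allow rules can expose RDP; deny rules and
				// outbound rules cannot open the port to the internet.
				if rule.Allow.IsFalse() || rule.Outbound.IsTrue() {
					continue
				}
				// ICMP has no ports, so a destination-port match is meaningless.
				if rule.Protocol.EqualTo("Icmp", types.IgnoreCase) {
					continue
				}
				for _, ports := range rule.DestinationPorts {
					if !ports.Includes(3389) {
						continue
					}
					for _, ip := range rule.SourceAddresses {
						// A single public address (/32) is treated as a deliberate
						// allow-list entry; only wider public ranges are reported.
						// NOTE(review): the Explanation lists "*", "internet" and
						// "any" as forbidden sources — whether cidr.IsPublic /
						// cidr.CountAddresses recognise those Azure tokens as public
						// ranges is not visible here; confirm, otherwise such rules
						// would silently pass.
						if cidr.IsPublic(ip.Value()) && cidr.CountAddresses(ip.Value()) > 1 {
							failed = true
							results.Add(
								"Security group rule allows ingress to RDP port from multiple public internet addresses.",
								ip,
							)
						}
					}
				}
			}
			// The pass verdict belongs to the group as a whole, so it is
			// emitted only after every rule in the group has been inspected.
			// NOTE(review): &group is the address of the range variable; this is
			// fine if AddPassed copies the metadata out (as it appears to), but
			// would alias across iterations under pre-Go-1.22 semantics if the
			// pointer were retained — confirm against scan.Results.
			if !failed {
				results.AddPassed(&group)
			}
		}
		return
	},
)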