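package network

import (
	"github.com/khulnasoft-lab/defsec/internal/cidr"
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
	"github.com/khulnasoft-lab/defsec/pkg/types"
)

// CheckSshBlockedFromInternet reports Azure network security group rules that
// allow inbound traffic to port 22 (SSH) from a public source range covering
// more than one address (for example 0.0.0.0/0). A security group is reported
// as passed only when none of its rules trigger the check; the pass/fail
// decision is made once per group, after every rule has been inspected.
var CheckSshBlockedFromInternet = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AZU-0050",
		Provider:    providers.AzureProvider,
		Service:     "network",
		ShortCode:   "ssh-blocked-from-internet",
		Summary:     "SSH access should not be accessible from the Internet, should be blocked on port 22",
		Impact:      "Its dangerous to allow SSH access from the internet",
		Resolution:  "Block port 22 access from the internet",
		Explanation: `SSH access can be configured on either the network security group or in the network security group rule. 

SSH access should not be permitted from the internet (*, 0.0.0.0, /0, internet, any)`,
		Links: []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformSshBlockedFromInternetGoodExamples,
			BadExamples:         terraformSshBlockedFromInternetBadExamples,
			Links:               terraformSshBlockedFromInternetLinks,
			RemediationMarkdown: terraformSshBlockedFromInternetRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, group := range s.Azure.Network.SecurityGroups {
			// Copy the loop variable so the pointer handed to AddPassed is
			// distinct per iteration (the variable is shared across iterations
			// under pre-Go 1.22 loop semantics).
			group := group
			failed := false
			for _, rule := range group.Rules {
				// Only allow-rules in the inbound direction can expose SSH;
				// deny rules and outbound rules are irrelevant here.
				if rule.Allow.IsFalse() || rule.Outbound.IsTrue() {
					continue
				}
				// ICMP carries no port, so it cannot expose SSH. Every other
				// protocol value (Tcp, Udp, "*") is evaluated.
				if rule.Protocol.EqualTo("Icmp", types.IgnoreCase) {
					continue
				}
				for _, ports := range rule.DestinationPorts {
					if !ports.Includes(22) {
						continue
					}
					for _, ip := range rule.SourceAddresses {
						// A single public address (one-address range) is deliberately
						// not flagged; only public ranges spanning more than one
						// address are treated as "the internet".
						if cidr.IsPublic(ip.Value()) && cidr.CountAddresses(ip.Value()) > 1 {
							failed = true
							results.Add(
								"Security group rule allows ingress to SSH port from multiple public internet addresses.",
								ip,
							)
						}
					}
				}
			}
			// Decide once per group, after all rules were inspected. Emitting
			// the pass inside the rule loop would produce one pass per
			// non-offending rule and a pass alongside a failure for the same
			// group, and would never mark a group with no rules as passed.
			if !failed {
				results.AddPassed(&group)
			}
		}
		return
	},
)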